Why is my SAML setup not prompting for MFA while another one is?

Asked By CuriousCat456 On

I'm working on setting up a Palo Alto enterprise app to authenticate users via SAML through the portal. Everything is configured correctly, with the correct certificates assigned and a test group set up. However, I'm facing an issue: when my test user connects to the VPN using the Azure app for authentication, it doesn't prompt for MFA—it just connects right away. On the other hand, a similar Palo Alto app that's set up exactly the same way (but assigned to different groups) does prompt for MFA. I've checked the conditional access policy regarding MFA, and both groups are listed as requiring it. I'm puzzled about why SAML wouldn't trigger an MFA prompt. Has anyone experienced this issue before?

3 Answers

Answered By TechieGuru99 On

It sounds like you've already looked into session data issues. Sometimes, apps hold onto problematic session cookies that can cause these kinds of issues, so cleaning that out might help. If you've already removed and recreated the app without success, you might want to check if there's something else lingering session-related that needs to be cleared.

CuriousCat456 -

Thanks for the suggestion! I did try removing the app and setting it up again, but I'm still seeing the same problem.

Answered By LogMaster32 On

Make sure to dive into the Sign-In Logs. Look specifically at the Authentication Requirement (Multifactor Authentication) field. If it's showing that MFA is required, it might just be that the Primary Refresh Token (PRT) for the user already has the MFA imprinted. If it's showing 'Single-Factor Authentication', then there's likely something missing in the Conditional Access Policies.

CuriousCat456 -

The logs do indicate that MFA is required for the user. I've checked both the problematic app and the one that works, and they both show the same MFA requirements. It's really confusing why one prompts and the other doesn’t.

Answered By NetworkNinja88 On

Since you're using Entra as the IdP, it's crucial to double-check the sign-in logs to ensure the conditional access policies are being applied correctly. If everything looks good on that front, take a close look at the authentication details. Was the MFA requirement fulfilled?

CuriousCat456 -

I did review the logs, and the conditional access policy is applied successfully. It indicates that MFA is required and fulfilled. It’s almost like MFA is happening automatically in the background without a prompt, which is strange.
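The two answers above both come down to reading the Entra sign-in log carefully: the Authentication Requirement field says whether Conditional Access demanded MFA, and the authentication details say whether it was satisfied interactively or by a claim already present in the token (the PRT case). The triage script below is an added example, not something from the thread; the records are constructed, field names follow the Microsoft Graph signIn resource, and the app names and result strings are illustrative assumptions.

```python
import json

# Constructed sample Entra ID sign-in records. Field names follow the Microsoft
# Graph signIn resource; app names and result strings are illustrative only.
SAMPLE_SIGNINS = json.loads("""
[
 {"appDisplayName": "PaloAlto-VPN-A",
  "authenticationRequirement": "multiFactorAuthentication",
  "conditionalAccessStatus": "success",
  "authenticationDetails": [
   {"authenticationMethod": "Password", "succeeded": true,
    "authenticationStepResultDetail": "Correct password"},
   {"authenticationMethod": "Previously satisfied", "succeeded": true,
    "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}]},
 {"appDisplayName": "PaloAlto-VPN-B",
  "authenticationRequirement": "multiFactorAuthentication",
  "conditionalAccessStatus": "success",
  "authenticationDetails": [
   {"authenticationMethod": "Password", "succeeded": true,
    "authenticationStepResultDetail": "Correct password"},
   {"authenticationMethod": "Mobile app notification", "succeeded": true,
    "authenticationStepResultDetail": "MFA completed in Azure AD"}]},
 {"appDisplayName": "PaloAlto-VPN-C",
  "authenticationRequirement": "singleFactorAuthentication",
  "conditionalAccessStatus": "notApplied",
  "authenticationDetails": [
   {"authenticationMethod": "Password", "succeeded": true,
    "authenticationStepResultDetail": "Correct password"}]}
]
""")
FIRST_FACTOR = {"password", "previously satisfied"}

def classify_signin(rec):
    """Map one sign-in record to how (or whether) its MFA requirement was met."""
    if rec.get("authenticationRequirement") != "multiFactorAuthentication":
        return "no_mfa_required"   # Conditional Access did not demand MFA here
    prompted = False
    for step in rec.get("authenticationDetails", []):
        if not step.get("succeeded"):
            continue
        detail = (step.get("authenticationStepResultDetail") or "").lower()
        if "claim in the token" in detail:
            return "mfa_from_token"  # reused an existing session/PRT MFA claim
        if (step.get("authenticationMethod") or "").lower() not in FIRST_FACTOR:
            prompted = True          # a real second-factor step was completed
    return "mfa_prompted" if prompted else "mfa_unresolved"
def triage(signins):
    """Summarise per app so two 'identical' apps can be compared side by side."""
    return {r["appDisplayName"]: classify_signin(r) for r in signins}
```

Running `triage` over an export of both apps' sign-ins makes the difference visible at a glance: an app that reports `mfa_from_token` never showed a prompt because the requirement was met by the existing token, while `no_mfa_required` points back at the Conditional Access policy itself.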
