topic Re: SAML authentication token timeout/revocation for remote access VPN in SASE and Remote Access

SAML authentication token timeout/revocation for remote access VPN

Sam2 — Thu, 07 Jul 2022 17:41:40 GMT

Does anyone know if the full endpoint client will periodically check if the saml token used for VPN auth is still valid? Does it check when the tunnel is renegotiated when it reaches its timeout?

In testing I had my saml token revoked, all my ms office products immediately forced a re-auth but the VPN client has remained connected, curious if there is an official answer to how revoking a saml token will impact the vpn.

Re: SAML authentication token timeout/revocation for remote access VPN

PhoneBoy — Thu, 07 Jul 2022 17:50:00 GMT

If it's consistent with how it works for other authentication methods, it's done at the re-authentication timer.

Re: SAML authentication token timeout/revocation for remote access VPN

Abhi_G — Tue, 28 Nov 2023 18:15:59 GMT

How the re-authentication will happen with browser base SAML authentication? If it happens, What is the time interval for re-authentication?
How we can enforce to re-authentication any specific user?

Any suggestions on this? @PhoneBoy

Re: SAML authentication token timeout/revocation for remote access VPN

PhoneBoy — Tue, 28 Nov 2023 23:38:50 GMT

The browser should pop-up to request authentication again.
However, whether the user needs to re-authenticate or not depends entirely on the IdP configuration.
In general, when using SAML Auth, these settings must be configured in the IdP.
Consult the relevant documentation for your IdP.
You can force the entire authentication flow every time using the following SK, but it applies to every user: https://support.checkpoint.com/results/sk/sk180948