A drawback to SAML auth is that when connecting to VPN it just logs you straight in - no further auth needed (assuming your machine/browser is already logged into your MS365 account).
For some this is fine. For others it isn't, and they still want to be prompted for some credentials when logging into VPN.
There's a nice little hack to the /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php file, to set
forceAuthn=true
This forces you to do a full login every time. I.e. manually typing your username, password, then responding to MFA. At the end of the sign-in you get the box to save details so you don't have to enter them every time. But that effectively does nothing. Next time you log in, you still have to do the entire authentication bit again.
But that's what I just set in the file above, so what's the problem?
Does anybody know of a way to achieve a halfway house on this? For example, rather than manually having to type my email & password every time, is there an option available to JUST prompt for the MFA on each login?
I've got several customers using this. They're not happy without "forceAuthn=true" because they get no prompts at all. But they're also not happy with having to manually type the email & password every time either. They just want the MFA bit. Is there a way??
I thought the problem of having to manually enter full credentials every time was linked to the SAML pop-up window not using the machine browser's cached info. I was hoping that E87.30 (using the machine default browser) would fix this and remember who is logged in, therefore only prompting for MFA, but it doesn't 😞
Does anyone know any tricks to make VPN login prompt every time for MFA, without requiring the full username/password too?