nzmatto1
Contributor

Forcing VPN with SAML (Google SSO) to re-authenticate

Here's another weird request from the crazy kiwi.
I have configured the Remote Access VPN to use Google SSO through a SAML app. This seems to be working fine, however for further testing I wish to force my client to log out, including from the SSO session to force the 2FA again.

The process is I log on from the client for the first time on a device and I am prompted for a username and password, then for the Google MFA. This is fine, it's accepted and the VPN establishes. Once I am finished with the VPN I can disconnect.

The next time I reconnect it doesn't prompt for anything, which from a user point of view is perfect. No username / password / 2fa just straight in. The secure way is the easy way. 

However for testing I wish to force my account to log out fully, requiring the username / password / 2fa again, and I can't work out how to achieve this from the client. I have even gone as far as deleting and reinstalling the client, however even then it only asks for a username and password as somewhere in the background Google magic knows I've recently done the 2fa so it just works. 

From the client / desktop side I have logged out from my Google account and revoked all trusted devices but to no avail.

Is there some way from the client side I can force my account to require the 2fa like it was a new connection every time? 

I'm wondering if this might be stored in the registry, or in a cookie or something like that. 

0 Kudos
3 Replies
PhoneBoy
Admin

To achieve the desired behavior, you have to have ForceAuthn set to true as part of the SAML request.
This is not done by default currently, but a fix for this can be obtained from the TAC by referencing TM-34402.

0 Kudos
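To confirm whether a client is actually sending the ForceAuthn attribute mentioned in the reply above, a captured SAML redirect URL can be decoded and inspected. This is an added example, not part of the thread or of Check Point's code; the function names, the `idp.example.test` URL and the sample requests are constructed for illustration, and it assumes the request uses the HTTP-Redirect binding.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def decode_redirect_request(url: str) -> bytes:
    """Return the AuthnRequest XML carried in an HTTP-Redirect binding URL."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("URL has no SAMLRequest parameter")
    deflated = base64.b64decode(params["SAMLRequest"][0])
    # The redirect binding uses raw DEFLATE (no zlib header), hence wbits=-15.
    return zlib.decompress(deflated, -15)


def force_authn_requested(request_xml: bytes) -> bool:
    """True only if the AuthnRequest sets ForceAuthn to an XML-boolean true."""
    # Parse only requests captured from your own client; not a hardened parser.
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    # ForceAuthn is optional and defaults to false when absent.
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def build_sample_url(force_attr: str) -> str:
    """Constructed sample: encode a minimal AuthnRequest as the binding does."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed1" '
           f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{force_attr}/>')
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode()})
    return "https://idp.example.test/sso?" + query


# Constructed inputs: one request without the attribute, one with it set.
SAMPLE_DEFAULT = build_sample_url("")
SAMPLE_FORCED = build_sample_url(' ForceAuthn="true"')

if __name__ == "__main__":
    for name, url in (("default", SAMPLE_DEFAULT), ("forced", SAMPLE_FORCED)):
        print(name, force_authn_requested(decode_redirect_request(url)))
```

Paste the URL the client opens at the identity provider in place of the constructed samples; a result of `False` means the request leaves re-authentication to the IdP's existing session.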
Agent_Smith
Contributor

We're using MS SAML. I want to disable all network access unless VPNd, how can I do that?

0 Kudos
Icaro_IT
Explorer

Hello nzmatto1
Can you share how you configured SAML with Google? I'm trying, but it's not working.
Did you set up SAML Attribute Mapping on Google? If yes, how did you configure it?

 

0 Kudos
