Hi @PhoneBoy , Thanks for your reply I appreciate it. The behavior is completely different than what we see on Mobile Access. We using the IdP (authenticate to an SSO portal of the IdP) so the session is kept on the browser, hence when we log off from mobile access page and log back in we send the SAML request and IdP identifies you as logged in on portal and sends back success to checkpoint and it doesn't re auth. however in the VPN client this doesn't happen ,it re auth everytime, what we want is to do the SSO normally with the VPN client using the session timeout of the IdP of that portal , same behavior like Mobile Access. So I guess the question is what is the difference between Mobile access and vpn client embedded browser for SSO to work? I also saw a video on youtube for a guy doing Azure AD and he manually logged off and he was re prompted again. So how can we make SSO work as long as the session to IdP is active (same as mobile access) ? 

Thanks in advance !

- Dawoud

@PhoneBoy  Client version: Client E86.50, Gateway & Management server Version R81.10 and Latest Jumbo hotfix (Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T78_FULL) we applied the script on management server too. 

I assume MAB and Remote Access VPN are using different sessions for authentication similar to using two different browsers on the same system (e.g. Firefox and Chrome) that authenticate against the IdP.
Each browser session has to be authenticate separately in that case.
Getting them to use the same session (thus the SSO "works" for both VPN and MAB authenticating only once) is probably an RFE.

@PhoneBoy So are you saying that VPN client doesn't support SSO but supports only SAML at the moment ? Is there any ticket opened for this internally maybe ?  Kindly confirm if you can, thanks a lot for your time on this so far !

- Dawoud

@PhoneBoy That is fine , I am convinced with this as well, there is a workaround in place anyway for this, I will increase auth timeout a little bit so re auth happens maybe once a day for the users. Thanks a ton for your time so far in this @PhoneBoy . I appreciate it a ton !

- Dawoud

To remand my answer above: you actually need to set ForceAuthn on the Azure IDP side of things to true instead of apply the "bugfix" in TM-34402.
Likewise, if you want to leverage the SSO of the IdP, ForceAuthn needs to be set to false (again, in AzureAD).

Hi @PhoneBoy , are you saying that it is possible to request the 2nd-Factor each time the RA VPN session is terminated?

My current challenge is that with AZURE MFA set, when an VPN session is terminated and shortly re-established, the user is not prompted for the 2nd factor - this is not ideal for my organization. The request is that each RA VPN session on termination and re-establishment must do the complete auth-plus-2nd_factor auth.

I have checked with my Azure admin, the minimum token validity duration is 60minutes before the token expires - this doesn't meet the design requirements as this is too long a period of validity.

Thank you, I have done the suggested changes and so far so good - each time a VPN session is ended, even within a minute of attempting login, the user is authenticated 2-ways - I am happy with the solution.