Forcing VPN with SAML (Google SSO) to re-authenticate

Here's another weird request from the crazy kiwi.
I have configured the Remote Access VPN to use Google SSO through a SAML app. This seems to be working fine; however, for further testing I wish to force my client to log out, including from the SSO session, to force the 2FA again.

The process is I log on from the client for the first time on a device and I am prompted for a username and password, then for the Google MFA. This is fine, it's accepted and the VPN establishes. Once I am finished with the VPN I can disconnect.

The next time I reconnect it doesn't prompt for anything, which from a user point of view is perfect. No username / password / 2fa just straight in. The secure way is the easy way. 

However for testing I wish to force my account to log out fully, requiring the username / password / 2fa again, and I can't work out how to achieve this from the client. I have even gone as far as deleting and reinstalling the client, however even then it only asks for a username and password as somewhere in the background Google magic knows I've recently done the 2fa so it just works. 

From the client / desktop side I have logged out from my Google account and revoked all trusted devices, but to no avail.

Is there some way from the client side I can force my account to require the 2fa like it was a new connection every time? 

I'm wondering if this might be stored in the registry, or in a cookie or something like that. 

1 Reply

To achieve the desired behavior, you have to have ForceAuthn set to true as part of the SAML request.
This is not done by default currently, but a fix for this can be obtained from the TAC by referencing TM-34402.
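
An added example, not part of the original thread or of any vendor tooling: a Python check that decodes a captured `SAMLRequest` value (for instance from a browser trace of the VPN login redirect) and reports whether `ForceAuthn` is set, which is how you can confirm the gateway is actually asking the IdP for fresh authentication. The sample requests, IDs and URLs below are constructed.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def decode_saml_request(value: str, redirect_binding: bool = True) -> bytes:
    """Return the AuthnRequest XML carried in a SAMLRequest parameter."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    # HTTP-Redirect binding: raw DEFLATE before base64. HTTP-POST: base64 only.
    return zlib.decompress(raw, -15) if redirect_binding else raw


def force_authn_enabled(xml_bytes: bytes) -> bool:
    """True only if the AuthnRequest asks the IdP for fresh authentication."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD not allowed in a SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    # ForceAuthn is an xs:boolean; when absent it defaults to false.
    return root.get("ForceAuthn", "false").strip() in ("true", "1")


def _encode_redirect(xml: str) -> str:
    """Build a SAMLRequest value for the constructed samples below."""
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")


# Constructed sample requests (hypothetical IDs and URLs, not from a real gateway).
TEMPLATE = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" {attr}'
    'AssertionConsumerServiceURL="https://vpn.example.com/saml/acs"/>'
)
DEFAULT_REQUEST = _encode_redirect(TEMPLATE.format(attr=""))
FORCED_REQUEST = _encode_redirect(TEMPLATE.format(attr='ForceAuthn="true" '))

if __name__ == "__main__":
    for name, value in (("default", DEFAULT_REQUEST), ("forced", FORCED_REQUEST)):
        print(name, force_authn_enabled(decode_saml_request(value)))
```

A request without the attribute reports `False`, which matches the behaviour described in the question: the IdP is free to reuse its existing session and skip the 2FA prompt.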

