ZPA Authentication Timeout Policy - Enforce Use of Login Credentials

We have many customers asking why, when the ZPA timeout policy occurs, users are not prompted to log in using their credentials with enforced MFA. I’ve been informed by Zscaler TAC that this is because the ZCC uses a persistent SAML session token stored in the browser cache to re-authenticate the user automatically and that it is related to Integrated Windows Authentication (IWA).

This has raised some security concerns and we’d like a solution to ensure that users are required to enter their credentials manually when the timeout policy is triggered.

I understand the default lifetime for Microsoft SAML session tokens is 90 days, so we’ve tried using Azure conditional access policies to disable persistent browser sessions and enforce session sign-in frequencies, but this has not resolved the problem. We use Azure AD as the IdP for ZPA.

Has anyone found a working solution for this problem?

Have a client with the same concerns, not sure if someone knows an answer.

Unfortunately I’ve still not heard anything back regarding this and now have multiple customer deployments asking the same question. Zscaler TAC have advised that this is not a Zscaler configuration problem or bug and is related to Microsoft Azure AD authentication policy.

Either way, it would be helpful to get a recommendation from Zscaler on this, as I’m sure it’s a common query with the ZPA timeout policy and MFA enforcement when re-authenticating to the service.

Hello Adam,
I just found this thread and it came to my attention since the same thing is happening for us.

After the 7 days, users are NOT being asked to re-authenticate, it looks like the re-authentication happens on the background because the timeout policy logs are there. But users never actually did anything to reauthenticate again.

Did you get an answer from Zscaler TAC yet?

If you check the sign-in logs in Azure AD, you should see the user is actually authenticating, but it’s happening without any prompt. You can configure a conditional access policy in Azure AD to enforce a login and/or MFA.
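As an added example (not from any participant in this thread, and not Zscaler or Microsoft documentation), the script below does the two things the last reply describes: it creates an Azure AD Conditional Access policy scoped to the ZPA enterprise application that requires MFA, sets sign-in frequency to "every time" and disables persistent browser sessions, and it then pulls the sign-in log entries for that application so you can tell silent token refreshes (isInteractive false) apart from real prompts. It uses the Microsoft Graph PowerShell SDK; the application ID, pilot group ID and policy name are placeholders you must replace. The policy is created in report-only state so it can be checked against the logs before it is enforced. Note that the original poster reports that sign-in frequency and persistent-browser controls did not resolve the problem in their tenant, so treat this as the thing to test and verify, not as a confirmed fix.

```powershell
# Added example: Conditional Access policy for the ZPA enterprise app plus a
# sign-in log check. Not from the thread; IDs and names below are assumptions.
# Requires: Install-Module Microsoft.Graph (Identity.SignIns and Reports modules).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

$zpaAppId   = "00000000-0000-0000-0000-000000000000"   # assumption: Application (client) ID of the ZPA enterprise app
$pilotGroup = "11111111-1111-1111-1111-111111111111"   # assumption: object ID of a pilot user group

$policy = @{
    displayName = "ZPA - fresh interactive sign-in with MFA"   # assumed name
    # Report-only first: Azure AD evaluates the policy and records the result in
    # the sign-in log without enforcing it. Change to "enabled" once verified.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroup) }
        applications   = @{ includeApplications = @($zpaAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # "everyTime" asks for a fresh primary and secondary (MFA) authentication
        # on every request for a token for this app; value/type are omitted
        # because they only apply to the "timeBased" interval.
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
        # Never issue a persistent (Keep Me Signed In) browser session for this app.
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.DisplayName) with id $($created.Id) in state $($created.State)"

# Verification: list the last 24 hours of sign-ins to the ZPA app. An
# isInteractive value of False with a successful status is the silent
# re-authentication the thread describes; once the policy is enforced you expect
# interactive entries with conditionalAccessStatus 'success' and the policy
# listed as applied.
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "appId eq '$zpaAppId' and createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, UserPrincipalName, IsInteractive, ConditionalAccessStatus,
        @{ n = 'Policies'; e = {
            ($_.AppliedConditionalAccessPolicies |
                ForEach-Object { "$($_.DisplayName):$($_.Result)" }) -join ';'
        } } |
    Format-Table -AutoSize
```

Run it once with the policy in report-only state and compare the Policies column against what users actually experience: if the log shows the policy result as "reportOnlySuccess" on sign-ins that were still non-interactive, the policy matched but did not change the token flow, which is the behaviour the earlier posts describe and is worth raising with both Zscaler and Microsoft with the log entries attached.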