ZPA Authentication Timeout Policy - Enforce Use of Login Credentials

We have many customers asking why, when the ZPA timeout policy occurs, users are not prompted to log in using their credentials with enforced MFA. I’ve been informed by Zscaler TAC that this is because the ZCC uses a persistent SAML session token stored in the browser cache to re-authenticate the user automatically and is related to Integrated Windows Authentication (IWA).

This has raised some security concerns and we’d like a solution to ensure that users are required to enter their credentials manually when the timeout policy is triggered.

I understand the default lifetime for Microsoft SAML session tokens is 90 days, so we’ve tried using Azure conditional access policies to disable persistent browser sessions and enforce session sign-in frequencies, but this has not resolved the problem. We use Azure AD as the IdP for ZPA.

Has anyone found a working solution for this problem?

Have a client with the same concerns, not sure if someone knows an answer.

Unfortunately I’ve still not heard anything back regarding this and now have multiple customer deployments asking the same question. Zscaler TAC have advised that this is not a Zscaler configuration problem or bug and is related to Microsoft Azure AD authentication policy.

Either way, it would be helpful to get a recommendation from Zscaler on this, as I’m sure it’s a common query with ZPA timeout policy and MFA enforcement when re-authenticating to the service.

Hello Adam,
I just found this thread and it came to my attention since the same thing is happening for us.

After the 7 days, users are NOT being asked to re-authenticate. It looks like the re-authentication happens in the background because the timeout policy logs are there. But users never actually did anything to reauthenticate again.

Did you get an answer from Zscaler TAC yet?

If you check the sign-in logs in Azure AD, you should see the user is actually authenticating but it’s happening without any prompt. You can configure a conditional access policy in Azure AD to enforce a login and/or MFA.

Is there some way to configure ZPA to force SAML reauthentication at every connection session similar to the setting in Cisco ASA?

Check this link and scroll down to the “Wrapping Up” section.

That optional config setting on the Cisco side forces a full reauthentication where the user has to sign in and do a new MFA to connect to VPN even if the user had cached session credentials from another Azure cloud app.
The fact that the setting exists for Cisco proves this is something technically possible to do from the application side.
I’m looking for an equivalent option for ZPA.

We had the same issue and opened a case with Microsoft (we use Azure AD with Conditional Access policies). Microsoft said that in our case, since our users have Azure AD Hybrid joined devices, this is expected behavior and there is nothing we can do about it. Microsoft considers logging into Windows with a password one factor, and Hybrid Joined as a 2nd factor, so the Conditional Access policy considers the MFA requirement satisfied and will not allow you to force “additional” MFA. It seems crazy to me that Microsoft would not let the customer make that decision, but we escalated and requested confirmation and they came back with the same answer.

It would be nice if Zscaler allowed 3rd party MFA integration directly into ZPA but I don’t think they have any plans for that.

It isn’t true that nothing can be done about it, or AnyConnect wouldn’t be able to do it.
See ForceAuthN

Microsoft can’t fix it on their side. Zscaler has to send the specific SAML requests to require reauthentication.

That’s right, the application (ZPA) needs to be changed to leverage the sign-in frequency feature that is configured in Azure AD Conditional Access policies. We have our sign-in frequency set at 1h in AAD CA (to demonstrate this is not enforced on the ZPA side) but still have to wait for the 3 days configured in the ZPA timeout policy before Azure MFA can be triggered.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency

Quoting: “The sign-in frequency setting works with SAML applications as well, as long as they do not drop their own cookies and are redirected back to Azure AD for authentication on regular basis.”

On top of that, ZPA could as well support Continuous Access Evaluation (CAE) to react almost immediately to critical events such as user deactivation, password reset or revoking all refresh tokens.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-resilience-continuous-access-evaluation
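
The ForceAuthn point raised in this thread, as an added example that is not part of any post above and is not Zscaler, Cisco or Microsoft code: a SAML service provider sets `ForceAuthn="true"` on its AuthnRequest, then rejects any assertion whose `AuthnInstant` predates that request. The entity ID, ACS URL, request ID and both assertions are constructed, and signature validation is assumed to have happened already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_authn_request(request_id, issuer, acs_url, now, force=True):
    """Serialize an AuthnRequest; ForceAuthn="true" tells the IdP not to reuse an existing session."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true" if force else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")

def authn_is_fresh(assertion_xml, request_time, skew=timedelta(minutes=2)):
    """True only if every AuthnStatement was created at or after the request (minus clock skew)."""
    # Assumption: signature already verified; use a hardened XML parser for untrusted input.
    stmts = ET.fromstring(assertion_xml).findall(f".//{{{SAML}}}AuthnStatement")
    if not stmts:
        return False
    for stmt in stmts:
        raw = stmt.get("AuthnInstant")
        if raw is None:
            return False
        instant = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if instant < request_time - skew:
            return False  # IdP answered from a cached session
    return True

def sample_assertion(authn_instant):
    """Constructed, unsigned assertion fragment for the demo."""
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">'
            f'<saml:AuthnStatement AuthnInstant="{authn_instant}"/></saml:Assertion>')

REQUEST_TIME = datetime(2022, 3, 10, 9, 0, 0, tzinfo=timezone.utc)  # constructed
CACHED = sample_assertion("2022-03-05T08:12:44Z")  # sign-in from five days earlier
FRESH = sample_assertion("2022-03-10T09:00:31Z")   # user re-entered credentials

if __name__ == "__main__":
    print(build_authn_request("_id-constructed", "https://sp.example/metadata",
                              "https://sp.example/acs", REQUEST_TIME))
    print("cached:", authn_is_fresh(CACHED, REQUEST_TIME), "fresh:", authn_is_fresh(FRESH, REQUEST_TIME))
```

The freshness check is what makes the request attribute enforceable: an IdP that ignores `ForceAuthn` and replies from an existing session is caught by the stale `AuthnInstant`.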