ZPA Authentication Timeout Policy - Enforce Use of Login Credentials

We have many customers asking why, when the ZPA timeout policy occurs, users are not prompted to log in using their credentials with enforced MFA. I’ve been informed by Zscaler TAC that this is because the ZCC uses a persistent SAML session token stored in the browser cache to re-authenticate the user automatically and is related to Integrated Windows Authentication (IWA).

This has raised some security concerns and we’d like a solution to ensure that users are required to enter their credentials manually when the timeout policy is triggered.

I understand the default lifetime for Microsoft SAML session tokens is 90 days, so we’ve tried using Azure conditional access policies to disable persistent browser sessions and enforce session sign-in frequencies, but this has not resolved the problem. We use Azure AD as the IdP for ZPA.

Has anyone found a working solution for this problem?
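For reference, this is the kind of Entra ID (Azure AD) conditional access policy the post refers to: a sign-in frequency plus "never persist browser session" scoped to the ZPA enterprise application. It is an added example, not from the original post or from Zscaler, written with the Microsoft Graph PowerShell SDK; the group ID and application ID are placeholders you replace with your tenant's values, and the policy is created in report-only state so it can be reviewed in sign-in logs before enforcement.

```powershell
# Added example (not from the original post): create a conditional access
# policy that forces re-authentication for the ZPA app on a schedule and
# disables persistent browser sessions. Requires Microsoft.Graph.Identity.SignIns.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholders: replace with your pilot group's object ID and the application
# (client) ID of the ZPA enterprise app registered in your tenant.
$pilotGroupId = "<PILOT-GROUP-OBJECT-ID>"
$zpaAppId     = "<ZPA-ENTERPRISE-APP-ID>"

$params = @{
    displayName = "ZPA - reauthenticate and no persistent browser session"
    # Report-only first: evaluate in sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @($zpaAppId) }
        # Cover both the browser-based SAML flow and the ZCC desktop client.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        # Require a fresh interactive sign-in (with MFA, if a grant control
        # demands it) at least every 8 hours for this application.
        signInFrequency   = @{ value = 8; type = "hours"; isEnabled = $true }
        # Do not let the browser keep the session across browser restarts.
        persistentBrowser = @{ mode = "never"; isEnabled = $true }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
"Created policy {0} ({1}) in state {2}" -f $policy.DisplayName, $policy.Id, $policy.State
```

The session controls govern the token lifetime the IdP hands to the browser; whether the ZCC's cached SAML session and IWA path honour them is exactly the open question in the post, so check the sign-in log entries for the ZPA app after the configured interval to confirm an interactive prompt actually occurs.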

I have a client with the same concerns; not sure if someone knows an answer.