ZPA Authentication Timeout Policy - Enforce Use of Login Credentials

We have many customers asking why, when the ZPA timeout policy occurs, users are not prompted to log in using their credentials with enforced MFA. I've been informed by Zscaler TAC that this is because the ZCC uses a persistent SAML session token stored in the browser cache to re-authenticate the user automatically, and that it is related to Integrated Windows Authentication (IWA).

This has raised some security concerns and we’d like a solution to ensure that users are required to enter their credentials manually when the timeout policy is triggered.

I understand the default lifetime for Microsoft SAML session tokens is 90 days, so we’ve tried using Azure conditional access policies to disable persistent browser sessions and enforce session sign-in frequencies, but this has not resolved the problem. We use Azure AD as the IdP for ZPA.

Has anyone found a working solution for this problem?
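For readers who want to see what the two Azure AD session controls mentioned above look like in practice, here is an added example (not part of the original post, and not a Zscaler or Microsoft artefact) that creates a Conditional Access policy through Microsoft Graph with a sign-in frequency and persistent browser sessions disabled. The group ID, the ZPA enterprise application ID and the policy name are placeholders and are assumptions; the policy is created in report-only state so it can be checked against sign-in logs before enforcement. Note that the poster reports these controls did not change the ZCC re-authentication behaviour, so this illustrates the configuration under discussion rather than a confirmed fix.

```powershell
# Added example: Conditional Access policy with session controls for the ZPA app.
# Requires the Microsoft.Graph PowerShell SDK and a Conditional Access admin role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder identifiers (assumptions): replace with your own tenant values.
$targetGroupId = "00000000-0000-0000-0000-000000000000"   # group of ZPA users
$zpaAppId      = "11111111-1111-1111-1111-111111111111"   # ZPA enterprise application object

$policy = @{
    displayName = "ZPA - require MFA and limit session lifetime (example)"
    # Report-only first: evaluate impact in sign-in logs before setting "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($targetGroupId) }
        applications   = @{ includeApplications = @($zpaAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
    sessionControls = @{
        # Sign-in frequency: require a fresh interactive sign-in after 8 hours.
        # frequencyInterval "everyTime" would instead prompt on every sign-in.
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 8
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
        # Persistent browser session: "never" turns off the "Stay signed in?" KMSI session.
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"
        }
    }
}

# Create the policy and print the returned id and state.
$body = $policy | ConvertTo-Json -Depth 10
$result = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $body -ContentType "application/json"

"Created policy {0} in state {1}" -f $result.id, $result.state
```

After creation, review the policy's report-only results in the Azure AD sign-in logs for the ZPA application; a sign-in frequency control only takes effect on the next interactive authentication, so existing sessions will not be cut short immediately.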

Have a client with the same concerns; not sure if anyone knows an answer.

Unfortunately, I've still not heard anything back regarding this and now have multiple customer deployments asking the same question. Zscaler TAC have advised that this is not a Zscaler configuration problem or bug and is related to Microsoft Azure AD authentication policy.

Either way, it would be helpful to get a recommendation from Zscaler on this, as I'm sure it's a common query with ZPA timeout policy and MFA enforcement when re-authenticating to the service.