https://community.cisco.com/t5/network-security/fmc-admin-login-with-mfa/m-p/5151318#M1114653 <P>We have successfully tested SSO with MFA logon to the FMC. However, when we attempt to logout, we receive the following message&nbsp;</P><P><SPAN>You are logged in using SSO provided by Azure. To protect your Firewall Management Center account from unauthorized access, you must separately end your Azure IdP session.</SPAN></P><P>There is a button labeled "Redirect to Azure for Log Out."</P><P>Clicking that button redirects me to my MS 365 home page.</P><P>Subsequent logon attempts to the FMC allows me right into the console without 1st or 2nd factor authentication.&nbsp;</P><P>I know that this is the basic premise for SSO...but I wanted to know if there was a way to terminate a session so that I am not allowed directly back into the console without being challenged.</P> Thu, 25 Jul 2024 20:36:53 GMT Danny Dulin 2024-07-25T20:36:53Z https://community.cisco.com/t5/network-security/fmc-admin-login-with-mfa/m-p/5151318#M1114653 <P>We have successfully tested SSO with MFA logon to the FMC. However, when we attempt to logout, we receive the following message&nbsp;</P><P><SPAN>You are logged in using SSO provided by Azure. To protect your Firewall Management Center account from unauthorized access, you must separately end your Azure IdP session.</SPAN></P><P>There is a button labeled "Redirect to Azure for Log Out."</P><P>Clicking that button redirects me to my MS 365 home page.</P><P>Subsequent logon attempts to the FMC allows me right into the console without 1st or 2nd factor authentication.&nbsp;</P><P>I know that this is the basic premise for SSO...but I wanted to know if there was a way to terminate a session so that I am not allowed directly back into the console without being challenged.</P> Thu, 25 Jul 2024 20:36:53 GMT https://community.cisco.com/t5/network-security/fmc-admin-login-with-mfa/m-p/5151318#M1114653 Danny Dulin 2024-07-25T20:36:53Z https://community.cisco.com/t5/network-security/fmc-admin-login-with-mfa/m-p/5151328#M1114655 <P>since you are using the browser you are bound by the M365 login already there... but there are some workarounds you can implement:</P> <P><A href="https://www.reddit.com/r/AZURE/comments/xrupux/conditional_access_require_mfa_every_single_time/" target="_blank">https://www.reddit.com/r/AZURE/comments/xrupux/conditional_access_require_mfa_every_single_time/</A></P> <P><A href="https://learn.microsoft.com/en-us/answers/questions/1107473/how-to-make-an-azure-enterprise-application-always" target="_blank">https://learn.microsoft.com/en-us/answers/questions/1107473/how-to-make-an-azure-enterprise-application-always</A></P> <P>&nbsp;</P> Thu, 25 Jul 2024 21:13:18 GMT https://community.cisco.com/t5/network-security/fmc-admin-login-with-mfa/m-p/5151328#M1114655 ccieexpert 2024-07-25T21:13:18Z https://community.cisco.com/t5/network-security/fmc-admin-login-with-mfa/m-p/5167837#M1115498 <P>Here is one workaround. where would I do this in FMC?<BR /><BR /><SPAN>I modified the machine sending the SAML request to use the ForceAuthn=true option which forced all users accessing an authentication portal to authenticate every time without making changes to the conditional access policy.</SPAN></P> Thu, 29 Aug 2024 20:15:26 GMT https://community.cisco.com/t5/network-security/fmc-admin-login-with-mfa/m-p/5167837#M1115498 Danny Dulin 2024-08-29T20:15:26Z