AnyConnect and SSO - not requiring user to re-auth

Scott jones 15222 · ‎09-19-2023

Bumping into a bit of an odd issue...I've got SAML/SSO configured on an ASA and working. Issue though is it isn't forcing users to re-auth after X minutes/hours. In Workspace, the timeout is set and we've seen other apps force us to log back in, but not AnyConnect. Any ideas? Force re-authentication is enabled already.

Milos_Jovanovic · ‎09-26-2023

Hi @Scott jones 15222,

Re-authentication can only be forced while authenticating, not once authenticated. E.g. if you configure re-authentication every 8 hours, if someone connected to VPN now (counter has just started), then reconnected after 7h45m, there will be no authentication, as SSO is not requesting it. For as long as they remain connected, they will not be prompted to authenticate again, because no authentication process is happening, regardless 8h has passed since initial login. Once reconnected, it should be authenticated again. However, this process is now being controlled by SSO side - your SSO provider dictates how often token is valid, and when to request full authentication again. On Azure, it is called Conditional Access Policy (not sure about other vendors).

Option "force re-authentication" is used to force user not to use previous token, but rather to request new one, which again is happening only upon initial connection (not periodically or in between interval).

What I usually do in this case is to set idle and absolute timeout on VPN session, plus periodic re-authentication request on SSO side. This way, we can guarantee that re-authentication will happen, in best case, as per re-authentication interval from SSO, and in worst case, in absolute timeout + re-authentication interval from SSO - few minutes (if someone deliberately disconnect and reconnect just before end of one timer).

Kind regards,

Milos