Sharefile now not prompting for Password on second login

bjames
Level 5

Hi,

Wondering if anyone else has had this issue. We've used Sharefile with Duo for quite a while and it works great. Lately when I go to Sharefile, login is normal with domain creds, then MFA, all good. When I go back to Sharefile later in the day it never prompts me to enter my password again, just sends a push.

We have not changed our policy for Sharefile, we are not remembering device, or using Passwordless. I noticed the interface had changed for Sharefile so I opened up a ticket with them, but their support is less than stellar.

Posting here to see if anyone else has this, or if it prompts every time for them?

The only thing that changed was the look and feel on the Sharepoint side, and we do need it to prompt every time.

Thanks

6 Replies

I have no experience with Sharefile beyond using it to upload and download materials. However, the description you gave suggests that the issue is not on the Duo side, because you are not getting the credentials prompt in the first place, so it seems that Sharefile is doing something different in the background after the latest update. I would try to escalate it with the Sharefile support team or through your account manager.

DuoKristina
Cisco Employee

Do you have ShareFile federated with some IdP (Duo SSO, AD FS, Entra, etc.)?

>When I go back to Sharefile later in the day it never prompts me to enter my password again, just sends a push.

If you do use federated login this sounds like the IdP still has a valid SSO session for primary auth. It's typical for IdP sessions to last several hours (multiple IdPs I'm familiar with default to 8 hours), and the length is usually adjustable.

It would be odd for the IdP session length to spontaneously change.

If you aren't using federated login with ShareFile, then definitely it sounds like a change on ShareFile's side.

Duo, not DUO.

We do use Duo SSO for this, but it hasn't cached the creds in the past. Sharefile is of no help and I've changed all the settings on that side I can, but it still just sends me a push after I re-login even hours later. It did not do this before and we have been using it for years.

I guess there is nothing we can do about it...

Thanks

I've been interpreting "it still just sends me a push after I re-login even hours later." as:

  1. You go to ShareFile.
  2. You get the Duo SSO primary login screen to enter a username and password.
  3. You get the Duo MFA prompt which automatically selects push auth.
  4. You approve the Duo Push and get redirected back to ShareFile as a logged-in user. The SSO session cookie gets created with the lifetime/expiration set by the IdP.
  5. Some amount of time later, in the same browser session (could be a new window or tab in the session, but you did not completely close all browser processes in the intervening hours), you access ShareFile again.
  6. You get redirected back to Duo SSO, but are not prompted to enter primary creds again.
  7. You do get prompted for Duo MFA again, in the form of a push request.
  8. You approve and get redirected back to ShareFile as a logged-in user again.

That's how it should have been working all along, with the lifetime of the Duo SSO primary auth session determined by the session duration value if using AD as the authentication source, or by the next-hop SAML IdP if using another SAML service for the authentication source, as long as the cookie is present and valid.

https://help.duo.com/s/article/6478 

What's your SSO session duration, and is SSO at least asking for password again after the session duration period elapses?

Is it possible that when you were seeing the primary login reprompt before the session duration lifetime expires you were doing something that would have removed the existing IdP session cookie? Completely closing the browser, switching clients (like going from a browser session to a client app session), something like that?

Duo, not DUO.

bjames
Level 5

Strange, yes that makes sense and I guess I must have been doing as you stated, but it doesn't feel like it.

If this is expected behaviour I accept it and will turn down the session timeout.

Thank you

Be aware that the SSO session timeout for AD authentication source affects *all* of your federated apps. There's no way to set the IdP session lifetime per service provider app today.

Duo, not DUO.
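The eight-step flow and the note about the session timeout applying to all federated apps can be modelled in a few lines. This is an example added to the thread, not code from Duo or from any poster; the `IdP` class, the browser id `b1` and the app name `OtherApp` are hypothetical, and the model assumes MFA is required on every access and that closing the browser discards the session cookie.

```python
from dataclasses import dataclass, field

@dataclass
class IdP:
    """Simplified model of an SSO identity provider (assumption, not Duo's code)."""
    session_hours: float                          # one IdP-wide session duration
    sessions: dict = field(default_factory=dict)  # browser id -> session expiry (hours)

    def access(self, browser: str, app: str, now: float) -> list:
        """Return the prompts shown when `app` redirects `browser` to the IdP."""
        prompts = []
        expiry = self.sessions.get(browser)
        if expiry is None or now >= expiry:
            # No valid session cookie: primary credentials are requested again.
            prompts.append("password")
            self.sessions[browser] = now + self.session_hours
        # `app` is deliberately unused: the primary-auth session is not per app.
        prompts.append("mfa")  # MFA on every access (no remembered device)
        return prompts

    def close_browser(self, browser: str) -> None:
        """Closing all browser processes removes the session cookie."""
        self.sessions.pop(browser, None)


def timeline(session_hours: float) -> list:
    """Replay a constructed day of logins and collect the prompts for each."""
    idp = IdP(session_hours)
    seen = [
        idp.access("b1", "ShareFile", 0.0),  # first login of the day
        idp.access("b1", "ShareFile", 5.0),  # hours later, same browser session
        idp.access("b1", "OtherApp", 6.0),   # a second federated app
    ]
    idp.close_browser("b1")
    seen.append(idp.access("b1", "ShareFile", 6.5))                  # cookie gone
    seen.append(idp.access("b1", "ShareFile", 6.5 + session_hours))  # session expired
    return seen


if __name__ == "__main__":
    for hours in (8, 1):
        print(hours, timeline(hours))
```

With an 8-hour session only the first login, the login after closing the browser, and the login after expiry ask for the password; with a 1-hour session every access in this timeline does, including the one to the second app.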