09-23-2024 03:18 PM
Hi,
Wondering if anyone else has had this issue. We've used Sharefile with Duo for quite a while and it works great. Lately when I go to Sharefile, login is normal with domain creds, then MFA, all good. When I go back to Sharefile later in the day it never prompts me to enter my password again, just sends a push.
We have not changed our policy for Sharefile, we are not remembering device, or using Passwordless. I noticed the interface had changed for Sharefile so I opened up a ticket with them, but their support is less than stellar.
Posting here to see if anyone else has this, or does it prompt every time for them?
The only thing that changed was the look and feel on the Sharepoint side, and we do need it to prompt every time.
Thanks
09-25-2024 07:14 AM - edited 09-25-2024 07:15 AM
I have no experience with Sharefile beyond using it to upload and download materials. However, the description you gave suggests that the issue is not on the Duo side, because you are not getting the credentials prompt in the first place, so it seems that Sharefile in the background is doing something different after the latest update. I would try to escalate it with the Sharefile support team or through your account manager.
09-25-2024 08:08 AM
Do you have ShareFile federated with some IdP (Duo SSO, AD FS, Entra, etc.)?
>When I go back to Sharefile later in the day it never prompts me to enter my password again, just sends a push.
If you do use federated login this sounds like the IdP still has a valid SSO session for primary auth. It's typical for IdP sessions to last several hours (multiple IdPs I'm familiar with default to 8 hours), and the length is usually adjustable.
It would be odd for the IdP session length to spontaneously change.
If you aren't using federated login with ShareFile, then definitely it sounds like a change on ShareFile's side.
09-25-2024 08:11 AM
We do use Duo SSO for this, but it hasn't cached the creds in the past. Sharefile is of no help and I've changed all the settings on that side I can, but it still just sends me a push after I re-login even hours later. It did not do this before and we have been using it for years.
I guess there is nothing we can do about it...
Thanks
09-26-2024 05:55 AM
I've been interpreting "it still just sends me a push after I re-login even hours later." as:
That's how it should have been working all along, with the lifetime of the Duo SSO primary auth session determined by the session duration value if using AD as the authentication source, or by the next-hop SAML IdP if using another SAML service for the authentication source, as long as the cookie is present and valid.
https://help.duo.com/s/article/6478
What's your SSO session duration, and is SSO at least asking for password again after the session duration period elapses?
Is it possible that when you were seeing the primary login reprompt before the session duration lifetime expires you were doing something that would have removed the existing IdP session cookie? Completely closing the browser, switching clients (like going from a browser session to a client app session), something like that?
09-26-2024 08:55 AM
Strange, yes that makes sense and I guess I must have been doing as you stated, but it doesn't feel like it.
If this is expected behaviour I accept it and will turn down the session timeout.
Thank you
09-26-2024 11:45 AM
Be aware that the SSO session timeout for AD authentication source affects *all* of your federated apps. There's no way to set the IdP session lifetime per service provider app today.