Application Proxy - Periodic Logout / Reauthentication required

Schmidtbauer, Nico 0 Reputation points
2025-02-19T20:36:58.5333333+00:00

Hello everyone,

We recently utilized Application Proxy to publish 4 applications to a partner company which has no physical network link to our Onprem environment. All 4 applications use SAML authentication with a respective Application Registration in Entra to allow users to sign in with their Entra ID account.

Now the Application Proxy app(s) came on top: each is registered as a separate "Enterprise Application" and is configured with Pre Authentication to Microsoft Entra ID, as we want to utilize conditional access to control who is able to externally access the app and under which conditions.

In all of the applications we have the following behavior:

  • The external user visits the URL and gets prompted to authenticate (App Proxy pre-authentication)
  • Now he is presented with the application-specific login page, where he chooses SAML / Azure authentication and logs in again (app-specific authentication)
  • The user uses the application, and suddenly, within a time range of about 1-2 hours, the user is prompted to authenticate again in Entra. Potential background scripts on the site fail, as they are all redirected to login.microsoft.com

This behavior does NOT appear:

  • If the application is used network-internally without the Application Proxy (but with Entra authentication internally in the application!)
  • If the user accesses it externally but, instead of using Entra authentication within the application, uses an app-internal user (app-specific form-based authentication with an app-internal user).

So it seems to me this only happens when the user has to authenticate twice, once via App Proxy and another time via the app-internal SAML / OAuth authentication.

I already tried to apply a token lifetime policy of 8 hours, but this had no effect.

I already thought that it might be an issue with the 2nd Entra authentication somehow overwriting the cookie refresh of the App Proxy authentication or something like that, and thought it might be possible to use the same Entra ID application for App Proxy and authentication, but one of these apps, for example, is an SPA. I only get the app-internal Entra authentication to work if I configure the redirect URI as SPA, but then App Proxy does not work because it needs the redirect URI configured as "Web". And having both active for the same redirect URI does not work. Also, this app has no method of configuring SSO via App Proxy.

I'm a bit stuck here and desperately searching for a solution on how we get rid of those constant logouts (which occur even if the user is actively using the apps... so... mid work).

Microsoft Entra Private Access
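A diagnostic a practitioner would want before changing anything: confirm which token lifetime policy is actually attached to which of the two service principals involved (the App Proxy enterprise application and the SAML app registration's service principal), and pull the user's recent sign-ins to see which of the two apps is the one forcing the interactive re-authentication every 1-2 hours. This is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK, and the display names, the user principal name and the start date are placeholders you replace with your own.

```powershell
# Added diagnostic (not from the original post). Requires the Microsoft.Graph PowerShell SDK.
# Placeholder values: replace the display names, UPN and date with your own.
Connect-MgGraph -Scopes "Policy.Read.All", "Application.Read.All", "AuditLog.Read.All" -NoWelcome

# Placeholder display names of the two service principals that each issue a session:
#   1) the Application Proxy enterprise application (pre-authentication)
#   2) the service principal behind the app's own SAML app registration
$appNames = @("Contoso-App1-AppProxy", "Contoso-App1-SAML")

# 1. Every token lifetime policy defined in the tenant, so the 8-hour one can be spotted
Write-Host "== Token lifetime policies defined in the tenant =="
foreach ($p in (Get-MgPolicyTokenLifetimePolicy -All)) {
    Write-Host ("'{0}' (organization default: {1}): {2}" -f `
        $p.DisplayName, $p.IsOrganizationDefault, ($p.Definition -join ''))
}

# 2. Which of those policies is assigned to each service principal.
#    A policy assigned only to the SAML app does nothing for the App Proxy session, and vice versa.
Write-Host "`n== Policy assignment per service principal =="
foreach ($name in $appNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { Write-Warning "No service principal named '$name' (placeholder name?)"; continue }

    $assigned = Get-MgServicePrincipalTokenLifetimePolicy -ServicePrincipalId $sp.Id
    if (-not $assigned) {
        Write-Host "$name ($($sp.Id)): no token lifetime policy assigned, tenant defaults apply"
    } else {
        foreach ($pol in $assigned) {
            Write-Host "$name ($($sp.Id)): '$($pol.DisplayName)' -> $($pol.Definition -join '')"
        }
    }
}

# 3. The affected user's interactive sign-ins since a given time. Grouping by application
#    shows which of the two apps re-prompts at the 1-2 hour mark and with what result.
$upn   = "partner.user@example.com"     # placeholder
$since = "2025-02-19T00:00:00Z"         # placeholder start time (UTC)
Write-Host "`n== Interactive sign-ins for $upn since $since =="
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since and isInteractive eq true" |
    Sort-Object CreatedDateTime |
    Select-Object CreatedDateTime, AppDisplayName, ResourceDisplayName,
                  @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'success' } else { $_.Status.FailureReason } } } |
    Format-Table -AutoSize
```

Read the three sections together: if the 8-hour policy shows up under the tenant list but is assigned to only one of the two service principals, the other session still runs on tenant defaults; the sign-in listing then tells you whether the re-prompts come from the App Proxy application or from the SAML application, which narrows down which session is actually expiring.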