Limitations of Mobile VPN with SSL SAML Authentication (Entra ID)

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

When you configure the Mobile VPN with SSL client to use SAML authentication with Microsoft Entra ID, the client uses an embedded WebView session for authentication. Because authentication occurs in an isolated session, some browser-based capabilities do not apply.

Symptoms

When users authenticate with Entra ID, they might notice these behaviors:

  • Users must authenticate each time they connect to the VPN.
  • The Mobile VPN with SSL client does not use the system browser for authentication.
  • Single sign-on (SSO) behavior differs from browser-based applications.
  • Session persistence features, such as the Microsoft Entra Keep Me Signed In feature, do not work as expected.

Mobile VPN SSL and Entra ID SAML Limitations

The Mobile VPN with SSL client does not support browser or OS-based SSO features such as Primary Refresh Token or existing Entra ID sessions. Session persistence features are limited because the Mobile VPN with SSL client does not maintain a persistent session state. For example, Conditional Access policies such as multi-factor authentication (MFA) apply during authentication, but persistent session conditions do not apply to the Mobile VPN with SSL client. Additionally, the Keep Me Signed In feature does not work as expected.

For more information about these Entra ID features, go to the Microsoft documentation:

Related Topics

Microsoft Entra ID SAML Authentication with Firebox Mobile VPN with SSL Integration Guide

Troubleshoot Mobile VPN with SSL

About Mobile VPN with SSL