Vault triggering spurious MFA push - Web Browser rebinding LDAP?

We are using LDAP for authentication. Our LDAP is set up with an MFA proxy w/ push. We notice we get a lot of denied pushes marked as fraudulent by users that are originating from Vault. The behavior is as follows: user logs into Vault in their web browser; 10-15 minutes later they click another link on the site; the site loads without prompting them to login again, but they get a push on their phone. Even if they deny the push their browser session with Vault is not interrupted until it fully times out hours later.

So, it seems the browser is rebinding to LDAP. Is there a way we can change our Vault config so this doesn’t happen?

I had no idea Vault did this until your question inspired me to have a look at the source code… but it seems that the Vault LDAP auth method internally remembers the user’s password, and repeats the LDAP bind operation to check the account is still valid, and whether the user has gained or lost group memberships, each time the Vault token is renewed.

And, the Vault web UI periodically renews the token it is using.

Unfortunately I’m not aware of any way to turn this behaviour off.
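Given the behaviour described above, one thing an operator can do is check whether the "fraudulent" denies line up with Vault token renewals rather than with anything unexpected. The script below is an added example, not code from this thread or from HashiCorp: it reads Vault audit log lines (JSON per line, as the file audit device writes them) and MFA proxy push records, and labels each push as explained by an LDAP login, by a token renewal of an LDAP-issued token, or as unexplained. It assumes the audit fields `time`, `type`, `request.path`, `auth.display_name` (LDAP tokens appearing as `ldap-<username>`) and `auth.metadata.username`; both the audit lines and the push records are constructed sample data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample Vault audit log lines. The field names follow the Vault file
# audit device format as an assumption; check them against your own audit output.
SAMPLE_AUDIT_LINES = [
    json.dumps({"time": "2024-01-15T09:00:02Z", "type": "response",
                "request": {"path": "auth/ldap/login/alice", "operation": "update"},
                "auth": {"display_name": "ldap-alice", "metadata": {"username": "alice"}}}),
    json.dumps({"time": "2024-01-15T09:12:30Z", "type": "response",
                "request": {"path": "auth/token/renew-self", "operation": "update"},
                "auth": {"display_name": "ldap-alice", "metadata": {"username": "alice"}}}),
    json.dumps({"time": "2024-01-15T09:13:00Z", "type": "response",
                "request": {"path": "secret/data/app", "operation": "read"},
                "auth": {"display_name": "ldap-alice", "metadata": {"username": "alice"}}}),
    json.dumps({"time": "2024-01-15T09:25:00Z", "type": "response",
                "request": {"path": "auth/token/renew-self", "operation": "update"},
                "auth": {"display_name": "token-ci", "metadata": {}}}),
]

# Constructed MFA proxy push records: (timestamp, username, outcome).
SAMPLE_PUSHES = [
    ("2024-01-15T09:00:04Z", "alice", "approved"),
    ("2024-01-15T09:12:31Z", "alice", "denied_fraud"),
    ("2024-01-15T10:45:00Z", "alice", "denied_fraud"),
]


def parse_ts(value):
    """Parse the UTC timestamps used in both data sources."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ldap_rebind_events(lines):
    """Return (time, username, kind) for audit entries that cause an LDAP bind:
    the initial LDAP login ('login') and every renewal of an LDAP-issued token
    ('renewal'), which is where the LDAP auth method re-binds with the stored password."""
    events = []
    for line in lines:
        entry = json.loads(line)
        if entry.get("type") != "response":
            continue
        auth = entry.get("auth") or {}
        display_name = auth.get("display_name", "")
        if not display_name.startswith("ldap-"):
            continue  # only LDAP-issued tokens trigger a re-bind
        path = entry.get("request", {}).get("path", "")
        if path.startswith("auth/ldap/login/"):
            kind = "login"
        elif path == "auth/token/renew-self":
            kind = "renewal"
        else:
            continue  # ordinary reads/writes do not touch LDAP
        username = (auth.get("metadata") or {}).get("username") or display_name[len("ldap-"):]
        events.append((parse_ts(entry["time"]), username, kind))
    return events


def classify_pushes(pushes, rebinds, window=timedelta(seconds=30)):
    """Attach an explanation to each push: the kind of the most recent Vault
    re-bind for the same user within `window` before the push, else 'unexplained'."""
    results = []
    for ts, user, outcome in pushes:
        push_time = parse_ts(ts)
        explanation = "unexplained"
        best = None
        for ev_time, ev_user, kind in rebinds:
            if ev_user == user and timedelta(0) <= push_time - ev_time <= window:
                if best is None or ev_time > best:
                    best, explanation = ev_time, kind
        results.append((ts, user, outcome, explanation))
    return results


if __name__ == "__main__":
    for row in classify_pushes(SAMPLE_PUSHES, ldap_rebind_events(SAMPLE_AUDIT_LINES)):
        print(row)
```

Pushes labelled `renewal` are the ones the thread describes: the Web UI renewed its token, the LDAP method re-bound with the remembered password, and the MFA proxy sent a push the user did not expect. Pushes left `unexplained` (no Vault login or renewal for that user shortly before) are the ones worth following up as potential credential misuse instead of dismissing as Vault noise.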