Configure SSO JIT Provisioning with ADFS
With JIT provisioning, users log in to ADFS with their ADFS credentials and select CloudGuard, which is configured as a Single Sign-On (SSO) application. SAML authenticates the credentials and passes them to CloudGuard, which creates users based on their email address and maps their AD group membership to existing CloudGuard roles.
Configuring Active Directory
To map AD groups to CloudGuard roles dynamically, create AD groups with a CloudGuard or other relevant prefix (for example, CG-Admins, CG-Users) and add users to these AD groups. Check Point recommends adding a user to only one CloudGuard AD group.

- Create an Active Directory security group for JIT provisioning to CloudGuard (for example, CG-jit-auditors) in your domain environment.
- Add to the group the domain users who have to log in to CloudGuard.
Configuring ADFS
On the ADFS side, make sure that you have a working ADFS configuration. To check this, log in to the main page

https://<server.domain.com>/adfs/ls/idpinitiatedsignon.htm

where <server.domain.com> is your ADFS WAP server. If you need a valid SSL certificate, you can get one for free from Let's Encrypt.

Then add CloudGuard as a Relying Party Trust so that it can consume assertions from the identity provider.
1. In ADFS, add a new Relying Party Trust with the Claims aware option and follow the steps in the Relying Party Trust Wizard.
2. Copy the Service Provider Metadata XML text below and save it to a file. Replace <your-company-name> to match the Account ID string that you configure in step 3(a) below in Configuring CloudGuard. If necessary, update the values of validUntil and cacheDuration.

   XML Template for Service Provider Metadata:

   ```xml
   <?xml version="1.0"?>
   <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2025-09-03T06:43:37Z" cacheDuration="PT604800S" entityID="https://secure.dome9.com">
     <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
       <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://secure.dome9.com/sso/saml/<your-company-name>" index="1" />
     </md:SPSSODescriptor>
   </md:EntityDescriptor>
   ```

3. On the Select Data Source page, import data from the Service Provider Metadata XML file created above.
4. On the Specify Display Name page, in the Display name field, enter CloudGuard.
5. Click Next on each screen until the end of the Wizard.
6. From the Actions panel, select Edit Claim Issuance Policy.
7. Click Add Rule and edit the Get Email rule as shown in the figure.
8. Click OK.
9. Click Add Rule to create another rule.
10. Set the rule name to Convert Email to NameID and edit the rule.
11. Select Transform an Incoming Claim and click Next. Set these fields:
    a. Incoming claim type - E-Mail Address
    b. Outgoing claim type - Name ID
    c. Outgoing name ID format - Email
12. Click OK. You now have two rules: Get Email and Convert Email to NameID.
13. Click Apply.
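The ADFS steps above, scripted with the ADFS PowerShell module, as an added example (not Check Point's code and not part of the original page). It assumes the edited metadata template was saved to C:\temp\cloudguard-sp-metadata.xml and, because the page does not reproduce the rule text from its figure, it assumes the Get Email rule sends both the user's mail attribute and the user's AD group names, the latter as a SAML attribute named memberOf, which is the attribute name the CloudGuard SSO form expects for the just-in-time role:

```powershell
# Added example, not Check Point's code: scripts the ADFS side of the procedure
# (Relying Party Trust from the saved metadata, plus the "Get Email" and
# "Convert Email to NameID" rules) with the ADFS PowerShell module.
# Assumptions: the edited metadata template is saved at $metadataFile, and group
# names are sent to CloudGuard in a SAML attribute named "memberOf".
Import-Module ADFS

$metadataFile = 'C:\temp\cloudguard-sp-metadata.xml'   # assumed path
$rpName       = 'CloudGuard'                           # Display name from the procedure

# --- Pre-checks on the metadata file ------------------------------------------
$raw = Get-Content -Path $metadataFile -Raw
# '<' is not allowed inside an XML attribute value, so the template does not
# parse until <your-company-name> has been replaced with the CloudGuard Account ID.
if ($raw -match '<your-company-name>') {
    throw "Replace <your-company-name> in $metadataFile with the CloudGuard Account ID first."
}
[xml]$md = $raw
$validUntil = [datetime]$md.DocumentElement.GetAttribute('validUntil')
if ($validUntil -lt (Get-Date)) {
    throw "validUntil ($validUntil) is already in the past; update it before importing."
}

# --- Claim rules (same logic as the wizard steps) -----------------------------
# Get Email: LDAP lookup of mail (E-Mail Address claim) and tokenGroups
# (unqualified group names, emitted as "memberOf"; the attribute name is an assumption
# and must match the CloudGuard "Attribute name in SAML for just-in-time role" field).
# Convert Email to NameID: transform E-Mail Address into a NameID with the
# emailAddress format, exactly what "Transform an Incoming Claim" produces.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "memberOf"), query = ";mail,tokenGroups;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Convert Email to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Permit everyone at the ADFS side (the wizard's default); CloudGuard decides the
# role from the memberOf value, so access is really governed by AD group membership.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# --- Create the Relying Party Trust -------------------------------------------
Add-AdfsRelyingPartyTrust -Name $rpName `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# --- Verify: identifier comes from entityID in the metadata, rules as named above
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier,
        @{ n = 'Rules'; e = { ($_.IssuanceTransformRules -split "`n" | Where-Object { $_ -like '@RuleName*' }) -join '; ' } }
```

tokenGroups returns every group the user belongs to, nested groups included, so a user placed in more than one CG-* group sends several memberOf values; this is why the procedure recommends a single CloudGuard group per user. Because membership in these groups now grants CloudGuard roles, treat them as privileged groups and audit changes to their membership.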
Configuring CloudGuard
When you continue in CloudGuard, log in with your super user credentials.

1. In CloudGuard, navigate to the Security & Authentication page in the Settings menu.
2. In the SSO section, click Edit. The SSO Configuration window opens.
3. Complete the SSO Configuration form with these details:
   a. Account ID - Use the Account ID from the XML file above.
   b. Issuer - Set to http://<your.server.com>/adfs/services/trust
   c. Idp endpoint url - Set to http://<your.server.com>/adfs/ls
   d. X.509 Certificate - Paste from your PFX file, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. This is the certificate from your ADFS web server.
4. Check Allow for Just-in-time provisioning for the account, and leave Attribute name in SAML for just-in-time role as memberOf.
5. Click Save.
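A PFX file is a binary PKCS#12 container, so the certificate in it has to be converted to Base64 PEM text before it can be pasted into the X.509 Certificate field in step 3(d). The following PowerShell function does that conversion; it is an added example, not Check Point's code or part of the original page, and the path C:\temp\adfs.pfx is an assumption. Only the public certificate is exported; the private key stays in the PFX.

```powershell
# Added example, not Check Point's code: converts a PFX file into the Base64 PEM
# text (with the BEGIN/END CERTIFICATE lines) that the X.509 Certificate field expects.
# Only the public certificate is exported; the private key never leaves the machine.
function ConvertTo-PemCertificate {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password)

    # Export(Cert) returns the DER-encoded certificate only, without the key.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der)

    # PEM convention: 64 Base64 characters per line.
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }

    # Show which certificate was exported so it can be cross-checked against ADFS.
    Write-Host ("Subject:    {0}`nThumbprint: {1}`nExpires:    {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'This certificate has already expired.' }

    return (@('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')) -join "`n"
}

# Usage: prompt for the PFX password (never hard-code it), print the PEM text and
# copy it to the clipboard for pasting into the CloudGuard SSO Configuration form.
$pem = ConvertTo-PemCertificate -PfxPath 'C:\temp\adfs.pfx' -Password (Read-Host -AsSecureString 'PFX password')   # assumed path
$pem
$pem | Set-Clipboard
```

The metadata template sets WantAssertionsSigned="true", so CloudGuard verifies every assertion's signature against the pasted certificate. If the test login fails with a signature error, compare the thumbprint printed above with the certificate ADFS actually signs tokens with (`Get-AdfsCertificate -CertificateType Token-Signing`) and paste that one instead.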
Testing ADFS Single Sign-On
1. Log in to the ADFS sign-in page with AD credentials, select Sign in to one of the following sites, and choose CloudGuard (or the Display Name you configured).
2. Click Sign in. This logs you in to CloudGuard as a JIT user, with the AD group matched to the CloudGuard role of the same name.
3. Check the System Audit Trail to see the JIT event: