OneLogin
Use these steps to configure SSO authentication with OneLogin.
Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications.
Prerequisite
- Permissions to your company's DNS server if you select login-based domain verification as the integration type.
- In the Check Point Portal, go to > Identity & Access and click the plus icon.
- Enter a name for the Integration Title and select OneLogin.
- Click Next.
In this step of the IdP Integration Wizard, you can configure SSO authentication for Check Point Portal administrators and for end users of Check Point services.
- Select Enable Administrators to log in to the portal using this IdP.
- Select one of these options:
  - Login based on domain verification - Check Point Portal Administrators can log in to this Check Point Portal account with SSO from the Identity Provider. Administrators log in through the Check Point Portal login page.
  - Login with a unique URL - Check Point Portal Administrators can log in to multiple Check Point Portal accounts with SSO from the Identity Provider. Administrators log in using the URL that appears at the bottom of the Login with a unique URL section. Copy this URL and keep it in a safe place.
  Identity Provider (IdP or IDP) - A system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.
- In the Service(s) Integration section, select one of these options:
  - No Services - End users of Check Point Portal services cannot authenticate with SSO from the Identity Provider. This is the default configuration.
  - All Services - End users can log in with SSO from the Identity Provider to all Check Point services that support SSO.
  - Specific Service(s) - From the list of services, select the service(s) whose end users can log in with SSO from the Identity Provider. Available services:
    - Connect
    - Quantum Gateways
- Click Next (or, if you are editing a configuration, Apply) to complete the Integration Type configuration.
Note - If you selected Login with a unique URL for Integration Type, the Verify Domain step is not necessary.
- Connect to your DNS server.
- Copy the DNS Value from the Check Point Portal IdP Integration wizard > Verify Domain step.
- On your DNS server, enter the Value as a TXT record.
- In the Check Point Portal > Domain(s) section, enter a public DNS domain server name and click the plus icon.
  Check Point makes a DNS query to verify your domain's configuration.
- Optional - add more DNS domain servers.
- Click Next.
Note - Wait until the DNS record propagates and becomes resolvable.
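Before clicking Next, it helps to confirm from outside your own network that the TXT record already resolves. The following is an added example (not Check Point's or OneLogin's code) that parses the output of a resolver query such as `dig +short TXT <domain>` and reports whether the expected value is present, distinguishing "not propagated yet" from "present with a different value". The domain, the record value and the resolver output are constructed; the real record name and value come from the Verify Domain step of the wizard, not from this example.

```python
"""Check whether a domain-verification TXT record is visible in resolver output.

Added example, not Check Point's or OneLogin's code. Parses the quoted strings
that `dig +short TXT <domain>` prints and looks for the expected value.
"""
import re

# Constructed sample of `dig +short TXT` output. A long TXT record is printed as
# several quoted chunks on one line (they must be concatenated), and unrelated
# TXT records for the same name are usually present too.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.com ~all"
"checkpoint-verification=" "abc123def456"
"google-site-verification=xyz"
'''

# Constructed placeholder; the real value is shown in the wizard's Verify Domain step.
EXPECTED_VALUE = "checkpoint-verification=abc123def456"

# One quoted chunk; allows backslash-escaped quotes inside the chunk.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_records(dig_output: str) -> list[str]:
    """Return one string per TXT record, joining the quoted chunks of each line."""
    records = []
    for line in dig_output.splitlines():
        chunks = _QUOTED.findall(line)
        if not chunks:
            continue  # blank line or a non-TXT answer
        # Drop the escaping backslashes, then concatenate the chunks of this record.
        records.append("".join(re.sub(r"\\(.)", r"\1", c) for c in chunks))
    return records


def txt_record_present(dig_output: str, expected: str) -> bool:
    """True if one TXT record equals `expected` exactly (surrounding whitespace ignored)."""
    return any(r.strip() == expected for r in parse_txt_records(dig_output))


def verification_status(dig_output: str, expected: str) -> str:
    """Human-readable verdict that separates 'not propagated' from 'wrong value'."""
    records = parse_txt_records(dig_output)
    if not records:
        return "no TXT records returned: record not yet propagated or wrong name"
    if txt_record_present(dig_output, expected):
        return "verification record found"
    prefix = expected.split("=", 1)[0] + "="
    if any(r.startswith(prefix) for r in records):
        return "a verification record exists but its value does not match"
    return "TXT records exist but none is the verification record"


if __name__ == "__main__":
    print(verification_status(SAMPLE_DIG_OUTPUT, EXPECTED_VALUE))
```

Run it against live output with `dig +short TXT yourdomain.example | python3 -c '...'` style piping, or paste the output into `SAMPLE_DIG_OUTPUT`; querying a public resolver rather than your own DNS server is what tells you the record has actually propagated.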
- Log in to your OneLogin account and select Administration to switch to admin mode.
- Below the Applications tab, select Application and click Add App.
- In the search box, select one of these:
  - SAML Test Connector (Advanced) - If you do not want to configure Directory Integration, or if you want to configure Directory Integration - Manual Sync
  - SCIM Provisioner with SAML (SCIM v2 Core) - If you want to configure Directory Integration - SCIM (Automatic Sync)
  For information about Directory Integration to help you choose, see Directory Integration.
- In the Info tab, enter:
  Display Name - Check Point Portal.
- Click Save.
- On the Allow Connectivity page, copy the Entity ID and the Reply URL.
- Complete the settings for the OneLogin application. Go to the Configuration tab and enter this information:
  - Audience (EntityID) - The Entity ID you copied in the Check Point Portal
  - ACS (Consumer) URL* - The Reply URL you copied in the Check Point Portal
  - ACS (Consumer) URL Validator* - The Reply URL domain with a backslash before each forward slash (OneLogin evaluates this field as a regular expression). For example: https:\/\/cloudinfra-gw.portal.checkpoint.com\/
- Click Save.
- Go to the Check Point Portal. On the Allow Connectivity page, click Next.
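Because the ACS (Consumer) URL Validator is a regular expression, it is worth checking what the value actually accepts before saving it. The following is an added example (not OneLogin's or Check Point's code) that evaluates the validator from the step above against a few candidate ACS URLs and contrasts it with an anchored, dot-escaped form. The stricter expression and the candidate URLs are constructed for illustration, and the example assumes an unanchored regex search, since the page does not state how OneLogin anchors the field.

```python
"""Evaluate an ACS (Consumer) URL Validator regex against candidate URLs.

Added example, not OneLogin's or Check Point's code. Shows how the validator
value given on this page behaves and how an anchored form with escaped dots
differs. Assumes unanchored regex search semantics (an assumption).
"""
import re

# Validator value exactly as given on this page (forward slashes escaped).
PAGE_VALIDATOR = r"https:\/\/cloudinfra-gw.portal.checkpoint.com\/"

# Stricter variant (constructed, not from the page): anchored at both ends and
# with the dots escaped so '.' can only match a literal dot.
STRICT_VALIDATOR = r"^https:\/\/cloudinfra-gw\.portal\.checkpoint\.com\/[^\s]*$"

# Constructed candidate URLs, keyed by what each one exercises.
CANDIDATE_URLS = {
    "exact reply url": "https://cloudinfra-gw.portal.checkpoint.com/",
    "reply url with a path": "https://cloudinfra-gw.portal.checkpoint.com/saml/acs",
    "dots replaced by other characters": "https://cloudinfra-gwXportalXcheckpoint.com/",
    "expected host only embedded later in the url":
        "https://other.example/?u=https://cloudinfra-gw.portal.checkpoint.com/",
}


def acs_url_allowed(validator: str, url: str) -> bool:
    """True if the URL satisfies the validator under unanchored search semantics."""
    return re.search(validator, url) is not None


def evaluate_validator(validator: str) -> dict[str, bool]:
    """Map each candidate description to whether the validator accepts that URL."""
    return {label: acs_url_allowed(validator, url) for label, url in CANDIDATE_URLS.items()}


if __name__ == "__main__":
    for name, validator in (("page value", PAGE_VALIDATOR), ("strict value", STRICT_VALIDATOR)):
        print(name)
        for label, ok in evaluate_validator(validator).items():
            print(f"  {'accept' if ok else 'reject'}: {label}")
```

The page's value accepts all four candidates because the unescaped dots match any character and nothing anchors the expression to the start of the URL; the anchored form accepts only the two URLs that really are on the Reply URL host. Either way, the ACS URL itself is the value Check Point gave you, so the validator only limits which variations of it OneLogin will accept.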
IdP Initiated lets you connect directly to Check Point Portal from your OneLogin Admin Console. To do this, you must create a Check Point Portal app card in your OneLogin Admin Console. See the OneLogin documentation.
Step 1: In Check Point Portal, enable IdP Initiated flow:
- In the Check Point Portal > IdP Integration Allow Connectivity step, select the checkbox Enable IDP initiated flow.
  The Relay State field appears.
Step 2: In your OneLogin account, configure the IdP Settings:
- Navigate to your OneLogin Admin Console.
- Click Applications.
- Open the application object for the SAML connection to Check Point Portal.
- From the left toolbar, click Configuration.
- In the Relay State field, enter the Relay State from Check Point Portal.
- Click Save.
Security Assertion Markup Language (SAML) - An XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
Important - Before you can test the connectivity between OneLogin and the Check Point Portal, you must complete all of the IdP integration steps in the Check Point Portal.
- In the OneLogin Portal, go to the Parameters tab and click Add parameter (+) to enter each value. For each parameter below: enter the Field Name, select Include in SAML assertion, click Save, then select the Value and click Save again.
  - Field Name - groups; Value - User Roles
  - Field Name - firstName; Value - First Name
  - Field Name - lastName; Value - Last Name
  - Field Name - email; Value - Email
  - Field Name - userId; Value - Id
- Click Save.
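When a login later fails or a user lands in the portal without roles, the first thing to check is whether the assertion OneLogin sends actually carries the five attributes configured above. The following is an added example (not Check Point's or OneLogin's code) that extracts the AttributeStatement from a SAML response and lists any of those attribute names that are absent or empty. The response is a constructed, unsigned sample, and the user values in it are made up; in real use you would paste in a decoded response captured from your browser's SAML tracer, and the signature must be verified by the service provider before any attribute in it is trusted.

```python
"""Check that a SAML assertion carries the attributes configured in OneLogin.

Added example, not Check Point's or OneLogin's code. The response below is a
constructed, unsigned sample; it only exercises the attribute check.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Attribute names exactly as entered in the OneLogin Parameters tab on this page.
REQUIRED_ATTRIBUTES = ("groups", "firstName", "lastName", "email", "userId")

# Constructed sample response (no signature, made-up user data).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Portal Admins</saml:AttributeValue>
        <saml:AttributeValue>Connect Users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="userId"><saml:AttributeValue>12345</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(xml_text: str) -> dict[str, list[str]]:
    """Map each SAML attribute Name to the list of its AttributeValue strings."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def name_id(xml_text: str) -> str:
    """The subject NameID, or an empty string if the assertion has none."""
    el = ET.fromstring(xml_text).find(".//saml:Subject/saml:NameID", NS)
    return (el.text or "") if el is not None else ""


def missing_attributes(xml_text: str) -> list[str]:
    """Required attribute names that are absent or carry no non-empty value."""
    attrs = extract_attributes(xml_text)
    return [n for n in REQUIRED_ATTRIBUTES
            if not any(v.strip() for v in attrs.get(n, []))]


if __name__ == "__main__":
    print("NameID:", name_id(SAMPLE_RESPONSE))
    for name, values in extract_attributes(SAMPLE_RESPONSE).items():
        print(f"{name}: {values}")
    print("missing:", missing_attributes(SAMPLE_RESPONSE) or "none")
```

A common symptom this catches is a parameter created without Include in SAML assertion ticked: the field exists in OneLogin but never appears in the assertion, and `missing_attributes` reports it by name.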
- Go to Users > Roles and click New Role to create user roles (groups).
- Enter the role name and click Save.
- Click the newly created role to edit it:
  - In the Applications tab, click (+) and add the Check Point Portal application. Click Save.
  - Go to the Users tab to add users. In Check existing or add new users to this role, search for applicable users by their names and click Check.
- For each selected user, click Add To Role.
  The users show in Users Added Manually.
- Click Save.
- Go to the Check Point Portal application and make sure the users are added.
Note - Copy the name of the assigned group for use with the Check Point Portal User group IdP ID field.
- On the Configure Metadata page, download the Federation Metadata XML from the OneLogin Portal:
  - In your application, go to the Configuration tab and select More Actions > SAML Metadata.
    The file downloads.
  - Upload the file to the Configure Metadata page in the Identity Provider Wizard.
    Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the sites.
- Click Run Test.
  Check Point verifies the metadata of your Identity Provider.
- Click Next.
Directory Integration gets information about users and groups for the services you selected in the Integration Type step > Service(s) Integration section.
Directory Integration does not apply to Users and User Groups in the Check Point Portal.
Important - After you create a Directory Integration, you cannot change it. To create a different Directory Integration, you must create a new Identity Provider (IdP) Integration.
For the Check Point Portal, this feature is optional. To use OneLogin for SSO authentication only, select the checkbox I want to skip this step and use this IdP for SSO authentication only.
You can manage user identity data with Manual API Sync or with System for Cross-Domain Identity Management (SCIM).
| Directory Integration Method | How it Works | Which Users and Groups are Synced |
|---|---|---|
| Manual Sync | Allows Check Point services to query for any change in OneLogin users and groups. The Check Point Portal pulls users and groups from OneLogin. | All users and groups in OneLogin. Nested groups in OneLogin are supported. |
| SCIM | Allows OneLogin to push any change in the user and group directory to Check Point services. | Only users and groups in OneLogin that are assigned to the SCIM connection you created from OneLogin to the Check Point Portal. Important - After you delete a group in OneLogin, OneLogin continues to sync users from that group to the Check Point Portal using SCIM. To prevent this, we recommend that you remove all users from a group in OneLogin before you delete it. |
Some Check Point services may need a permanent user ID (SID) from your directory. This ID lets the service reliably identify each employee and keep their access and permissions accurate, even when their profile changes.
- In OneLogin, log in to your admin account.
- From the menu bar, click Developers > API Credentials.
  The API Access page opens.
- Click New Credential.
  The Create new API credential window opens.
- Enter a name for the new API credential.
- Select Read all.
- Click Save.
  A window with the client credentials opens.
- Copy these values to a separate file:
  - Client ID
  - Client Secret
  Best Practice - Check Point recommends that you save the Token Value in a separate, secure file to retrieve it when required.
- Navigate to Users > Custom User Fields to create a new custom attribute, On-premises security identifier:
  - Click New.
  - Enter on_prem_sid for Name and Shortname.
  - Click Save.
- Navigate to User > Directories to configure mappings:
- In the Check Point Portal IdP wizard, do these steps:
  - Go to the Set Directory Integration page.
  - In the Client ID field, paste the Client ID you copied from OneLogin.
  - In the Client Secret field, paste the Client Secret you copied from OneLogin.
  - In the Sub Domain field, paste the part of the URL for your OneLogin account that comes before ".onelogin.com".
    Example: the Sub Domain for "theGreatCompany.onelogin.com" is "theGreatCompany".
- To test the user and group synchronization between the Check Point Portal and the IdP, click Test Connectivity.
  If the test is unsuccessful, repeat the Set Directory Integration step to configure the user and group synchronization parameters.
- Click Next.
Note - SCIM is supported only for the OneLogin application type SCIM Provisioner with SAML (SCIM v2 Core).
Step 1 - In the Check Point Portal, copy values and complete the IdP Integration Wizard:
- In the Check Point Portal > Directory Integration step, select Automatic Sync (SCIM).
- Copy these values and keep them in a safe place:
  - SCIM API Token
  - URL
- Click Next.
  The Confirm Identity Provider step opens.
- Click Submit.
  OneLogin is now integrated with the Check Point Portal. The OneLogin integration appears in the gallery in the Check Point Portal. Complete the SCIM (Automatic Sync) configuration in the OneLogin Portal.
Step 2 - In the OneLogin Application > Configuration section, paste values:
- In the OneLogin application you created for the Check Point Portal, from the left menu, click Configuration.
- In the SCIM Base URL field in the OneLogin Portal, paste the URL you copied from the Check Point Portal.
- In the SCIM Bearer Token field in the OneLogin Portal, paste the SCIM API Token you copied from the Check Point Portal.
- In the Custom Headers field, enter:
- In the API Connection section, below API Status, click Enabled.
- In the SCIM JSON Template field, enter the value below (Value for OneLogin Portal > "SCIM JSON Template" field):

```json
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "{$parameters.scimusername}",
  "displayName": "{$user.display_name}",
  "externalId": "{$user.id}",
  "phoneNumbers": [{
    "value": "{$parameters.phone}",
    "type": "work",
    "primary": true
  }]
}
```

- Click Save.
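OneLogin replaces the `{$user.*}` and `{$parameters.*}` placeholders in the template at provisioning time, and a template that produces invalid JSON or an empty `userName` surfaces only as failed provisioning tasks later. The following is an added example (not OneLogin's or Check Point's code) that imitates that substitution for a constructed user, JSON-escapes each value so names containing quotes do not break the document, and then checks the result for the fields SCIM 2.0 core requires. The placeholder names are the ones in the template above; the user values and the exact substitution rules are assumptions, since OneLogin's own rendering is not described on this page.

```python
"""Render and sanity-check the SCIM JSON Template from this page.

Added example, not OneLogin's or Check Point's code. Substitutes the template's
{$user.*} / {$parameters.*} placeholders with constructed values and validates
the resulting SCIM User document. The substitution rules are an assumption.
"""
import json
import re

# Template exactly as entered in the SCIM JSON Template field on this page.
SCIM_JSON_TEMPLATE = r'''{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "{$parameters.scimusername}",
  "displayName": "{$user.display_name}",
  "externalId": "{$user.id}",
  "phoneNumbers": [{
    "value": "{$parameters.phone}",
    "type": "work",
    "primary": true
  }]
}'''

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed user and parameter values; the display name deliberately contains quotes.
SAMPLE_USER = {"display_name": 'Jane "JD" Doe', "id": 12345}
SAMPLE_PARAMETERS = {"scimusername": "jdoe@example.com", "phone": "+1 555 0100"}

_PLACEHOLDER = re.compile(r"\{\$(user|parameters)\.([A-Za-z0-9_]+)\}")


def render_template(template: str, user: dict, parameters: dict) -> dict:
    """Substitute every placeholder (JSON-escaped) and parse the rendered document."""
    sources = {"user": user, "parameters": parameters}

    def substitute(match: re.Match) -> str:
        value = sources[match.group(1)].get(match.group(2))
        if value is None:
            raise KeyError(f"no value available for {match.group(0)}")
        # json.dumps yields a quoted, escaped string; the template already supplies
        # the surrounding quotes, so strip them and keep only the escaped body.
        return json.dumps(str(value))[1:-1]

    return json.loads(_PLACEHOLDER.sub(substitute, template))


def scim_user_problems(doc: dict) -> list[str]:
    """Violations of what a SCIM 2.0 core User must carry, plus empty-value checks."""
    problems = []
    if SCIM_USER_SCHEMA not in doc.get("schemas", []):
        problems.append("schemas must include the core User schema")
    if not str(doc.get("userName", "")).strip():
        problems.append("userName is required and must not be empty")
    if not str(doc.get("externalId", "")).strip():
        problems.append("externalId is empty")
    for entry in doc.get("phoneNumbers", []):
        if not str(entry.get("value", "")).strip():
            problems.append("phoneNumbers entry has an empty value")
    return problems


if __name__ == "__main__":
    doc = render_template(SCIM_JSON_TEMPLATE, SAMPLE_USER, SAMPLE_PARAMETERS)
    print(json.dumps(doc, indent=2))
    print("problems:", scim_user_problems(doc) or "none")
```

The `phone` parameter that the template references is the one created in Step 3 below; running the renderer with an empty phone value shows the kind of document OneLogin would push for a user whose phone field is blank.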
Step 3: In the OneLogin Application, configure parameters:
- In the OneLogin application you created for the Check Point Portal, from the left menu, click Parameters.
- In the Credentials are section, make sure that Configured by admin is selected. This option is selected by default.
- In the table, click the + button.
  The New Field window opens.
- For Field name, enter phone.
- Press Enter on the keyboard.
- For Value, select phone.
- In the Flags section, select Include in User Provisioning.
- Click Save.
  The window closes. The phone parameter appears in the table.
- In the table, click the Groups table row.
  The Edit Field Groups window opens.
- Select Include in User Provisioning.
- Click Save.
  The window closes.
- Click Save.
Step 4: In the OneLogin Application, create rules:
- In the OneLogin application you created for the Check Point Portal, from the left menu, click Rules.
- Click Add Rule.
  The New mapping window opens.
- For Name, enter roles.
- In the Actions section, select Set Groups in [NAME OF YOUR APPLICATION].
- Create a rule to assign OneLogin roles to the application. To assign all OneLogin roles to the application, create this rule:
  For each role with value that matches .*
- Click Save.
  The window closes.
Step 5: In the OneLogin Application, enable provisioning:
- In the OneLogin application you created for the Check Point Portal, from the left menu, click Provisioning.
- In the Workflow selection, select Enable provisioning.
- Click Save.
Step 6: In the OneLogin Portal, add users to the application:
You must add OneLogin users individually to the application you created for the Check Point Portal.
- In the OneLogin Portal, from the top menu, click Users.
- Select a user.
- From the left menu, open the Applications tab.
- Click the + icon.
  The Assign new login to [NAME OF THE USER] window opens.
- Select the application you created for the Check Point Portal.
- Click Continue.
- From the top menu, select Users > Provisioning.
- In the table, click the provisioning task for the user that you added.
  A window opens.
- Click Approve.
  The window closes.
Review the details of the SSO configuration and click Submit.
Important - Before you log out, create a user group with the applicable roles and assign it to the related IdP group name or ID (which of the two applies depends on the identity provider). For more information, see User Groups.