Configuring Microsoft AD FS as Identity Provider

Set up your Identity Provider and then use these settings for the Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. (see Identity Awareness).

Use Cases

• To prevent cyber-attacks, Check Point requires access to your third-party Identity Provider to retrieve and report identity of the users attacked.

• Administrators can enforce different sets of rules for different users and groups. After you integrate Identity Provider with Harmony Connect, you can select users and groups within the security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

To configure Microsoft Active Directory Federation Services as an Identity Provider:

1. Connect to an Identity Provider in the Check Point Infinity Portal

   1. Log in to your Check Point Infinity Portal account. In the Settings tab, go to Identity Provider and click CONNECT NOW.

      The Identity Provider wizard opens.

      

   2. Select Microsoft Active Directory It is a Microsoft directory service that enables Administrators to manage permisssions and network resources. as your Identity Provider.

      

   3. Click Next.

2. Verify your domain

   1. On the Verify Domain page, enter your organization domain.

      Note - You need this step to ensure successful identification for all the users that belong to your organization and connected behind your branch offices. To learn more on the process, see Domain Verification.

   2. The DNS record is generated below.

      Click to copy this generated DNS record value.

      

   3. Enter this generated DNS record to your DNS server as a TXT record.

   4. Click Next on the Verify Domain page.

      Check Point makes a DNS query attempt to verify your domain configuration.

      Note - It may take some time until the DNS record is propagated and can be resolved.

3. Upload the Federation Metadata file

   1. Download the AD FS Federation Metadata file from:

      https://<your-domain>/FederationMetadata/2007-06/FederationMetadata.xml

   2. In the Configure Metadata page, upload the Federation Metadata XML that you downloaded from your AD FS.

      Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the sites.

   3. Click Test your configuration to test your Identity Provider configuration.

      

   4. Enter the Identity Provider credentials. This tests the configuration and shows the result:

      Test passed:

      

      Test failed:

      

   5. Click Next. Check Point verifies the metadata of your Identity Provider

4. Allow Connectivity and Create Relying Party Trust in AD FS

   1. In the Allow Connectivity page, copy the Entity ID and the Reply URL.

   2. Open the AD FS Management Console.

   3. Navigate to AD FS > Trust Relationships > Relying Party Trusts.

      

   4. Right click to select Add Relaying Party Trust….

   5. The Add Relying Party Trust Wizard opens. Click Start.

   6. Select Enter data about the relying party manually, and click Next.

      

   7. Enter this information:

      • In Display name - Check Point Harmony Connect.

      • In Notes - This is the relying party trust for Check Point Harmony Connect.

        

   8. Click Next.

   9. Make sure that the AD FS profile is selected and click Next.

      

   10. In the Configure Certificate section, do not upload a token encryption certificate. Click Next.

       

   11. Select the checkbox Enable support for the SAML 2.0 WebSSO protocol.

   12. In the Service URL field, enter the Reply URL that you copied from the Check Point Infinity Portal.

       

   13. Click Next.

   14. In the Relying party trust identifier textbox, enter the Entity ID that you copied earlier from the Check Point Infinity Portal.

   15. Click Add and then click Next.

       

   16. In the next screen, make sure that the option I do not want to configure multi-factor authentication is selected, and click Next.

       

   17. Make sure that Permit all users to access this relying party is selected, and click Next.

       

   18. In the Ready to Add Trust section, click Next.

       

   19. Select the option Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, then click Close.

       

5. Set user and groups claims

   1. In the Edit Claim Rules for Check Point Harmony Connect panel > Issuance Transform Rules tab, click Add Rule....

      

   2. Set the Claim rule template drop-down menu to Send LDAP Attributes as Claims and click Next.

      

   3. Under Configure Claim Rule, enter these settings:

      • Claim rule name - LDAP - User Principal Name as Name ID

      • Attribute store - Active Directory

      • LDAP Attribute - User-Principal-Name

      • Outgoing Claim Type - Name ID

        

   4. Click Finish.

   5. Add another rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. with these settings:

      • Claim rule name - Groups Claim

      • Attribute store - Active Directory

      • LDAP Attribute - Token-Groups - Unqualified Names

      • Outgoing Claim Type - Group

        

   6. Click Finish.

   7. Add the next claims the same way:

      • First Name

        

      • Surname

        

      • Email

        

      • Group IDs

        

      • userId

        

   8. Make sure you have the claims and click OK.

      

   9. Restart the AD FS services or reboot the server to apply the configuration.

6. Confirm Identity Provider Integration

   1. Go back to the Check Point Harmony Connect Portal. In the Allow Connectivity page, click Next.

   2. In the Confirm Identity Provide page, click Add to complete the wizard.

The Identity Provider installation is ready. Follow the steps below to complete the integration of the AD FS Identification.

1. Enable Identity Awareness

   After you configure your Identity Provider and set the list of the excluded IP or network addresses (Optional), click Enable for Identity Awareness.

   Note - It may take several minutes to enable Identity Awareness. When the process is complete, the page status changes to Enabled, and a new notification appears on the Infinity Portal Notifications pane.

   To disable Identity Awareness, click Disable.

2. Bypass Authentication

   When you enable Identity Awareness, at any stage you can enter one or more IP addresses for Check Point to bypass. This means that the traffic from these IP addresses is not redirected to the Identity Provider Authentication page. This is useful for automatic devices such as printers, servers, or Internet of Things (IoT).

   You can add the bypass authentication in the Identity Awareness window. Go to Policy > Identity Awareness > Bypass authentication from these sources and click [+] to add the IP Addresses, then click Update.

   Note - It may take several minutes to update Identity Awareness. When the process is complete, the page status changes to Enabled, and a new notification appears on the Infinity Portal Notifications pane.

3. Enforce access control rules for specific users and groups

   To get policy enforcement for users and groups, add users and groups to the policy:

   • Adding users

     • In AD FS, open Active Directory Users and Computers. Select a user to watch its identifiers in the Account tab.

       

     • The Name must be the full user name.

     • The User Name must be in the format:<User logon name>@<domain>

       

   • Adding groups

     • In AD FS, open Active Directory Users and Computers.

     • The Name and the Group Identifier must be the same as they appear in the group name in Active Directory Users and Computers.

       

       

   • Installing policy