Configuring Okta as Identity Provider

Set up your Identity Provider and then use these settings for the Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. (see Identity Awareness).

Use Cases

• To prevent cyber-attacks, Check Point requires access to your third-party Identity Provider to retrieve and report identity of the users attacked.

• Administrators can enforce different sets of rules for different users and groups. After you integrate Identity Provider with Harmony Connect, you can select users and groups within the security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

To configure Okta as an Identity Provider:

1. Connect to an Identity Provider in the Check Point Infinity Portal

   1. Log in to your Check Point Infinity Portal account. In the Settings tab, go to Identity Provider and click CONNECT NOW.

      The Identity Provider wizard opens.

      

   2. Select Okta as your Identity Provider.

   3. Click Next.

2. Verify your domain

   1. On the Verify Domain page, enter your organization domain.

      Note - You need this step to ensure successful identification for all the users that belong to your organization and connected behind your branch offices. To learn more on the process, see Domain Verification.

   2. The DNS record is generated below.

      Click to copy this generated DNS record value.

      

   3. Enter this generated DNS record to your DNS server as a TXT record.

   4. Click Next on the Verify Domain page.

      Check Point makes a DNS query attempt to verify your domain configuration.

   Note - It may take some time until the DNS record is propagated and can be resolved.

3. Create an application in the Okta Portal

   1. Log in to your Okta Portal.

   2. Make sure the view is set to Classic UI (not Developer Console).

      

   3. Navigate to Applications and click Add Application.

      

   4. Click Create New App.

      

      The Create a New Application Integration panel opens.

   5. For Platform, select Web, and select SAML 2.0 for Sign on method. Click Create.

      

      You are now in Create SAML Integration.

   6. In General Settings, set the application name to Check Point Harmony Connect and click Next.

      

4. Allow connectivity

   1. In the Allow Connectivity page, copy the Entity ID and the Reply URL.

   2. Go back to the Okta Portal and edit the SAML settings:

      • Single sign on URL - Use the Reply URL.

      • Audience URI (SP Entity ID) - Use the Entity ID.

      • Name ID format - Set to EmailAddress.

      • Application username - Set to the Okta username.

        

5. Set user and group attributes

   1. In the same SAML settings page, set attribute statements:

      • Name - firstName

        Name format - unspecified

        Value - user.firstName

      • Name - lastName

        Name format - unspecified

        Value - user.lastName

      • Name - userId

        Name format - unspecified

        Value - user.id

   2. Set group attribute statement:

      Name - groups

      Name format - Basic

      Filter - Matches regex, value: .*

      

   3. Click Next.

   4. Click Finish.

6. Upload Federation Metadata file

   1. Create Metadata file (available in the Classic UI view only):

      1. Go to the Sign On tab.

      2. Click Identity Provider metadata.

         

      3. A new browser tab opens with XML inside. Save the page content as a new file named OktaMetaData.XML.

         

   2. After you create the metadata XML file in the Okta Portal, go to the Allow Connectivity page in the Check Point Infinity Portal and click Next.

   3. In the Configure Metadata page, upload the Federation Metadata XML that you created in your Okta Portal.

      Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the sites.

   4. Click Test your configuration to test your Identity Provider configuration.

      

   5. Enter the Identity Provider credentials. This tests the configuration and shows the result:

      Test passed:

      

      Test failed:

      

   6. Click Next.

      Check Point verifies the metadata of your Identity Provider.

7. Set up Users and Groups Synchronization

   Set up permissions to allow selection of users and user groups from your Okta directory in the Harmony Connect Policy.

   1. In the Okta Portal, check your Okta domain. Usually, this name appears in the address bar and in your account name.

      

   2. Click the icon on the right to the Okta domain name to copy it.

   3. Paste the Okta domain name in the Okta Domain field on the Set Directory Integration page of the Identity Provider wizard.

   4. Back in the Okta Portal, navigate to Security > API > Tokens and click Create Token.

      

   5. In the window that opens, enter the token name and click Create Token.

      The window shows the Token Value that you must copy; otherwise, you can lose it.

   6. Click the icon on the right of the Token Value to copy it to the clipboard.

      

      Best Practice - Check Point recommends you save the Token Value in a separate file to retrieve it when it is required.

   7. In the Harmony Connect Identity Provider wizard, on the Set Directory Integration page, paste the Token Value into the API Token Value field.

      

   8. To test the users and group synchronization between the Infinity Portal and Identity Provider, click Start User and Group Sync Test.

      If the test fails, repeat step Set up users and groups synchronization to reconfigure the user and group synchronization parameters.

      

   9. Click Next.

8. Confirm Identity Provider Integration

   In the Confirm Identity Provider page, click Add to complete the wizard.

The Identity Provider installation is ready. Follow the steps below to complete the integration of the Okta Identification.

1. Enable Identity Awareness

   (Optional) When you configure your Identity Provider and set the list of the excluded IP or network addresses, click Enable Identity Awareness for remote users or Enable Identity Awareness for branch sites or both and click Apply Changes.

   Note - After the Identity Awareness update completes, a new notification appears on the Infinity Portal Notifications .

   To disable Identity Awareness, clear the selection.

2. Bypass Authentication

   When you enable Identity Awareness, you can enter one or more IP addresses for Check Point to bypass. The traffic from these IP addresses is not redirected to the Identity Provider authentication page. Use this for devices such as printers, servers, or Internet of Things (IoT).

   To add the bypass authentication in the Identity Awareness window:

   1. Go to Policy > Identity Awareness > Bypass authentication from these sources.

   2. Enter the IP address and click [+] to add it.

   3. Click Update.

   Note - After the Identity Awareness update completes, a new notification appears on the Infinity Portal Notifications .

3. Enforce access control rules for specific users and groups

   To get policy enforcement for users and groups, add users and groups to the policy:

   • Adding users

   • Adding groups

   • Installing policy