Configuring Ping Identity as Identity Provider

Set up your Identity Provider and then use these settings for the Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. (see Identity Awareness).

Use Cases

To configure Ping Identity as your Identity Provider:

    1. Log in to your Check Point Infinity Portal account. In the Settings tab, go to Identity Provider and click CONNECT NOW.

      The Identity Provider wizard opens.

    2. Select Ping Identity as your Identity Provider.

    3. Click Next.

    1. On the Verify Domain page, enter your organization domain.

      Note - You need this step to ensure successful identification for all the users that belong to your organization and connected behind your branch offices. To learn more on the process, see Domain Verification.

    2. The DNS record is generated below.

      Click to copy this generated DNS record value.

    3. Enter this generated DNS record to your DNS server as a TXT record.

    4. Click Next on the Verify Domain page.

      Check Point makes a DNS query attempt to verify your domain configuration.

      Note - It may take some time until the DNS record is propagated and can be resolved.

  3. First, create a new environment in the Ping Identity Portal.

    1. Log in to your Ping Identity Portal.

    2. Go to the Home page and click Add Environment.

    3. Select Customer solution and click Next.

    4. Make sure PingOne for Customers is available. Click Next.

    5. Enter all relevant information in the form.

    6. Click Finish. Ping Identity redirects you to the Home page.

    In the new environment, create a web application.

    1. Navigate to Connections > Applications and click Add Application.

    2. Click WEB APP, then select SAML and click Configure.

    3. A new Create App Profile page opens.

    4. Enter the application details. For example, set the application name to Check Point Harmony Connect.

    5. Click Next. The Configure SAML Connection page opens.

    6. Under Provide Meta Data, select Manually Enter.

    1. Back in the Infinity Portal Harmony Connect, on the Allow Connectivity page, copy the Entity ID and the Reply URL.

    2. Go back to the Ping Identity Portal and Configure SAML Connection:

      • ACS URLS - Use the Reply URL.

      • Signing - Set to Sign Response.

      • Entity ID

      • Assertion Validity Duration - Set to 3600.

    3. Click Save and Continue.

    4. In the Map Attributes page, define SAML attributes. The User ID attribute = saml_subject appears by default. Change User ID to Email Address.

    5. Click Add Attribute and select PingOneAttribute to add a new attribute.

    6. Select Population ID for User Attribute and enter groups for Application Attribute. Select the Required option.

    7. Click Add Attribute and select PingOneAttribute to add one more attribute.

    8. Select Group Names for User Attribute and enter memberOf for Application Attribute. Select the Required option.

    9. Click Save and Close.

    10. Ping Identity redirects you to the Applications page. In your newly created application, go to the Configuration tab and click Download under Connection Details > Download Metadata.

    11. Download the SAML Metadata file to your computer.

    1. In the Infinity Portal, Identity Provider Wizard > Configure Metadata page, upload the Federation Metadata XML that you downloaded from the Ping Identity Portal.

      Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the sites.

    2. Click Test your configuration to test your Identity Provider configuration.

    3. Enter the Identity Provider credentials. This tests the configuration and shows the result:

      Test passed:

      Test failed:

    4. Click Next. Check Point verifies the metadata of your Identity Provider.

  6. First, you create a Worker application. Then you can set up permissions for users and groups.

    The worker application helps you set user and group automatic synchronization. Therefore, the request to create a new worker application should be at the section “set up user and group synchronization.”

    1. In the Ping Identity Portal, go to Applications and click Add Application.

    2. In the New Application page, select Worker and click Configure.

    3. In the Create App Profile page, enter the application name and description, then click Save and Continue.

    4. In the Attribute Mapping page, click Save and Close.

    Set up permissions to allow selection of users and user groups from your Ping Identity at Harmony Connect Policy.

    1. On the Applications page of the Ping Identity portal, select the Worker application, open the Configuration tab, scroll down and make sure that Grant Type is set to Client Credentials. Under Token Endpoint Authentication Method, select Client Secret Post.

    2. Click Save.

    3. On the Applications page, toggle the slider for each of two applications to enable the User Access.

    4. In the Infinity Portal, Identity Provider Wizard > Set Directory Integration page, fill in the required fields:

      • Environment ID - In Ping Identity Portal, go to Dashboard > Environment Properties and copy the value of Environment ID.

      • Region - In Ping Identity Portal, go to Dashboard > Environment Properties and check the region. In the Wizard, enter EU for Europe, COM for the United States, and ASIA for Asia Pacific.

      • Client ID and Shared Secret - In Ping Identity Portal, go to Connections > Applications and open your Worker application. Open the Configuration tab and copy two values: Client ID and Client Secret.

        • Verify that all fields in Directory Integration are correct.

    5. To test the users and group synchronization between the Infinity Portal and Identity Provider, click Start User and Group Sync Test.

      If the test fails, repeat step Set up users and groups synchronization to reconfigure the user and group synchronization parameters.

    6. Click Next.

  7. In the Confirm Identity Provider page, check all the details and click Add Identity Provider to complete the wizard.

The Identity Provider installation is ready. Follow the steps below to complete the integration of the Ping Identity Identification.

  1. (Optional) When you configure your Identity Provider and set the list of the excluded IP or network addresses, click Enable Identity Awareness for remote users or Enable Identity Awareness for branch sites or both and click Apply Changes.

    Note - After the Identity Awareness update completes, a new notification appears on the Infinity Portal Notifications .

    To disable Identity Awareness, clear the selection.

  2. When you enable Identity Awareness, you can enter one or more IP addresses for Check Point to bypass. The traffic from these IP addresses is not redirected to the Identity Provider authentication page. Use this for devices such as printers, servers, or Internet of Things (IoT).

    To add the bypass authentication in the Identity Awareness window:

    1. Go to Policy > Identity Awareness > Bypass authentication from these sources.

    2. Enter the IP address and click [+] to add it.

    3. Click Update.

    Note - After the Identity Awareness update completes, a new notification appears on the Infinity Portal Notifications .

  3. To get policy enforcement for users and groups, add users and groups to the policy: