Configuring OneLogin as Identity Provider

Set up your Identity Provider and then use these settings for the Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. (see Identity Awareness).

Use Cases

• To prevent cyber-attacks, Check Point requires access to your third-party Identity Provider to retrieve and report identity of the users attacked.

• Administrators can enforce different sets of rules for different users and groups. After you integrate Identity Provider with Harmony Connect, you can select users and groups within the security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..

To configure OneLogin as an Identity Provider:

1. Connect to an Identity Provider in the Check Point Infinity Portal

   1. Log in to your Check Point Infinity Portal account. In the Settings tab, go to Identity Provider and click CONNECT NOW.

      The Add Identity Provider wizard opens.

      

   2. Select OneLogin as your Identity Provider.

   

   3. Click Next.

2. Verify your domain

   1. On the Verify Domain page, enter your organization domain.

      Note - You need this step to ensure successful identification for all the users that belong to your organization and connected behind your branch offices. To learn more on the process, see Domain Verification.

   2. The DNS record is generated below.

      Click to copy this generated DNS record value.

      

   3. Enter this generated DNS record to your DNS server as a TXT record.

   4. Click Next on the Verify Domain page.

      Check Point makes a DNS query attempt to verify your domain configuration.

   Note - It may take some time until the DNS record is propagated and can be resolved.

3. Create an application in the OneLogin Portal

   1. Log in to your OneLogin account and select Administration to switch to admin mode.

   2. Under the Applications tab, select Application and click Add App.

      

   3. In the search box, search for SAML Test Connector (Advanced), and select it.

      

   4. In the info tab, enter:

      Display Name - Check Point Harmony Connect

   5. Click Save.

4. Upload the Federation Metadata file

   1. In the Configure Metadata page, download the Federation Metadata XML from the OneLogin Portal:

      1. Inside your application, go to the Configuration tab > More Actions > SAML Metadata.

         

      2. The file downloads.

      3. Upload the file to the Configure Metadata page in the Identity Provider Wizard

         Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the sites.

   2. Click Next.

      Check Point verifies the metadata of your Identity Provider.

5. Allow connectivity

   1. In the Allow Connectivity page, copy the Entity ID and the Reply URL.

   2. Complete the Settings for the OneLogin application. Go to the Configuration tab and enter this information:

      • Audience (EntityID) - The Entity ID you copied previously in the Check Point Infinity Portal.

      • ACS (Consumer) URL* - The Reply URL you copied previously in the Check Point Infinity Portal.

      • ACS (Consumer) URL Validator* - The Reply URL domain with backslashes. For example, https:\/\/cloudinfra-gw.portal.checkpoint.com\/

   3. Click Save.

      

   4. Click Test your configuration to test your Identity Provider configuration.

      

   5. Enter the Identity Provider credentials. This tests the configuration and shows the result:

      Test passed:

      

      Test failed:

      

   6. Go back to the Check Point Harmony Connect Portal. In the Allow Connectivity page, click Next.

6. Set user and group claims

   1. In the OneLogin Portal, go to the Parameters tab, and click Add parameter (+) to enter each value.

      • Filed Name - groups.

        1. Select Include in SAML assertion.

        2. Click Save.

        3. Value - User Roles.

        4. Click Save.

      • Filed Name - firstName.

        1. Select Include in SAML assertion.

        2. Click Save.

        3. Value - First Name.

        4. Click Save.

      • Filed Name - lastName.

        1. Select Include in SAML assertion.

        2. Click Save.

        3. Value - Last Name.

        4. Click Save.

      • Filed Name - userName.

        1. Select Include in SAML assertion.

        2. Click Save.

        3. Value - UserName.

        4. Click Save.

      • Filed Name - email.

        1. Select Include in SAML assertion.

        2. Click Save.

        3. Value - Email.

        4. Click Save.

      • Filed Name - userID.

        1. Select Include in SAML assertion.

        2. Click Save.

        3. Value - OneLogin ID.

        4. Click Save.

   2. Click Save.

      

7. Select relevant users and groups

   1. Go to Users > Roles, and click New Role to create user roles (groups).

      

   2. Enter the role name and click Save.

      

   3. Click the new created role to edit:

      1. In the Applications tab, click (+), and add Check PointHarmony Connect application. Click Save.

         

      2. Go to the Users tab to add users.

         In Check existing or add new users to this role, search for relevant users by their names, and click Check.

         

   1. For each selected user, click Add To Role.

   2. The users should appear in Users Added Manually.

      

   3. Click Save.

   4. Go back to the Check Point Harmony Connect application and make sure the users are added.

      

8. Confirm Identity Provider Integration

   In the Confirm Identity Provider page, click Add to complete the wizard.

The Identity Provider installation is ready. Follow the steps below to complete the integration of the OneLogin Identification.

1. Enable Identity Awareness

   (Optional) When you configure your Identity Provider and set the list of the excluded IP or network addresses, click Enable Identity Awareness for remote users or Enable Identity Awareness for branch sites or both and click Apply Changes.

   Note - After the Identity Awareness update completes, a new notification appears on the Infinity Portal Notifications .

   To disable Identity Awareness, clear the selection.

2. Bypass Authentication

   When you enable Identity Awareness, you can enter one or more IP addresses for Check Point to bypass. The traffic from these IP addresses is not redirected to the Identity Provider authentication page. Use this for devices such as printers, servers, or Internet of Things (IoT).

   To add the bypass authentication in the Identity Awareness window:

   1. Go to Policy > Identity Awareness > Bypass authentication from these sources.

   2. Enter the IP address and click [+] to add it.

   3. Click Update.

   Note - After the Identity Awareness update completes, a new notification appears on the Infinity Portal Notifications .

3. Enforce access control rules for specific users and groups

   To get policy enforcement for users and groups, add users and groups to the policy:

   • Adding users

     • The Name should be the user full name.

     • The User Name should be the user email.

   • Adding groups

     • The Name and the Group Identifier should be the same as they appear in the role name in the Roles tab in the OneLogin Portal.

   • Installing policy