Identity Provider Settings

Identity Provider is used to identify the user that signs into the Harmony Connect Agent. For more information, see Identity Awareness.

You can configure the Identity Provider settings from Global Settings > Identity & Access > Identity Providers; these settings apply to all registered products in the Check Point Infinity Portal. For documentation, see Global Settings > Identity & Access > Identity Providers in the Infinity Portal Administration Guide.

Use Cases

Feature Support

Harmony Connect integrates with various Identity Providers that implement the SAML protocol. The table below lists the supported Identity Providers and the features that each one supports.

Table columns: Identity Provider; Branch Office Users; Remote Users (Client and Clientless); Automatic Sync of Users and Groups²; Seamless Login³

Supported Identity Providers:

  • Microsoft AD FS¹

  • Microsoft Entra ID (formerly Azure AD)

  • OneLogin¹

  • Okta

  • Ping Identity

  • Generic SAML¹
    For clientless access only

  • Google IDP

Notes:

  1. Does not support automatic sync of users and groups with Harmony Connect. You must manually add users and groups in the Harmony Connect Administrator Portal.

  2. Harmony Connect syncs with the Identity Provider:

    • Every 15 minutes for new users and groups.

    • Every 4 hours for changes in user or group association only if the sync ID is configured.

    The sync speed depends on factors such as the System for Cross-domain Identity Management (SCIM) configuration and the Identity Provider's sync interval.

  3. Seamless login is supported only with Identity Providers that support automatic sync.

    • With seamless login, remote users are directed to log in through the Identity Provider only once: the first time they access resources (the Harmony Connect Agent, the internet and the corporate network).

    • Without seamless login, remote users are directed to log in through the Identity Provider:

      • When they access the resources for the first time or when initiating a new session.

      • The next time they access the resources after the session has expired or been terminated. The session expires after 12 hours.

  4. Users must be logged in to the IDP for Harmony Connect to determine their identity.

Multiple Identity Provider Support

Harmony Connect supports the configuration of multiple IDPs. If you configure multiple IDPs, users are shown a discovery page on which they select the IDP. You must inform users which IDP to select on the discovery page.

The discovery page is presented:

  • When users access the Harmony Connect User App Portal (for Application-Access) or the direct link (URL) for the web application.

  • Every 12 hours when users access the network or the internet from the branch office.

  • Every 12 hours for authentication with the Harmony Connect Agent if the IDP does not support automatic sync.