Microsoft AD FS

Use these steps to configure SSO (Single Sign-On, a session/user authentication process that permits a user to enter one name and password in order to access multiple applications) authentication with AD FS (Active Directory Federation Services, a Microsoft software component for Windows Server that gives users single sign-on access to an organization's systems and applications).

Step 1: Select IdP and Title

  1. In the Infinity Portal go to Global Settings > Identity & Access > click the plus icon.

  2. Select ADFS.

  3. Click Next.

Step 2: Verify your Domain

  1. Below DNS record Value, a verification value is generated. Copy the value.

  2. Add the copied value to your domain's DNS zone as a TXT record.

  3. Below Domain(s), enter your organization's domain and click the plus icon.

    Check Point makes a DNS query to verify your domain configuration.

  4. Click Next.

    Note - Wait until the DNS record is propagated and can be resolved.
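As an added example (not part of the Check Point documentation), the following PowerShell function checks whether the TXT record from the previous items is already visible through public resolvers, so you know when it is safe to click Next. The domain, the expected value and the resolver addresses are placeholders; the function assumes the TXT record is published at the domain name itself.

```powershell
# Added example: confirm the domain-verification TXT record has propagated.
# Placeholders: replace 'example.com' and the expected value with your own domain
# and the value generated by the Infinity Portal wizard.
function Test-DomainVerificationRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ExpectedValue,
        # Public resolvers, so the check reflects what Check Point's query will see,
        # not a cached answer from your internal DNS.
        [string[]]$Resolvers = @('8.8.8.8', '1.1.1.1')
    )
    foreach ($resolver in $Resolvers) {
        try {
            # -DnsOnly bypasses the local hosts file and NetBIOS/LLMNR fallbacks.
            $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $resolver -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'TXT' } |
                   ForEach-Object { ($_.Strings -join '') }   # long TXT values may be split into chunks
        } catch {
            $txt = @()   # NXDOMAIN, timeout, or no TXT records yet
        }
        [pscustomobject]@{
            Resolver = $resolver
            Found    = [bool]($txt -contains $ExpectedValue)
            Records  = ($txt -join ' | ')
        }
    }
}

# Usage (placeholder values): every row should show Found = True before you continue.
Test-DomainVerificationRecord -Domain 'example.com' -ExpectedValue 'PASTE-THE-GENERATED-VALUE-HERE'
```

If one resolver reports the record and another does not, the change has not finished propagating; wait and run the check again rather than clicking Next.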

Step 3: Create Relying Party Trust in AD FS

Before you start, copy the Entity ID and Reply URL from the wizard and then open the AD FS Management console.

  1. Navigate to AD FS > Trust Relationships > Relying Party Trusts.

  2. Right-click and select Add Relying Party Trust.

  3. The Add Relying Party Trust Wizard opens. Click Start.

  4. Select Enter data about the relying party manually, and click Next.

  5. Enter this information:

    • In Display name - Check Point Infinity Portal.

    • In Notes - This is the relying party trust for Check Point Infinity Portal.

  6. Click Next.

  7. Select AD FS profile and click Next.

  8. In the Configure Certificate section, do not upload a token encryption certificate. Click Next.

Step 4: Allow Connectivity

  1. Select the checkbox Enable support for the SAML 2.0 Web SSO protocol.

  2. In the Service URL field, enter the Reply URL that you copied from the Check Point Infinity Portal.

  3. Click Next.

  4. In the Relying party trust identifier textbox, enter the Entity ID that you copied from the Check Point Infinity Portal.

  5. Click Add and then click Next.

  6. In the next screen, make sure to select I do not want to configure multi-factor authentication > click Next.

  7. Make sure to select Permit all users to access this relying party > click Next.

  8. In the Ready to Add Trust section, click Next.

  9. Select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, then click Close.

Step 5: Set User and Group Claims

  1. In the Edit Claim Rules for Check Point Infinity Portal panel > Issuance Transform Rules tab, click Add Rule.

  2. Set the Claim rule template from the menu list to Send LDAP Attributes as Claims and click Next.

  3. Below Configure Claim Rule, add a claim with these settings:

    • Claim rule name - Groups Claim

    • Attribute store - Active Directory

    • LDAP Attribute - Token-Groups - Unqualified Names

    • Outgoing Claim Type - Group

      Note - Configure the applicable group names in the Infinity Portal user groups IdP ID field.

  4. Add the next claims similarly:

    • First Name

      • Claim rule name - First Name

      • Attribute store - Active Directory

      • LDAP Attribute - Given-Name

      • Outgoing Claim Type - Name

    • Surname

      • Claim rule name - Surname

      • Attribute store - Active Directory

      • LDAP Attribute - Surname

      • Outgoing Claim Type - Surname

    • Email

      • Claim rule name - Email

      • Attribute store - Active Directory

      • LDAP Attribute - E-Mail-Addresses

      • Outgoing Claim Type - E-Mail Address

    • Group IDs

      • Claim rule name - Groups IDs

      • Attribute store - Active Directory

      • LDAP Attribute - Token-Groups as SIDs

      • Outgoing Claim Type - Group SID

    • userId

      • Claim rule name - userId

      • Attribute store - Active Directory

      • LDAP Attribute - objectSid

      • Outgoing Claim Type - Primary SID

  5. Make sure that all six claim rules are listed and click OK.

  6. Restart the AD FS service or restart the server to apply the configuration.

Note - You must configure the AD FS groups on the Infinity Portal User Groups page. Users in these groups are granted access to the Infinity Portal with the roles configured for the user group. In the IdP ID field, below User Groups, enter the AD FS group name exactly as it is sent in the Group claim (the unqualified name, without a domain prefix).
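Steps 3 to 5 can also be scripted on the AD FS server. The following PowerShell is an added example, not a script from Check Point or Microsoft: it creates the same relying party trust with the AD FS module, sets the SAML endpoint and the "permit all users" authorization rule, and defines the six claim rules in AD FS claim rule language, which is what the Send LDAP Attributes as Claims template generates for the mappings listed above. The Entity ID and Reply URL values are placeholders to be replaced with the values shown in the Infinity Portal wizard; the LDAP attribute names in the query strings (givenName, sn, mail, tokenGroups, tokenGroups(SID), objectSid) are the Active Directory attribute store's names for the display names used in the wizard.

```powershell
# Added example: scripted equivalent of Steps 3-5. Run in an elevated PowerShell
# session on the AD FS server. Placeholders are marked; the rest is real AD FS syntax.
Import-Module ADFS

$entityId = 'https://placeholder.invalid/entity-id'   # placeholder: Entity ID from the wizard
$replyUrl = 'https://placeholder.invalid/saml/acs'    # placeholder: Reply URL from the wizard
$rpName   = 'Check Point Infinity Portal'

# Step 4: SAML 2.0 Web SSO. The Reply URL is the assertion consumer service (HTTP-POST).
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $replyUrl -Index 0 -IsDefault $true

# Step 4: "Permit all users to access this relying party".
$authorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 5: one rule per mapping. Each rule takes the signed-in Windows account name,
# queries the Active Directory store for the named attribute, and issues it as the
# listed outgoing claim type (same URIs the wizard's claim-type names map to).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Groups Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "First Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";givenName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Surname"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";sn;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Groups IDs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), query = ";tokenGroups(SID);{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "userId"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSid;{0}", param = c.Value);
'@

# Step 3 + 4: create the trust. No encryption certificate is set, matching the wizard.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Notes 'This is the relying party trust for Check Point Infinity Portal.' `
    -Identifier $entityId `
    -SamlEndpoint $acsEndpoint `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules $transformRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Verify: Identifier and SamlEndpoints must match the Entity ID and Reply URL from the wizard.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules |
    Format-List

# Step 5 ends with a restart to apply the configuration; the AD FS service is adfssrv.
Restart-Service adfssrv
```

The Groups Claim rule uses tokenGroups (unqualified names), so the value the Infinity Portal receives is the plain group name; that is the string to enter in the IdP ID field of the user group.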

Step 6: Configure Metadata

  1. Download the AD FS Federation Metadata file from your federation service (use the AD FS federation service name, which is the host name users are redirected to for sign-in, not the organization domain you verified in Step 2):

    https://<federation-service-name>/FederationMetadata/2007-06/FederationMetadata.xml

  2. In the Configure Metadata page, upload the Federation Metadata XML that you downloaded from your AD FS.

    Note - Check Point reads the federation service URL and the token-signing certificate from the metadata and uses them to identify your AD FS and validate the assertions issued for your users.

  3. Click Next.
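Before uploading the metadata it is worth confirming that it carries the endpoint and token-signing certificate you expect. The following PowerShell is an added example, not from Check Point or Microsoft: it downloads the metadata, prints the entityID, the single sign-on endpoints and each signing certificate's thumbprint and expiry, and compares the thumbprints with the certificates AD FS currently holds. The federation service name is a placeholder.

```powershell
# Added example: download and inspect FederationMetadata.xml before uploading it.
# Placeholder: replace with your AD FS federation service name.
$federationService = 'adfs.example.com'
$metadataUrl = "https://$federationService/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile = Join-Path $env:TEMP 'FederationMetadata.xml'

Invoke-WebRequest -Uri $metadataUrl -OutFile $outFile -UseBasicParsing

[xml]$md = Get-Content -Path $outFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# entityID is the issuer value AD FS puts in its assertions.
"entityID: {0}" -f $md.DocumentElement.GetAttribute('entityID')

# SAML SSO endpoints advertised by the IdP role.
$md.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
    ForEach-Object { "SSO endpoint: {0} -> {1}" -f $_.Binding, $_.Location }

# Token-signing certificates: these are what the relying party will trust.
$metadataThumbprints = foreach ($node in $md.SelectNodes(
        "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    "signing cert: {0}  thumbprint={1}  expires={2:u}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
    $cert.Thumbprint
}

# Cross-check against the live AD FS configuration (run on the AD FS server).
$liveThumbprints = (Get-AdfsCertificate -CertificateType Token-Signing).Thumbprint
foreach ($t in $liveThumbprints) {
    if ($metadataThumbprints -notcontains $t) {
        Write-Warning "AD FS token-signing certificate $t is not in the downloaded metadata."
    }
}
```

Keep the expiry dates in mind: if AD FS rolls its token-signing certificate (AutoCertificateRollover in Get-AdfsProperties), the metadata uploaded to the Infinity Portal no longer matches the new certificate and sign-in fails until the metadata is downloaded and uploaded again.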

Step 7: Review

Review the details of the SSO configuration and click Submit.

Important - Before you log out, create a user group with the applicable roles and assign it to the related IdP group name or ID (which of the two applies depends on the identity provider). For more information, see User Groups.