Microsoft ADFS

Use these instructions to configure the SSOClosed Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. authentication with Microsoft ADFSClosed Active Directory Federation Services. A Microsoft software component for Windows Server OS to give users single sign-on access to an organization's systems and applications..

  1. In the ,Infinity Portal, go to > Identity & Access > click the plus icon.

  2. Enter a name for the Integration Title and select ADFS.

  3. Click Next.

In this step of the IdP Integration Wizard, you can configure SSO authentication for Infinity Portal administrators and for end users of Check Point services.

  1. Select Enable Administrators to log in to the portal using this IdP.

  2. Select one of these options:

  1. In the Service(s) Integration section, select one of these options:

    • No Services - End users of Infinity Portal services cannot authenticate with SSO from the Identity Provider. This is the default configuration.

    • All Services - End users can log in with SSO from the Identity Provider to all Check Point services that support SSO.

    • Specific Service(s) - From the list of services, select service(s) to allow end users to log into with SSO from the Identity Provider. Available services:

      • Harmony Connect

      • Quantum Gateways

  2. Click Next (or, if you are editing a configuration, Apply) to complete the Integration Type configuration.

Note - If for Integration Type you selected "Login with a Unique URL", the Verify Domain step is not necessary.

  1. Connect to your DNS server.

  2. Copy the DNS Value from the Infinity Portal IdP Integration wizard > Verify Domain step.

  3. On your DNS server, enter the Value as a TXT record.

  4. In the Infinity Portal > Domain(s) section, enter a public DNS domain server name and click the plus icon.

    Check Point makes a DNS query to verify your domain's configuration.

  5. Optional - add more DNS domain servers.

  6. Click Next.

    Note - Wait until the DNS record is propagated and can be resolved.

Important - Keep the Infinity Portal and Microsoft ADFS open during all steps of this procedure.

  1. In Microsoft ADFS, navigate to ADFS > Trust Relationships > Relying Party Trusts.

  2. From the Actions toolbar on the right > Relying Party Trusts section, click Add Relying Party Trust.

    The Add Relying Party Trust wizard opens.

  3. In the Welcome step, click Start.

  4. In the Select Data Source step:

    1. Select Enter data about the relying party manually.

    2. Click Next.

  5. In the Specify Display Name step:

    1. Copy the Display Name from the Infinity Portal and paste it in the Display name field in Microsoft ADFS.

    2. In Microsoft ADFS, click Next.

  6. In the Configure Certificate step, click Next. Do not upload a token encryption certificate.

  7. In the Configure URL step:

    1. Select Enable support for the SAML 2.0 WebSSO protocol.

    2. Copy Replying party SAML 2.0 SSO service URL from the Infinity Portal to the field with the same name in Microsoft ADFS.

    3. Click Next.

  8. In the Configure Identifiers step:

    1. Copy the Relying party trust identifier from the Infinity Portal and paste it in the Relying party trust identifier field in Microsoft ADFS.

    2. Click Next.

  9. In the Choose Access Control Policy step:

    1. Select permit everyone.

    2. Click Next.

  10. In the Ready to Add Trust step, click Next.

  11. In the Finish step, click Finish.

  1. In the Microsoft ADFS Relying Party Trusts window, right click on the table row "check point infinity Portal SSO".

  2. Click Edit Claim Issuance Policy...

    The Add Transform Claim Rule Wizard opens in a new window.

  3. In the Choose Rule Type step:

    1. For Claim rule template, select Send LDAP attributes as claims.

    2. Click Next.

  4. In the Configure Claim Rule step:

    1. For Claim rule name, enter LDAP Attributes as Claims.

    2. For Attribute store, select Active Directory.

    3. In the table, add these LDAPClosed Lightweight Directory Access Protocol. It provides a mechanism used to connect to, search, and modify Internet directories (such as Microsoft Active Directory). attributes:

      LDAP Attribute

      Outgoing Claim Type

      User-Principal-Name

      UPN

      Display-Name

      Name

      E-Mail-Addresses

      E-Mail-Address

      User-Principal-Name

      Primary SID

    4. Click Next.

  5. In the Finish step, click Finish.

  1. In the Microsoft ADFS Relying Party Trusts window, right click on the table row "check point infinity Portal SSO".

  2. Click Edit Claim Issuance Policy...

    The Add Transform Claim Rule Wizard opens.

  3. In the Choose Rule Type step:

    1. For Claim rule template, select Send Group Membership as a Claim.

    2. Click Next.

  4. In the Configure Claim Rule step:

    1. For Claim rule name, enter LDAP Attributes as Claims:

    2. For Attribute store, select Active Directory.

    3. In the table, add this LDAP attribute:

      LDAP Attribute

      Outgoing Claim Type

      Token Groups - Unqualified Names

      Group SID

    4. Click Next.

  5. In the Finish step, click Finish.

  6. Restart the ADFS services or restart the server on which ADFS is running to apply the configuration.

  7. In the Infinity Portal > Allow Connectivity step, click Next.

  1. Download the ADFS Federation Metadata file from:

    https://<your-domain>/FederationMetadata/2007-06/FederationMetadata.xml

  2. In the Infinity Portal > Configure Metadata page, upload the Federation Metadata XML that you downloaded from your ADFS.

    Note - Check Point uses the service URL and the name of your Certificate from the metadata file to identify your users behind the sites.

  3. Click Next.

Review the details of the SSO configuration and click Submit.

Important - Before you log out of the Infinity Portal, create a user group with the applicable roles and assign it to the related IdP group name or ID. For more information, see User Groups.