Microsoft ADFS

Use these instructions to configure the SSOClosed Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. authentication with Microsoft ADFSClosed Active Directory Federation Services. A Microsoft software component for Windows Server OS to give users single sign-on access to an organization's systems and applications..

  1. In the Infinity Portal go to > Identity & Access > click the plus icon.

  2. Enter a name for the Integration Title and select ADFS.

  3. Click Next.

In this step, you can configure SSO authentication for Infinity Portal administrators and for end users of Check Point services.

  1. Select Enable Administrators to log in to the portal using this IdP.

  2. Select one of these options:

  1. In the Service(s) Integration section, select one of these options:

    • No Services - There is no SSO authentication from the Identity Provider for end users of Check Point services. This is the default configuration.

    • All Services - End users can log in with SSO from the Identity Provider for all Check Point services that support SSO.

    • Specific Service(s) - A list of services opens. Select service(s) for which you want end users to log in with SSO from the Identity Provider. Available services:

      • Harmony Connect

      • Quantum Gateways

  2. Click Next (or Apply) to complete the Integration Type configuration.

Note - If for Integration Type you selected "Login with a Unique URL", the Verify Domain step is not necessary.

  1. Copy the DNS Value from the Infinity Portal.

  2. On your DNS server, enter the Value as a TXT record.

  3. In the Infinity Portal > Domain(s) section, enter a public DNS domain server name and click the plus icon.

    Check Point makes a DNS query to verify your domain's configuration.

  4. Optional - add more DNS domain servers.

  5. Click Next.

    Note - Wait until the DNS record is propagated and can be resolved.

Before you start, copy the Entity ID and Reply URL from the wizard and then open the Microsoft ADFS Management console.

  1. Navigate to ADFS > Trust Relationships > Relying Party Trusts.

  2. Right-click to select Add Relying Party Trust.

  3. The Add Relying Party Trust Wizard opens. Click Start.

  4. Select Enter data about the relying party manually > click Next.

  5. Enter this information:

    • In Display name - Check Point Infinity Portal.

    • In Notes - This is the relying party trust for Check Point Infinity Portal.

  6. Click Next.

  7. Make sure to select the ADFS profile > click Next.

  8. In the Configure Certificate section, do not upload a token encryption certificate. Click Next.

  1. Select the checkbox Enable support for the SAML 2.0 Web SSO protocol.

  2. In the Service URL field, enter the Reply URL that you copied from the Check Point Infinity Portal.

  3. Click Next.

  4. In the Relying party trust identifier textbox, enter the Entity ID that you copied from the Check Point Infinity Portal.

  5. Click Add and then click Next.

  6. In the next screen, make sure to select I do not want to configure multi-factor authentication > click Next.

  7. Make sure to select Permit all users to access this relying party > click Next.

  8. In the Ready to Add Trust section, click Next.

  9. Select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, then click Close.

  1. In the Edit Claim Rules for Check Point Infinity Portal panel > Issuance Transform Rules tab, click Add Rule.

  2. Set the Claim rule template from the menu list to Send LDAP Attributes as Claims and click Next.

  3. Below Configure Claim Rule, enter these settings:

  4. Add a claim with these settings:

    • Claim rule name - Groups Claim

    • Attribute store - Active Directory

    • LDAP Attribute - Token-Groups - Unqualified Names

    • Outgoing Claim Type - Group

      Note - Configure the applicable group names in the Infinity Portal user groups IdP ID field.

  5. Add the next claims:

    • Name

      • Claim rule name - Name

      • Attribute store - Active Directory

      • LDAP Attribute - Name

      • Outgoing Claim Type Name

    • Email

      • Claim rule name - Email

      • Attribute store - Active Directory

      • LDAP Attribute - E-Mail-Addresses

      • Outgoing Claim Type - E-Mail Address

    • Group IDs

      • Claim rule name - Groups IDs

      • Attribute store - Active Directory

      • LDAP Attribute - Token-Groups as SIDs

      • Outgoing Claim Type - Group SID

    • userId

      • Claim rule name - userId

      • Attribute store - Active Directory

      • LDAP Attribute - objectSid

      • Outgoing Claim Type - Primary SID

  6. Make sure you have the claims and click OK.

  7. Restart the ADFS services or restart the server to apply the configuration.

Note - It is necessary to configure the ADFS groups for use on the Infinity Portal User Groups page. The corresponding users in these groups are granted access to the Infinity Portal by the roles configured in the Infinity Portal User Groups. In the IdP ID field, below User Groups, provide the ADFS group name.

  1. Download the ADFS Federation Metadata file from:

    https://<your-domain>/FederationMetadata/2007-06/FederationMetadata.xml

  2. In the Configure Metadata page, upload the Federation Metadata XML that you downloaded from your ADFS.

    Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the sites.

  3. Click Next.