Microsoft Entra ID (formerly Azure AD)

Important - These configuration steps let you set up the Microsoft Entra ID Identity ProviderClosed A system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. Acronym: IdP or IDP. with a Non-Gallery Application.

Prerequisites:

Note - For an integration of more than approximately 150 groups from Microsoft Entra ID, you must Optional - Set Directory Integration (Manual or SCIM).

  1. Log in to your Azure portal.

  2. In the home directory, click on the hamburger button to show the portal menu.

  3. Got to Microsoft Entra ID > Enterprise applications> All applications.

    Important - Check Point does not support the preconfigured Infinity Portal application in Microsoft AzureClosed Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®.. You must create a new application for Infinity Portal in Microsoft Azure as shown in this procedure.

  4. Click New application.

  5. Click Create your own application.

  6. In the What’s the name of your app field, enter a name for the application (example: "Infinity Portal") and click Integrate any other application you don’t find in the gallery (Non-gallery).

  7. Click Create and wait for Azure to add the new application.

  1. Click on the Azure portal menu.

  2. Click Microsoft Entra ID.

  3. Click Groups.

  4. Click New group.

    The New Group window opens.

  5. Enter a Group name and Group description.

  6. Add members to the group.

  7. Click Create and wait for Azure to successfully create the group.

Note - As of January 2024, Microsoft Entra ID does not grant application access to users who are not direct members of an associated group. For more information, see Microsoft documentation.

  1. Open the enterprise application you created for the Infinity Portal.

  2. Click Assign users and groups.

  3. Click add user/group.

  4. Click None Selected.

  5. Search for the group you created for Infinity Portal users.

  6. Click the group and click Select.

  7. Click Assign to assign the group to the application.

  8. Open the user group.

  9. Copy the group's Object Id.

  1. In the Infinity Portal tenant that administrators should access through Azure SSOClosed Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications., click > User Groups.

  2. Click New.

    The ADD USER GROUP window opens.

  3. Enter a Name for the group.

  4. Enter a Description for the group.

  5. In the IDP Id field, paste the Object ID of the group from the Azure portal.

  6. Assign a role to the group. For more information, see User Groups.

  7. Click ADD.

  1. In the Infinity Portal go to > Identity & Access > click the plus icon.

  2. Enter a name for the Integration Title and select Microsoft Entra ID.

  3. Click Next.

In this step, you can configure SSO authentication for Infinity Portal administrators and for end users of Check Point services.

  1. Select Enable Administrators to log in to the portal using this IdP.

  2. Select one of these options:

    • Login based on domain verification- Infinity Portal Administrators can log in to this Infinity Portal account with SSO from the Identity Provider. Administrators log in through the Infinity Portal login page.

    • Login with a unique URL - Infinity Portal Administrators can log in with SSO from the Identity Provider for multiple Infinity Portal accounts. Administrators log in using the URL that appears in the box.

  1. In the Service(s) Integration section, select one of these options:

    • No Services - There is no SSO authentication from the Identity Provider for end users of Check Point services. This is the default configuration.

    • All Services - End users can log in with SSO from the Identity Provider for all Check Point services that support SSO.

    • Specific Service(s) - A list of services opens. Select service(s) for which you want end users to log in with SSO from the Identity Provider. Available services:

      • Harmony Connect

      • Quantum Gateways

  2. Click Next (or Apply) to complete the Integration Type configuration.

Note - If for Integration Type you selected "Login with a Unique URL", the Verify Domain step is not necessary.

  1. Copy the DNS Value from the Infinity Portal.

  2. On your DNS server, enter the Value as a TXT record.

  3. In the Infinity Portal > Domain(s) section, enter a public DNS domain server name and click the plus icon.

    Check Point makes a DNS query to verify your domain's configuration.

  4. Optional - add more DNS domain servers.

  5. Click Next.

    Note - Wait until the DNS record is propagated and can be resolved.

In this step, you enter the Identifier (Entity ID) and Reply URL from the Infinity Portal into the Azure portal and create the required Azure attributes and claims.

Step 1: Copy tokens from the Infinity Portal to the Azure portal

  1. In the Infinity Portal IdP Integration Allow Connectivity page, copy the Identifier (Entity ID) and the Reply URL.

  2. In the Azure portal, click Enterprise Applications.

  3. Open the Azure application you use for the Infinity Portal.

  4. From the left menu, expand Manage and click Single sign-on.

  5. On the Select a single sign-on method page, select SAML.

  6. In the Basic SAML Configuration section, click Edit and do these steps:

    1. In the Identifier (Entity ID) text box, paste the Identifier (Entity ID) you copied from the Infinity Portal.

    2. In the Reply URL (Assertion Consumer Service URL) text box, paste the Reply URL you copied from the Infinity Portal

  7. Optional - Enable IdP initiated login flow. IdP Initiated flow lets you connect directly to the Infinity Portal from your Azure portal.

    1. In the Azure portal, create an app card for the Infinity Portal. See the Microsoft Entra ID documentation for App integrations:

    2. Copy the Sign on URL from the Infinity Portal to the Sign on URL field in the Azure portal.

    3. Copy the Relay State from the Infinity Portal to the Relay State field in the Azure portal.

    4. Click Save.

  8. If you did not do the previous optional step - In the Azure portal, Basic SAML Configuration window, click Save.

Step 2: Configure Attributes and Claims in the Azure portal

  1. In the Azure application you created for the Infinity PortalAttributes & Claims section, click Edit.

  2. Make sure that these claims are in the User Attributes & Claims list. If a claim does not exist, then create it.

    Important - Do not change the default configurations of these claims.

    • Claim Name - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

      Claim Type - SAML

      Value - user.mail

    • Claim Name -http://schemas.xmlsoap.org/ws/2005/05/identity/claim/givenname

      Claim Type - SAML

      Value - user.givenname

Step 3: Add a Group Claim in the Azure portal

  1. In the Azure application you created for the Infinity PortalAttributes & Claims section, click Edit.

  2. Click Add a group claim.

    The Group Claims window opens.

  3. Select Groups assigned to the application.

    Important - Nested groups are supported only if you configure Directory Integration with Manual Sync. See Optional - Set Directory Integration (Manual or SCIM).

  4. For Source attribute, select Group ID.

  5. Click Save.

  6. In the Infinity Portal, click Next/Apply.

Important - Before you can test the connectivity between Microsoft Entra ID and the Infinity Portal, you must complete all of the IdP integration steps in the Infinity Portal.

In this step, you upload the federation metadata XML file.

  1. In the Azure portal, navigate to the enterprise application you created.

  2. In the left navigation pane, click Single Sign-On.

  3. In SAML Signing Certificate, download the Federation Metadata XML file.

  4. In the Infinity Portal > IDP Integration > Configure Metadata page, upload the Federation Metadata XML file.

    Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the sites.

  5. In the Infinity Portal > IDP Integration > Configure Metadata tab, click Next / Apply.

    Check Point validates your Identity Provider's metadata of your Identity Provider.

To use Azure for SSO authentication only, select the checkbox I want to skip this step and use this IdP for SSO authentication only.

Directory Integration gets information about users and groups for the services you selected in the Integration Type step > Service(s) Integration section.

Directory Integration does not apply to Users and User Groups in the Infinity Portal.

Important - After you create a Directory Integration, you cannot change it. To create a different Directory Integration, you must create a new Identity Provider (IdP) Integration.

You can manage user identity data with Manual API Sync or with System for Cross-Domain Identity Management (SCIM).

Directory Integration Method

How it Works

Which Users and Groups are Synced

Manual Sync

Allows Check Point services to query for any change in Microsoft Entra ID users and groups. The Infinity Portal pulls users and groups from Microsoft Entra ID.

All users and groups in Microsoft Entra ID.

Nested groups in Microsoft Entra ID are supported.

SCIM (Automatic Sync)

Allows Microsoft Entra ID to push any change in the user and group directory to Check Point services.

Only users and groups in Microsoft Entra ID that are assigned to the SAML application for the Infinity Portal.

Nested groups in Microsoft Entra ID are not supported.

This video shows you how to configure Manual Sync between the Infinity Portal and Microsoft Entra ID.To finish the integration of Microsoft Entra ID with the Infinity Portal, you must complete the IdP configuration wizard in the Infinity Portal.

Watch the Video

 

In the Azure Portal, set up users and groups synchronization:

Set up permissions to allow the selection of users and user groups from your Microsoft Entra ID environment in the Infinity Portal Policy.

  1. In the Azure portal, click App registrations.

    The App registrations screen opens.

  2. Click + New registration.

    The Register an application screen opens.

  3. Create a new App Registration.

    The app registrations page for the application opens.

  4. Click Manage > API permissions.

    The API permissions screen opens.

  5. In Configured permissions, click + Add a permission.

    The Request API permissions window opens.

  6. In Microsoft APIs, click Microsoft Graph and select Application permissions.

  7. In the Select permissions section:

    1. In the search field, enter Group:

      1. Expand Group.

      2. Select Group.Read.All.

    2. In the search field, enter User:

      1. Expand User.

      2. Select User.Read.All.

    3. Optional - Set up synchronization for device information:

      1. In the search field, enter Device.

      2. Expand Device.

      3. Select Device.Read.All.

  8. Click Add permissions.

  9. In Configured permissions, click Grant admin consent for <application name> and confirm in the confirmation window.

    The Status changes accordingly.

  10. Create an authentication secret key:

    1. In the Azure portal, open your app and click Certificates & secrets.

    2. Click Client secrets > + New client secret.

    3. In the Description field, enter a description for the client's secret.

    4. Select an expiration date and click Add.

    5. From the Value field, copy the value of this new client secret.

      Use this value in the next configuration step.

      Note - You cannot retrieve this secret value after you close the window.

Configure the Infinity Portal IdP:

  1. In the Azure Portal, open your app. Click Overview and expand Essentials.

  2. Copy the values of the Application (client) ID and Directory (tenant) ID.

  3. In the Infinity Portal Identity Provider wizard, paste the values of Application (client) ID, Directory (tenant) ID, and Client Secret created in the previous step and click Next.

  4. To test the users and group synchronization between the Infinity Portal and Identity Provider, click Test Connectivity.

    If the test is unsuccessful, repeat the Set Directory Integration step to configure the user and group synchronization parameters.

  5. Click Next.

    Check Point validates access with the API key.

Prerequisites:

This video shows you how to configure SCIM (Automatic) Sync between the Infinity Portal and Microsoft Entra ID.

Watch the Video

 

Step 1 - Configure the Directory Integration in the Infinity Portal:

  1. In the Infinity Portal Identity Provider wizard, Set Directory Integration step, select Automatic Sync SCIM.

  2. Copy and save the SCIM API Token and URL.

  3. Click Next.

    The Confirm Identity Provider step opens.

  4. Click Submit.

    Microsoft Entra ID is now integrated with the Infinity Portal. The Microsoft Entra ID integration appears in the gallery in the Infinity Portal. Finish configuring SCIM (Automatic Sync) in the Azure portal.

Step 2 - Configure the Application Integration in the Azure Portal:

  1. In your Microsoft Azure account, navigate to Microsoft Entra ID.

  2. From the left toolbar, click Enterprise Applications.

    The Enterprise Applications page opens to the Manage > All applications tab.

  3. In the table, open the enterprise application you created for the Infinity Portal.

  4. From the left menu, click Manage > Provisioning.

    The Provisioning page opens to the Overview tab.

  5. For Provisioning Mode, select Automatic.

  6. In the Admin Credentials section:

    1. In the Tenant URL field, enter the URL you copied from the Infinity Portal's Set Directory Integration step.

    2. In the Secret Token field, enter the SCIM API Token you copied from the Infinity Portal's Set Directory Integration step.

    3. Click Test Connection.

  7. Click Save.

  8. In the Mappings section, click Provision Microsoft Entra ID Directory Users.

    The Attribute Mapping page opens.

  9. On the Attribute Mapping page:

    1. In the Target Object Actions section, make sure these checkboxes are selected: Create, Update, Delete.

    2. In the Attribute Mappings table, find the row with the 'externalId' value in the customappsso Attribute column and click Edit.

      The Edit Attribute page opens.

    3. In the Source attribute field, select objectId.

    4. Click OK.

      The Edit Attribute window closes.

      The Attribute Mapping window opens.

    5. Click Save.

    6. In the confirmation window, click Yes.

  10. From the top navigation toolbar, click [NAME OF APPLICATION]| Provisioning.

  11. From the left menu, go to Manage > Users and groups.

  12. Add users and groups.

  13. From the left menu, click Overview.

  14. Click Start provisioning.

    It can take up to a few hours for Azure to finish sending directory information to the Infinity Portal.

Review the details of the SSO configuration and click Submit.

Note - If you selected to use SCIM, then this step is not necessary.

Important - Create a user group with the applicable roles and assign it to the related IdP group name or ID. This depends on the applicable identity provider before you log out. For more information, see User Groups.