Microsoft Entra ID (formerly Azure AD)
Important - These configuration steps let you set up the Microsoft Entra ID Identity Provider (IdP) with a Non-Gallery Application.
Prerequisites:
- Permissions to your company's DNS server.
- For Microsoft Entra ID with SAML (Security Assertion Markup Language), you must have Microsoft 365 and Microsoft Entra ID Premium P1 licenses or above.
- For Conditional Access, you must have Microsoft Entra ID Premium P1 or P2. You can use a single Premium P2 license with multiple users. For more information, see Microsoft Entra ID licenses.
Note - For an integration of more than approximately 150 groups from Microsoft Entra ID, you must complete Optional - Set Directory Integration (Manual or SCIM).
- Log in to your Azure portal.
- In the home directory, click the hamburger button to show the portal menu.
- Go to Microsoft Entra ID > Enterprise applications > All applications.
  Important - Check Point does not support the preconfigured Infinity Portal application in Microsoft Azure. You must create a new application for Infinity Portal in Microsoft Azure as shown in this procedure.
- Click New application.
- Click Create your own application.
- In the What's the name of your app field, enter a name for the application (example: "Infinity Portal") and click Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create and wait for Azure to add the new application.
- Click the Azure portal menu.
- Click Microsoft Entra ID.
- Click Groups.
- Click New group.
  The New Group window opens.
- Enter a Group name and Group description.
- Add members to the group.
- Click Create and wait for Azure to successfully create the group.
Note - As of January 2024, Microsoft Entra ID does not grant application access to users who are not direct members of an associated group. For more information, see Microsoft documentation.
- Open the enterprise application you created for the Infinity Portal.
- Click Assign users and groups.
- Click Add user/group.
- Click None Selected.
- Search for the group you created for Infinity Portal users.
- Click the group and click Select.
- Click Assign to assign the group to the application.
- Open the user group.
- Copy the group's Object ID.
- In the Infinity Portal tenant that administrators should access through Azure SSO (Single Sign-On), click > User Groups.
- Click New.
  The ADD USER GROUP window opens.
- Enter a Name for the group.
- Enter a Description for the group.
- In the IDP Id field, paste the Object ID of the group from the Azure portal.
- Assign a role to the group. For more information, see User Groups.
- Click ADD.
- In the Infinity Portal go to > Identity & Access > click the plus icon.
- Enter a name for the Integration Title and select Microsoft Entra ID.
- Click Next.
  In this step, you can configure SSO authentication for Infinity Portal administrators and for end users of Check Point services.
- Select Enable Administrators to log in to the portal using this IdP.
- Select one of these options:
  - One organizational account - Infinity Portal Administrators can log into this Infinity Portal account with SSO from the Identity Provider. Administrators log in through the Infinity Portal login page.
  - One or more organizational accounts - Infinity Portal Administrators can log in with SSO from the Identity Provider for multiple Infinity Portal accounts. Administrators log in through the URL that shows in the box.
- Do one of these actions:
  - Continue to the Service(s) Integration section.
  - Click Next / Apply to complete the Integration Type configuration.
- In the Service(s) Integration section, select one of these options:
  - No Services - There is no SSO authentication from the Identity Provider for end users of Check Point services. This is the default configuration.
  - All Services - End users can log in with SSO from the Identity Provider for all Check Point services that support SSO.
  - Specific Service(s) - A list of services opens. Select the service(s) for which you want end users to log in with SSO from the Identity Provider. Available services:
    - Harmony Connect
    - Quantum Gateways
- Click Next / Apply to complete the Integration Type configuration.
Note - If you select One or more organizational accounts, this step is not necessary.
- The DNS record generates. Click to copy the generated DNS record value.
- Enter the copied DNS record to your DNS server as a TXT record.
- Below Domain(s), enter your organization's public DNS domain name and click the plus icon.
  Check Point makes a DNS query to verify your domain's configuration.
- Click Next.
  Note - Wait until the DNS record is propagated and can be resolved.
- In the Infinity Portal Allow Connectivity page, copy the Entity ID and the Reply URL.
- In the Azure portal, on the Check Point Infinity Portal application integration page, in the Manage section select Single sign-on.
- On the Select a single sign-on method page, select SAML.
- On the Set up single sign-on with SAML page, click the pencil icon to edit the settings for Basic SAML Configuration.
- In the Basic SAML Configuration section, click Edit and do these steps:
  - In the Identifier text box, paste the copied Entity ID.
  - In the Reply URL text box, paste the previously copied Reply URL.
  - In the Sign on URL text box, paste the previously copied Reply URL as well.
- In the User Attributes & Claims section, click Edit and do these steps:
  - Edit User Attributes & Claims and click Add a group claim.
  - In Group Claims, select All Groups. For the Source attribute, select Group ID.
  - In Advanced Options, select Customize the name of the group claim.
  - In the Name (required) field, enter groups.
    Important - Do not use capital letters.
  - Click Save.
  - Make sure that these claims are in the User Attributes & Claims list:
    - Claim Name - identity/claims/emailaddress, Claim Type - User, Value - user.emailaddress
    - Claim Name - identity/claims/givenname, Claim Type - User, Value - user.givenname
    - Claim Name - identity/claims/objectidentifier, Claim Type - User, Value - user.objectidentifier
- If you do not want to configure IdP Initiated Flow, in the Infinity Portal click Next/Apply.
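As an added example (not part of the Check Point procedure), the following Python check parses a SAML assertion as Entra would issue it after the steps above and confirms it carries the three required claims, a group claim named exactly `groups`, and the group Object ID that was pasted into the IDP Id field. The assertion and all IDs are constructed placeholders; the claim names are matched on the `identity/claims/...` suffix the procedure lists.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names as listed in the procedure; Entra emits them as full URIs, so match on the suffix.
REQUIRED_SUFFIXES = ("identity/claims/emailaddress", "identity/claims/givenname",
                     "identity/claims/objectidentifier")
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample (attribute statement only, signature omitted); all IDs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>9e1d3b2a-1111-4c2d-8e3f-0a1b2c3d4e5f</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_claims(assertion_xml, idp_group_id):
    """Return the problems found; an empty list means the assertion carries what the portal needs."""
    root = ET.fromstring(assertion_xml)
    attrs = {a.get("Name") or "": [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    problems = []
    for suffix in REQUIRED_SUFFIXES:
        if not any(name.endswith(suffix) for name in attrs):
            problems.append(f"missing claim ending in '{suffix}'")
    group_claims = [name for name in attrs if name.lower() == "groups"]
    if not group_claims:
        problems.append("no group claim; add one named 'groups' with source attribute Group ID")
    elif group_claims != ["groups"]:
        problems.append(f"group claim must be named exactly 'groups' (lowercase), got {group_claims}")
    else:
        values = attrs["groups"]
        if not all(GUID.match(v) for v in values):
            problems.append("group claim values are not Object IDs; set the source attribute to Group ID")
        if idp_group_id.lower() not in {v.lower() for v in values}:
            problems.append("user is not in the group whose Object ID was entered as the IDP Id")
    return problems
```

Run it against a real assertion captured from a browser SAML trace to see why a login lands without the expected role before changing the claim configuration.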
IdP Initiated flow lets you connect directly to Infinity Portal from your Azure portal. To do this, you must create an Infinity Portal app card in your Azure portal. See the Microsoft Entra ID documentation for App integrations.
Step 1: In the Infinity Portal, enable IdP Initiated flow:
In the IdP Integration Allow Connectivity step, select the checkbox Enable IdP initiated flow.
Step 2: Copy the IdP Settings from the Infinity Portal to the Azure Portal:
- In the Azure portal > Single sign-on tab > Basic SAML Configuration section, click Edit.
- Copy the Sign on URL from the Infinity Portal to the Sign on URL field in the Azure portal.
- Copy the Relay State from the Infinity Portal to the Relay State field in the Azure portal.
- In the Azure portal, click Save.
- In the Infinity Portal, click Next/Apply.
Important - Before you can test the connectivity between Microsoft Entra ID and the Infinity Portal, you must complete all of the IdP integration steps in the Infinity Portal.
In this step, you upload the federation metadata XML file.
- In the Azure portal, navigate to the enterprise application you created.
- In the left navigation pane, click Single Sign-On.
- In SAML Signing Certificate, download the Federation Metadata XML file.
- In the Infinity Portal > IDP Integration > Configure Metadata page, upload the Federation Metadata XML file.
  Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the sites.
- In the Infinity Portal > IDP Integration > Configure Metadata tab, click Next / Apply.
  Check Point validates your Identity Provider's metadata.
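An added example, not from the page, of inspecting the downloaded Federation Metadata XML before uploading it: it extracts the entityID and the SingleSignOnService endpoints, flags metadata with no usable signing certificate or no HTTPS endpoint, and records a SHA-256 fingerprint of each signing certificate so you can tell later which certificate the portal trusts. The metadata is a constructed stand-in and the certificate bytes are a placeholder, not a real X.509 certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed stand-in for the file downloaded under SAML Signing Certificate;
# the certificate bytes are a placeholder, not a real X.509 certificate.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def inspect_metadata(xml_text):
    """Summarize IdP metadata and list problems that would make it unusable for SSO."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "sso": {}, "signing_fingerprints": [], "problems": []}
    if not info["entity_id"]:
        info["problems"].append("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        info["problems"].append("no IDPSSODescriptor: this is not identity provider metadata")
        return info
    for sso in idp.iterfind("md:SingleSignOnService", NS):
        info["sso"][sso.get("Binding", "").rsplit(":", 1)[-1]] = sso.get("Location")
    if not any((loc or "").startswith("https://") for loc in info["sso"].values()):
        info["problems"].append("no HTTPS SingleSignOnService endpoint")
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys do not verify assertions
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            info["signing_fingerprints"].append(hashlib.sha256(der).hexdigest())
    if not info["signing_fingerprints"]:
        info["problems"].append("no signing certificate: assertions could not be verified")
    return info
```

When Azure rotates the SAML signing certificate, re-run this on the new download and compare fingerprints before uploading it again.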
To use Azure for SSO authentication only, select the checkbox I want to skip this step and use this IdP for SSO authentication only.
Directory Integration pulls information about users and groups for the services you selected in the Integration Type step > Service(s) Integration section. Directory Integration does not apply to Users and User Groups in the Infinity Portal.
Important - After you create a Directory Integration, you cannot change it. To create a different Directory Integration, you must create a new Identity Provider (IdP) Integration.
You can manage user identity data with Manual API Sync or with System for Cross-Domain Identity Management (SCIM).

| Directory Integration Method | How it Works | Which Users and Groups are Synced |
|---|---|---|
| Manual Sync | Allows Check Point services to query for any change in Microsoft Entra ID users and groups. The Infinity Portal pulls users and groups from Microsoft Entra ID. | All users and groups in Microsoft Entra ID. |
| SCIM | Allows Microsoft Entra ID to push any change in the user and group directory to Check Point services. | Only users and groups in Microsoft Entra ID that are assigned to the SAML application for the Infinity Portal. |
Select relevant users and groups:
- In the Azure portal, navigate to the enterprise application you created and click Users and groups.
- Click Add user/group.
- In Users and groups, select the required users or groups and click Select.
- Click Assign.
Set up users and groups synchronization:
Set up permissions to allow the selection of users and user groups from your Microsoft Entra ID in the Infinity Portal Policy.
- In the Azure portal, click App Registration.
- Create a new App Registration.
- Click API permissions.
- In Configured permissions, click Add a permission.
  The Request API permissions window opens.
- In Microsoft APIs, click Microsoft Graph and select Application permissions.
- In Select permissions, in the search field, enter Group, select Group.Read.All and click Add permissions.
- In Select permissions, in the search field, enter User, select User.Read.All and click Add permissions.
- Optional - Set up synchronization for device information. In Select permissions, in the search field, enter Device, select Device.Read.All and click Add permissions.
- In Configured permissions, click Grant admin consent for <application name>.
  The Status changes accordingly.
- Create an authentication secret key:
  - In the Azure portal, open your app and click Certificates & secrets.
  - Under Client secrets, click New client secret.
  - In the Description field, enter a description for the client secret.
  - Select an expiration date and click Add.
  - From the Value field, copy the value of this new client secret.
    Use this value in the next configuration step.
    Note - You cannot retrieve this secret value after you close the window.
- Configure the Infinity Portal IdP:
  - In the Azure Portal, open your app. Click Overview and select Essentials.
  - Copy the values of the Application (client) ID and Directory (tenant) ID.
  - In the Identity Provider wizard, paste the values of the Application (client) ID, Directory (tenant) ID, and Client Secret created in the previous step and click Next.
  - To test the users and group synchronization between the Infinity Portal and Identity Provider, click Test Connectivity.
    If the test is unsuccessful, repeat the Set Directory Integration step to configure the user and group synchronization parameters.
  - Click Next.
    Check Point validates access with the API key.
Prerequisites:
- Before you start the IdP integration, in the Infinity Portal create a user group with an Admin global role. See Users.
- Administrator permissions for the IdP.
- An existing Active Directory (AD) and a Premium P2 Azure subscription.
Step 1 - Configure the Directory Integration in the Infinity Portal:
- In the Infinity Portal go to > Identity & Access > and below Identity Providers click the plus icon.
- In the Set Directory Integration step, select Automatic Sync SCIM.
- Copy and save the SCIM API Token and URL.
- Click Next.
- To save, click Submit.
Step 2 - Configure the Application Integration in the Microsoft Entra ID Portal:
- In your Microsoft Azure account, navigate to Microsoft Entra ID.
- From the left toolbar, click Enterprise Applications.
  The Enterprise Applications page opens to the Manage > All applications tab.
- In the table, open the enterprise application you created for the Infinity Portal.
- From the left toolbar > Manage section, click Provisioning.
  The Provisioning page opens to the Overview tab.
- From the top toolbar, click Edit provisioning.
  A new page opens.
- In the Admin Credentials section:
  - In the Tenant URL field, enter the URL from the Infinity Portal's Set Directory Integration step.
  - In the Secret Token field, enter the SCIM API Token from the Infinity Portal's Set Directory Integration step.
  - Click Test Connection.
- Click Save.
- In the Mappings section, click Provision Microsoft Entra ID Directory Users.
  The Attribute Mapping page opens.
- On the Attribute Mapping page:
  - In the Target Object Actions section, make sure these checkboxes are selected: Create, Update, Delete.
  - In the Attribute Mappings table, find the row with 'externalId' as the value in the customappsso Attribute column and click Edit.
    The Edit Attribute page opens.
  - In the Source attribute field, select objectId.
  - Click OK.
    The Edit Attribute window closes.
    The Attribute Mapping window opens.
  - Click Save.
    The Save changes confirmation window opens.
  - In the confirmation window, click Yes.
- From the top navigation toolbar, click [NAME OF APPLICATION] | Provisioning.
- Add Users/Groups as necessary.
- Click Start provisioning.
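Added example (not Check Point's code) of what the receiving SCIM endpoint has to verify for each provisioning request Entra sends after the steps above: the Secret Token presented as a bearer token (compared in constant time, an added practice rather than anything the page states), and an externalId that is an objectId GUID, which is what the externalId mapping step produces. The token, the user body and the in-memory store are constructed stand-ins.

```python
import hmac
import json
import re

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# Constructed stand-in for the SCIM API Token copied in the Set Directory Integration step.
SCIM_API_TOKEN = "constructed-scim-token-not-a-real-value"
USERS = {}  # externalId -> provisioned user; stands in for the service's directory store

# Constructed body of the kind Entra provisioning POSTs to /Users once externalId maps to objectId.
SAMPLE_POST = json.dumps({
    "schemas": [SCIM_USER],
    "externalId": "9e1d3b2a-1111-4c2d-8e3f-0a1b2c3d4e5f",
    "userName": "alice@example.com",
    "active": True,
    "name": {"givenName": "Alice", "familyName": "Example"},
})

def handle_user_post(headers, body):
    """Check the request the way the SCIM endpoint must; return (HTTP status, detail)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # Constant-time comparison so the token check does not leak through timing.
    if scheme != "Bearer" or not hmac.compare_digest(token, SCIM_API_TOKEN):
        return 401, "missing or invalid Secret Token"
    try:
        user = json.loads(body)
    except json.JSONDecodeError:
        return 400, "body is not JSON"
    if SCIM_USER not in user.get("schemas", []):
        return 400, "not a SCIM 2.0 User resource"
    ext = user.get("externalId", "")
    # The mapping step sets externalId from objectId, so anything but a GUID means the mapping is wrong.
    if not GUID.match(ext):
        return 400, "externalId is not an Entra objectId; check the externalId attribute mapping"
    if not user.get("userName"):
        return 400, "userName is required"
    if ext in USERS:
        return 409, "user already provisioned"  # SCIM uniqueness conflict
    USERS[ext] = user
    return 201, ext
```

A 401 here is what Test Connection in the Admin Credentials section reports when the Secret Token was pasted incorrectly; a 400 on externalId points at the objectId mapping rather than at credentials.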
Review the details of the SSO configuration and click Submit.
Note - If you selected SCIM, this step is not necessary.
Important - Before you log out, create a user group with the applicable roles and assign it to the related IdP group name or ID. Whether the group name or the ID is used depends on the identity provider. For more information, see User Groups.