Okta

Configure settings in the Infinity Portal IdP Integration wizard and in the Okta portal to set up Single Sign-On (SSO) authentication with Okta. SSO is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications.
- In the Infinity Portal, go to > Identity & Access and click the plus (+) icon.
- Enter a name for the Integration Title and select Okta.
- To continue, click Next.
In this step, you can configure SSO authentication for Infinity Portal administrators and for end users of Check Point services.
- Select Enable Administrators to log in to the portal using this IdP.
- Select one of these options:
  - One organizational account - Infinity Portal Administrators can log into this Infinity Portal account with SSO from the Identity Provider (IdP or IDP: a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network). Administrators log in through the Infinity Portal login page.
  - One or more organizational accounts - Infinity Portal Administrators can log in with SSO from the Identity Provider for multiple Infinity Portal accounts. Administrators log in through the URL that shows in the box.
- Do one of these actions:
  - Continue to the Service(s) Integration section.
  - Click Next / Apply to complete the Integration Type configuration.
- In the Service(s) Integration section, select one of these options:
  - No Services - There is no SSO authentication from the Identity Provider for end users of Check Point services. This is the default configuration.
  - All Services - End users can log in with SSO from the Identity Provider for all Check Point services that support SSO.
  - Specific Service(s) - A list of services opens. Select the service(s) for which you want end users to log in with SSO from the Identity Provider. Available services:
    - Harmony Connect
    - Quantum Gateways
- Click Next / Apply to complete the Integration Type configuration.
Note - If you select One or more organizational accounts, this step is not necessary.

On the Verify Domain page, enter your organization's domain.
- To verify ownership of your domain, add the record Value to your public DNS Server.
- Enter the email domains your company uses for authenticating with Okta. Your company's users are directed to Okta based on the domain they used to log in.
This video shows you how to complete the Allow Connectivity step in the IdP Configuration Wizard and create an Okta application for the Infinity Portal. To finish the integration of Okta with the Infinity Portal, you must complete the IdP configuration wizard in the Infinity Portal.

Important - Keep the Infinity Portal Okta integration wizard and the Okta portal open during this whole procedure. Make sure they do not time out.
- Log in to your Okta Portal.
- Click the hamburger button.
- From the left taskbar, click Applications > Applications. The Applications screen opens.
- Click Create App Integration. The Create a new app integration window opens.
- Select SAML 2.0 and click Next. The Create SAML Integration window opens.
- In the General Settings tab > App name field, set the application name to Check Point Infinity Portal and click Next. The Configure SAML tab opens.
- In the Okta Portal > Configure SAML tab > SAML Settings menu > General section, configure the SAML settings:
  - Copy the Reply URL from the Infinity Portal to the Single sign-on URL field in the Okta Portal.
  - In the Okta Portal, make sure that Use this for Recipient URL and Destination URL is selected. This option is selected by default.
  - Copy the Entity ID from the Infinity Portal to the Audience URI (SP Entity ID) field in the Okta Portal.
  - In the Okta Portal > Name ID format field, select EmailAddress.
  - In the Okta Portal > SAML Settings section > Application username field, make sure that Okta username is selected.
- If you do not want to enable IdP Initiated Flow, at the bottom of the page click Next.

IdP Initiated flow lets you connect directly to the Infinity Portal from the Okta portal. To do this, you must create an Infinity Portal app card in the Okta portal. See the Okta documentation for App integrations.
- Step 1: In the Infinity Portal, enable IdP Initiated flow: in the IdP Integration Allow Connectivity step, select the checkbox Enable IdP initiated flow.
- Step 2: In your Okta account, configure the IdP settings: copy the Relay State from the Infinity Portal to the Default Relay State field in the Okta Portal.
- At the bottom of the page, click Next.

Important - Before you can test the connectivity between Okta and the Infinity Portal, you must complete all of the IdP integration steps in the Infinity Portal.
In the SAML Settings menu > Attribute Statements section, create these attribute statements:

Name | Name format | Value
---|---|---
firstName | unspecified | user.firstName
lastName | unspecified | user.lastName
userId | unspecified | user.id

In the SAML Settings menu > Group Attribute Statements section, create this group attribute statement:

Name | Name format | Filter | Value (the field has no label)
---|---|---|---
groups | Basic | Matches regex | .*
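Before you test connectivity, it helps to confirm that the assertion Okta issues actually carries the three attribute statements and the groups statement configured above, with the NameID in EmailAddress format. The following Python script is an added example (not Check Point's or Okta's code): it parses a constructed assertion, reports what is missing, and shows what the Matches regex group filter does to the groups list. The assertion, issuer and ids are placeholders, and filter_groups() only approximates Okta's filter semantics with re.search.

```python
"""Check a SAML assertion against the attribute statements configured above.

Added example, not code from Check Point or Okta. SAMPLE_ASSERTION is a
constructed assertion (not one captured from a real Okta tenant), and
filter_groups() only approximates Okta's 'Matches regex' group filter.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ATTR_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
ATTR_UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
REQUIRED_ATTRS = {"firstName", "lastName", "userId"}  # the three attribute statements


def filter_groups(groups, pattern):
    """Approximation of Okta's 'Matches regex' filter: only group names matching
    the pattern are placed in the 'groups' attribute. '.*' (as configured above)
    sends every group the user belongs to; a narrower pattern limits what the
    Infinity Portal sees to the groups it actually needs for role mapping."""
    rx = re.compile(pattern)
    return [g for g in groups if rx.search(g)]


def parse_assertion(xml_text):
    """Return NameID, its Format, and a {Name: [values]} map of attributes.
    Accepts either a bare Assertion or a Response wrapping one."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    name_id = assertion.find("./saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return {
        "name_id": None if name_id is None else (name_id.text or "").strip(),
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": attrs,
    }


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the assertion carries
    everything the configuration on this page asks Okta to send."""
    info = parse_assertion(xml_text)
    problems = []
    if info["name_id_format"] != NAMEID_EMAIL:
        problems.append(f"NameID format is {info['name_id_format']!r}, expected EmailAddress")
    for name in sorted(REQUIRED_ATTRS - set(info["attributes"])):
        problems.append(f"missing attribute statement {name}")
    if not info["attributes"].get("groups"):
        problems.append("groups attribute absent or empty: the portal cannot map the user to a User Group")
    return problems


# Constructed assertion in the shape Okta produces for the statements above.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{NAMEID_EMAIL}">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName" NameFormat="{ATTR_UNSPEC}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName" NameFormat="{ATTR_UNSPEC}"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userId" NameFormat="{ATTR_UNSPEC}"><saml:AttributeValue>00uPLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="{ATTR_BASIC}">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>InfinityPortalAdmins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(parse_assertion(SAMPLE_ASSERTION))
    print("problems:", check_assertion(SAMPLE_ASSERTION))
    print("groups after a narrower filter:", filter_groups(["Everyone", "InfinityPortalAdmins"], "^InfinityPortal"))
```

To run it against a real login, decode the base64 SAMLResponse from the browser's network trace and pass the XML to check_assertion(); an empty list means the Okta side matches the table above. The filter_groups() call shows why a narrower regex than .* is worth considering once you know which group names the Infinity Portal User Group mapping needs.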
Click Next. The Feedback tab opens.

Important - Copy the name of the assigned group for use with the Check Point Infinity Portal User Group IdP ID field.

Select I'm an Okta customer adding an internal app and then click Finish.
On the Configure page, upload the metadata from Okta to the Infinity Portal.
- In the Okta Portal, open the application you created for the Infinity Portal:
  - Open the Sign On tab.
  - In the SAML Signing Certificates section > table row of the active SAML certificate, click Actions > View IdP Metadata. A new window opens with the metadata.
  - Save the metadata in a new file named InfinityPortalOktaMetaData.XML.
- In the Infinity Portal, click Select File and upload the metadata XML file.
  Note - Check Point uses the service URL and the name of your Certificate to identify your users behind the sites.
- Click Next / Apply. Check Point verifies the metadata for Okta.
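The metadata file is what the Infinity Portal uses to verify signatures on Okta's assertions, so it is worth inspecting InfinityPortalOktaMetaData.XML before uploading it: the wrong descriptor type (SP instead of IdP metadata), a missing signing certificate, or a second certificate left over from a rotation are the usual reasons the verification step fails. The following Python script is an added example (not Check Point's or Okta's code) that does this check offline. Its SAMPLE_METADATA document is constructed, the entityID and URLs are placeholders, and the certificate body is a placeholder DER blob rather than a real Okta certificate.

```python
"""Inspect the IdP metadata saved from Okta before uploading it to the Infinity Portal.

Added example, not Check Point's or Okta's code. SAMPLE_METADATA is a constructed
document in the shape of SAML 2.0 IdP metadata; the certificate body is a
placeholder DER blob, not a real Okta signing certificate.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def inspect_metadata(xml_text):
    """Pull out the fields the upload depends on: entityID, sign-on URLs, NameID formats,
    and the DER bytes of every signing certificate published in the file."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file is not IdP metadata (SP metadata saved by mistake?)")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert_el = kd.find(".//ds:X509Certificate", NS)
        if cert_el is None or not (cert_el.text or "").strip():
            continue
        certs.append(base64.b64decode("".join(cert_el.text.split()), validate=True))
    return {"entity_id": root.get("entityID"), "sso_post": sso.get(POST_BINDING),
            "name_id_formats": formats, "signing_certs": certs}


def check_metadata(xml_text):
    """Return a list of problems; empty means the file looks like usable Okta IdP metadata."""
    info = inspect_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("entityID missing")
    if not info["sso_post"]:
        problems.append("no SingleSignOnService with HTTP-POST binding")
    elif not info["sso_post"].startswith("https://"):
        problems.append(f"HTTP-POST sign-on URL is not https: {info['sso_post']}")
    if NAMEID_EMAIL not in info["name_id_formats"]:
        problems.append("emailAddress NameID format not advertised; check the Name ID format setting in Okta")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertions cannot be verified")
    elif len(info["signing_certs"]) > 1:
        problems.append("more than one signing certificate published; confirm which one is active in Okta")
    for der in info["signing_certs"]:
        if der[:1] != b"\x30":  # a DER Certificate always starts with a SEQUENCE tag
            problems.append("X509Certificate body does not decode to a DER certificate")
    return problems


# Placeholder DER bytes (a bare SEQUENCE), base64-encoded like a real certificate body.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x06\x02\x01\x01\x02\x01\x02").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_EMAIL}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://example.okta.com/app/constructed/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.okta.com/app/constructed/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = inspect_metadata(text)
    print(info["entity_id"], info["sso_post"], f"{len(info['signing_certs'])} signing cert(s)")
    print("problems:", check_metadata(text))
```

Run it as python check_metadata.py InfinityPortalOktaMetaData.XML; the entityID it prints is the Okta issuer the portal will trust, and the "more than one signing certificate" warning is the case to watch when Okta is mid-way through a certificate rotation.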
- In the Okta Portal, open the application you created for the Infinity Portal.
- In the Assignments tab, click Assign > Assign to groups.
- Select the relevant group from the list.

To use Okta for SSO authentication only, select the checkbox I want to skip this step and use this IdP for SSO authentication only.
Directory Integration pulls information about users and groups for the services you selected in the Integration Type step > Service(s) Integration section. Directory Integration does not apply to Users and User Groups in the Infinity Portal.

Important - After you create a Directory Integration, you cannot change it. To create a different Directory Integration, you must create a new Identity Provider (IdP) Integration.

Select one of these ways to manage user identity data: Manual API Sync or System for Cross-Domain Identity Management (SCIM) with Okta.

Directory Integration Method | How it Works | Which Users and Groups are Synced
---|---|---
Manual Sync | Allows Check Point services to query for any change in Okta users and groups. The Infinity Portal pulls users and groups from Okta. | All users and groups in Okta.
SCIM | Allows Okta to push any change in the user and group directory to Check Point services. | Only users and groups in Okta that are assigned to the SAML application for the Infinity Portal.
Prerequisites:
- An Okta account with Super Administrator permissions.
- Set up permissions to allow selection of users and user groups from your Okta directory in the Infinity Portal Policy.

- In the Set Directory Integration step, select Manual API Sync and enter the details from your Okta account.
- In the Okta Portal, check your Okta domain. Usually, this name appears in the address bar and in your account name.
- Click the icon to the right of the Okta domain name to copy it.
- Paste the Okta domain name in the Okta Domain field on the Set Directory Integration page of the Identity Provider wizard.
- Back in the Okta Portal, navigate to Security > API > Tokens and click Create Token.
- In the window that opens, enter the token name and click Create Token. The window shows the Token Value. Copy it now; otherwise you can lose it.
- Click the icon to the right of the Token Value to copy it to the clipboard.
  Best Practice - Check Point recommends that you save the Token Value in a separate, secured file so that you can retrieve it when it is required.
- In the Infinity Portal Identity Provider wizard, on the Set Directory Integration page, paste the Token Value into the API Token Value field.
- To test the users and group synchronization between the Infinity Portal and the IdP, click Test Connectivity. If the test is unsuccessful, repeat the Set Directory Integration step to configure the user and group synchronization parameters.
- Click Next.
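The Manual Sync row of the table above describes a pull: the Infinity Portal side calls the Okta API with the token you just created and pages through users and groups. The following Python script is an added example (not Check Point's or Okta's code) that models that direction offline, so you can see what the token is used for, why it must be kept in a secured file, and what a rejected token looks like. The transport returns constructed responses instead of contacting Okta; the domain, token value, user and group ids are placeholders. The SSWS authorization scheme, the /api/v1/users and /api/v1/groups endpoints, and Link-header pagination are standard Okta API behaviour.

```python
"""Offline model of the Manual API Sync pull direction.

Added example, not Check Point's or Okta's code. The transport below returns
constructed responses instead of contacting Okta; domain, token and ids are
placeholders.
"""
import json
import os
import re
import stat


def load_token(path):
    """Read the token from the separate, secured file recommended above, refusing
    files that other users can read: the token carries Super Administrator rights."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/other; chmod 600 it first")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def normalize_domain(value):
    """Accept what was copied from the Okta address bar and reduce it to a bare host."""
    host = re.sub(r"^https?://", "", value.strip()).split("/")[0]
    if not host or " " in host or ":" in host:
        raise ValueError(f"not an Okta domain name: {value!r}")
    return host


def next_link(link_header):
    """Okta pages results with Link headers (joined with commas when a client
    merges several); return the rel="next" URL or None on the last page."""
    for m in re.finditer(r'<([^>]+)>;\s*rel="([^"]+)"', link_header or ""):
        if m.group(2) == "next":
            return m.group(1)
    return None


class OktaPullClient:
    def __init__(self, okta_domain, api_token, transport):
        self.base = f"https://{normalize_domain(okta_domain)}"
        # Okta API tokens are sent with the SSWS authorization scheme.
        self.headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
        self._get = transport  # callable(url, headers) -> (status, response_headers, body_text)

    def _paged(self, url):
        items = []
        while url:
            status, resp_headers, body = self._get(url, self.headers)
            if status == 401:
                raise PermissionError("Okta rejected the API token (wrong domain, revoked, or expired)")
            if status != 200:
                raise RuntimeError(f"unexpected HTTP {status} from {url}")
            items.extend(json.loads(body))
            url = next_link(resp_headers.get("Link"))
        return items

    def users(self):
        return self._paged(f"{self.base}/api/v1/users?limit=200")

    def groups(self):
        return self._paged(f"{self.base}/api/v1/groups?limit=200")


# Constructed stand-in for the Okta API: two pages of users, one page of groups.
PLACEHOLDER_TOKEN = "00placeholder-token-value"
_BASE = "https://example.okta.com"
_RESPONSES = {
    f"{_BASE}/api/v1/users?limit=200": (
        {"Link": f'<{_BASE}/api/v1/users?limit=200>; rel="self", <{_BASE}/api/v1/users?after=00uPAGE2&limit=200>; rel="next"'},
        [{"id": "00uA", "status": "ACTIVE", "profile": {"login": "alice@example.com"}},
         {"id": "00uB", "status": "DEPROVISIONED", "profile": {"login": "bob@example.com"}}],
    ),
    f"{_BASE}/api/v1/users?after=00uPAGE2&limit=200": (
        {"Link": f'<{_BASE}/api/v1/users?after=00uPAGE2&limit=200>; rel="self"'},
        [{"id": "00uC", "status": "ACTIVE", "profile": {"login": "carol@example.com"}}],
    ),
    f"{_BASE}/api/v1/groups?limit=200": (
        {}, [{"id": "00gA", "profile": {"name": "Everyone"}}, {"id": "00gB", "profile": {"name": "InfinityPortalAdmins"}}],
    ),
}


def constructed_transport(url, headers):
    """Fake HTTP GET: checks the SSWS token and serves the constructed pages."""
    if headers.get("Authorization") != f"SSWS {PLACEHOLDER_TOKEN}":
        return 401, {}, json.dumps({"errorSummary": "constructed: invalid token"})
    resp_headers, body = _RESPONSES[url]
    return 200, resp_headers, json.dumps(body)


def active_logins(client):
    """Only ACTIVE users are worth importing; DEPROVISIONED ones stay out of the policy."""
    return sorted(u["profile"]["login"] for u in client.users() if u["status"] == "ACTIVE")


if __name__ == "__main__":
    client = OktaPullClient("https://example.okta.com/", PLACEHOLDER_TOKEN, constructed_transport)
    print("active users:", active_logins(client))
    print("groups:", [g["profile"]["name"] for g in client.groups()])
```

To exercise it against a real tenant, replace constructed_transport with a function that performs the HTTPS GET and returns (status, headers, body), and feed it the value from load_token(). The 401 branch is what "Test Connectivity" failing on the Set Directory Integration page most often corresponds to: a token pasted for the wrong Okta domain, or one that was revoked.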
Prerequisites
- Before you start the IdP integration, in the Infinity Portal create a user group with an Admin global role. See Users.
- An account with administrator permissions and a SCIM provisioning subscription.

Step 1 - Configure the Directory Integration in the Infinity Portal:
- In the Set Directory Integration step, select Automatic Sync SCIM.
- Copy and save the SCIM API Token and URL.
- Click Next.
- To save, click Submit.

Step 2 - Configure the Application Integration in the Okta Admin Console:
- Navigate to your Okta account and go to Applications.
- In the Okta Admin Console, set up the SCIM settings:
  - From the top toolbar, select General and then select the checkbox Enable SCIM provisioning.
  - From the top toolbar, select Provisioning > Integration and configure the settings as follows:
    - SCIM connector base URL - Use the URL from the Infinity Portal's Set Directory Integration step.
    - Unique identifier field for users - Enter userName.
    - Supported provisioning actions - Select these checkboxes:
      - Push New Users
      - Push Profile Updates
      - Push Groups
    - Authentication Mode - From the drop-down list, select HTTP Header and paste the API token.
  - Click Test Connector Configuration.
    Important - To test connectivity, you must first complete Step 1 (Configure the Directory Integration in the Infinity Portal) in its entirety.
    If the integration is configured correctly, the Test Connector Configuration window shows Connector configured successfully.
  - From the top toolbar, select Provisioning, and under Settings select To App. Then enable each of these settings:
    - Create Users
    - Update User Attributes
    - Deactivate Users
  - Click Save.
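The SCIM row of the table above is a push: Okta sends create, update and deactivate events to the SCIM connector base URL, authenticating every call with the API token in an HTTP header and looking users up by userName before it pushes. The following Python class is an added example (not Check Point's or Okta's code): an in-memory stand-in for the receiving side that shows what the Unique identifier, Authentication Mode and To App settings mean in terms of requests. The token, paths and user records are constructed placeholders; whether Okta deactivates with PATCH or PUT depends on connector capabilities, so both are handled.

```python
"""In-memory stand-in for the SCIM endpoint that the Okta provisioning settings drive.

Added example, not Check Point's or Okta's code. Token, base path and user data
are constructed placeholders. Okta's choice of PATCH versus PUT for updates and
deactivation depends on connector capabilities, so both are modelled.
"""
import re
from urllib.parse import urlsplit, parse_qs

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail, scim_type=None):
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimStore:
    def __init__(self, api_token):
        self._token = api_token
        self.users = {}      # id -> resource; userName is the unique identifier Okta configures
        self._next_id = 1

    def _authorized(self, headers):
        # Authentication Mode = HTTP Header: the token travels as a Bearer credential on every call.
        return headers.get("Authorization") == f"Bearer {self._token}"

    def _find_by_user_name(self, user_name):
        return next((u for u in self.users.values() if u["userName"] == user_name), None)

    def handle(self, method, url, headers, body=None):
        """Dispatch one request; returns (status, json_body)."""
        if not self._authorized(headers):
            return scim_error(401, "invalid or missing bearer token")
        parts = urlsplit(url)
        segs = parts.path.strip("/").split("/")
        if segs[0] != "Users":
            return scim_error(404, "unsupported resource")
        if method == "GET" and len(segs) == 1:
            # Okta checks 'userName eq "..."' before creating, because userName is the unique identifier.
            flt = parse_qs(parts.query).get("filter", [""])[0]
            m = re.fullmatch(r'userName eq "([^"]*)"', flt)
            found = self._find_by_user_name(m.group(1)) if m else None
            resources = [found] if found else []
            return 200, {"schemas": [SCIM_LIST], "totalResults": len(resources), "Resources": resources}
        if method == "POST" and len(segs) == 1:                    # Create Users
            if self._find_by_user_name(body["userName"]):
                return scim_error(409, "userName already exists", "uniqueness")
            res = {"schemas": [SCIM_USER], "active": True, **body, "id": str(self._next_id)}
            self._next_id += 1
            self.users[res["id"]] = res
            return 201, res
        if len(segs) == 2:
            res = self.users.get(segs[1])
            if res is None:
                return scim_error(404, "user not found")
            if method == "GET":
                return 200, res
            if method == "PUT":                                    # Update User Attributes (full replace)
                res.clear()
                res.update(body)
                res["id"] = segs[1]
                return 200, res
            if method == "PATCH":                                  # Update or Deactivate via PatchOp
                for op in body.get("Operations", []):
                    if op.get("op", "").lower() != "replace":
                        return scim_error(400, "only replace is modelled here", "invalidValue")
                    if "path" in op:
                        res[op["path"]] = op["value"]
                    else:
                        res.update(op["value"])
                return 200, res
        return scim_error(405, "unsupported method or path")

    def active_user_names(self):
        """What the receiving side would let through: only users still marked active."""
        return sorted(u["userName"] for u in self.users.values() if u.get("active"))
```

The sequence Okta follows for a newly assigned user is GET /Users?filter=userName eq "..." (no match), then POST /Users; unassigning the user later arrives as a PATCH or PUT that sets active to false, which is why Deactivate Users must be enabled for removals in Okta to take effect on the Check Point side. The 401 path is what you hit if the HTTP Header token was pasted incorrectly, and it is also the check that stops anyone who knows only the SCIM base URL from pushing accounts.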
Confirm Identity Provider Integration

Review the details of the SSO configuration and click Submit.

Note - If you selected SCIM, this step is not necessary.

Important - Before you log out, create a user group with the applicable roles and assign it to the related IdP group name or ID (which of the two applies depends on the identity provider). For more information, see User Groups.