OneLogin
Use these steps to configure SSO (Single Sign-On) authentication with OneLogin. Single Sign-On is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications.
- In the Infinity Portal, go to Identity & Access and click the plus icon.
- Enter a name for the Integration Title and select OneLogin.
- Click Next.
In this step, you can configure SSO authentication for Infinity Portal administrators and for end users of Check Point services.
- Select Enable Administrators to log in to the portal using this IdP.
- Select one of these options:
  - One organizational account - Infinity Portal Administrators can log into this Infinity Portal account with SSO from the Identity Provider (IdP: a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network). Administrators log in through the Infinity Portal login page.
  - One or more organizational accounts - Infinity Portal Administrators can log in with SSO from the Identity Provider for multiple Infinity Portal accounts. Administrators log in through the URL that shows in the box.
- Do one of these actions:
  - Continue to the Service(s) Integration section.
  - Click Next / Apply to complete the Integration Type configuration.
- In the Service(s) Integration section, select one of these options:
  - No Services - There is no SSO authentication from the Identity Provider for end users of Check Point services. This is the default configuration.
  - All Services - End users can log in with SSO from the Identity Provider for all Check Point services that support SSO.
  - Specific Service(s) - A list of services opens. Select the service(s) for which you want end users to log in with SSO from the Identity Provider. Available services:
    - Harmony Connect
    - Quantum Gateways
- Click Next / Apply to complete the Integration Type configuration.
Note - If you select One or more organizational accounts, this step is not necessary.
- The DNS record is generated. Click to copy the generated DNS record value.
- Add the generated DNS record to your DNS server as a TXT record.
- Below Domain(s), enter your organization's domain and click the plus icon.
  Check Point makes a DNS query to verify your domain configuration.
- Click Next.
  Note - Wait until the DNS record is propagated and can be resolved.
- Log in to your OneLogin account and select Administration to switch to admin mode.
- Below the Applications tab, select Application and click Add App.
- In the search box, select SAML Test Connector (Advanced).
- In the Info tab, enter:
  Display Name - Check Point Infinity Portal.
- Click Save.
- On the Allow Connectivity page, copy the Entity ID and the Reply URL.
- Complete the settings for the OneLogin application. Go to the Configuration tab and enter this information:
  - Audience (EntityID) - The Entity ID you copied from the Check Point Infinity Portal.
  - ACS (Consumer) URL* - The Reply URL you copied from the Check Point Infinity Portal.
  - ACS (Consumer) URL Validator* - The Reply URL domain with each forward slash escaped by a backslash, because OneLogin evaluates this field as a regular expression. For example:
    https:\/\/cloudinfra-gw.portal.checkpoint.com\/
- Click Save.
- Go to the Check Point Infinity Portal. On the Allow Connectivity page, click Next.
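The ACS (Consumer) URL Validator is the IdP-side control that keeps OneLogin from posting assertions to an ACS URL other than the Infinity Portal Reply URL, so it is worth checking what the escaped pattern actually matches. The following Python is an added example, not Check Point's or OneLogin's code: it builds the validator from a Reply URL in the form the page shows, then runs it against a few constructed candidate URLs. The hostname is the one from the page's example; the path of REPLY_URL is assumed, since the page does not show the full Reply URL. It also escapes the dots in the hostname, which the page's example leaves unescaped; an unescaped dot matches any character, so escaping it makes the check slightly tighter.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: hostname taken from the page's validator example, path assumed.
REPLY_URL = "https://cloudinfra-gw.portal.checkpoint.com/example/acs"


def acs_url_validator(reply_url: str) -> str:
    """Build an 'ACS (Consumer) URL Validator' value from a Reply URL.

    The field is a regular expression, so the scheme-and-host prefix is written
    with every '/' as '\\/' (the form shown on the page) and every '.' as '\\.',
    and anchored at the start of the string with '^'.
    """
    parts = urlsplit(reply_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Reply URL must be an absolute https:// URL")
    prefix = f"https://{parts.hostname}/"
    return "^" + prefix.replace(".", r"\.").replace("/", r"\/")


def acs_url_allowed(validator: str, candidate_url: str) -> bool:
    """Emulate the IdP-side check: does a requested ACS URL match the validator?"""
    return re.search(validator, candidate_url) is not None


def validator_checks(validator: str) -> dict:
    """Run the validator against constructed candidate ACS URLs (True = accepted)."""
    return {
        # The real Reply URL and any other path on the same host are accepted.
        "own_reply_url": acs_url_allowed(validator, REPLY_URL),
        "same_host_other_path": acs_url_allowed(
            validator, "https://cloudinfra-gw.portal.checkpoint.com/other"),
        # A host that merely starts with the expected name is rejected because
        # the pattern requires '/' right after '.com'.
        "lookalike_suffix": acs_url_allowed(
            validator, "https://cloudinfra-gw.portal.checkpoint.com.example.net/acs"),
        # Escaping the dots means 'gwXportal' no longer matches 'gw.portal'.
        "dot_replaced": acs_url_allowed(
            validator, "https://cloudinfra-gwXportal.checkpoint.com/acs"),
        # The '^' anchor is what stops the expected host from matching when it
        # only appears inside another URL's query string.
        "host_in_query": acs_url_allowed(
            validator, "https://other.example/?u=https://cloudinfra-gw.portal.checkpoint.com/"),
        "host_in_query_unanchored": acs_url_allowed(
            validator.lstrip("^"), "https://other.example/?u=https://cloudinfra-gw.portal.checkpoint.com/"),
    }


if __name__ == "__main__":
    validator = acs_url_validator(REPLY_URL)
    print("validator:", validator)
    for name, accepted in validator_checks(validator).items():
        print(f"{name:26s} {'accepted' if accepted else 'rejected'}")
```

The `host_in_query_unanchored` case is the one to keep in mind when typing the validator by hand: without the leading `^`, the pattern is only required to occur somewhere in the candidate URL, not at its start.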
IdP Initiated lets you connect directly to Infinity Portal from your OneLogin Admin Console. To do this, you must create an Infinity Portal app card in your OneLogin Admin Console. See the OneLogin documentation.
Step 1: In Infinity Portal, enable the IdP Initiated flow:
- In the Infinity Portal > IdP Integration > Allow Connectivity step, select the checkbox Enable IDP initiated flow.
  The Relay State field appears.
Step 2: In your OneLogin account, configure the IdP settings:
- Navigate to your OneLogin Admin Console.
- Click Applications.
- Open the application object for the SAML connection to Infinity Portal. (SAML, Security Assertion Markup Language, is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.)
- From the left toolbar, click Configuration.
- In the Relay State field, enter the Relay State from Infinity Portal.
- Click Save.
Important - Before you can test the connectivity between OneLogin and Infinity Portal, you must complete all of the IdP integration steps in the Infinity Portal.
- In the OneLogin Portal, go to the Parameters tab and click Add parameter (+) to enter each value. For each parameter below, enter the Field Name, select Include in SAML assertion, and click Save; then set the Value and click Save again.
  - Field Name: groups - Value: User Roles
  - Field Name: firstName - Value: First Name
  - Field Name: lastName - Value: Last Name
  - Field Name: email - Value: Email
  - Field Name: userId - Value: Id
- Click Save.
- Go to Users > Roles, and click New Role to create user roles (groups).
- Enter the role name and click Save.
- Click the newly created role to edit it:
  - In the Applications tab, click (+), add the Check Point Infinity Portal application, and click Save.
  - Go to the Users tab to add users. In Check existing or add new users to this role, search for applicable users by their names, and click Check.
  - For each selected user, click Add To Role.
    The users show in Users Added Manually.
  - Click Save.
- Go to the Check Point Infinity Portal application and make sure the users are added.
  Note - Copy the name of the assigned group for use with the Check Point Infinity Portal User group IdP ID field.
- On the Configure Metadata page, download the Federation Metadata XML from the OneLogin Portal:
  - In your application, go to the Configuration tab > More Actions > SAML Metadata.
    The file downloads.
  - Upload the file to the Configure Metadata page in the Identity Provider Wizard.
    Note - Check Point uses the service URL and the name of your certificate to identify your users behind the sites.
- Click Next.
  Check Point verifies the metadata of your Identity Provider.
To use OneLogin for SSO authentication only, select the checkbox I want to skip this step and use this IdP for SSO authentication only.
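The parameters added on the OneLogin side (groups, firstName, lastName, email, userId), the Entity ID from the Allow Connectivity page and the IdP entityID carried in the uploaded metadata all come together in the SAML assertion the service provider receives. The Python below is an added example, not Check Point's or OneLogin's code, of the checks a service provider applies to such an assertion and of how the `groups` values map onto the "User group IdP ID" field mentioned in the note above: it parses a constructed assertion, confirms Issuer and Audience against expected values, confirms all five attributes are present, and resolves the IdP group names to portal user groups. The assertion, the entity IDs, the group names and GROUP_MAPPING are all constructed for the example. Signature validation, which a real service provider performs before trusting any of these values, is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The five attribute names are the OneLogin parameter Field Names from the page.
REQUIRED_ATTRIBUTES = ("groups", "firstName", "lastName", "email", "userId")

# Constructed sample assertion (not real traffic); all identifiers are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>EXAMPLE-INFINITY-PORTAL-ENTITY-ID</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>InfinityAdmins</saml:AttributeValue>
      <saml:AttributeValue>SecOps</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userId"><saml:AttributeValue>12345678</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed mapping: IdP group name (the "User group IdP ID" value) -> portal user group.
GROUP_MAPPING = {"InfinityAdmins": "Portal Admins"}


def parse_assertion(xml_text: str) -> dict:
    """Extract Issuer, Audience and the attribute statement from an assertion.

    xml.etree is used because it is in the standard library; for XML received
    from the network, a hardened parser such as defusedxml is the usual choice.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    audience = root.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name", "")] = values
    return {"issuer": issuer, "audience": audience, "attributes": attributes}


def check_assertion(parsed: dict, expected_issuer: str, expected_audience: str) -> list:
    """Return a list of problems; an empty list means the assertion is acceptable."""
    problems = []
    if parsed["issuer"] != expected_issuer:
        # expected_issuer is the IdP entityID from the uploaded Federation Metadata XML.
        problems.append(f"Issuer {parsed['issuer']!r} does not match the metadata entityID")
    if parsed["audience"] != expected_audience:
        # expected_audience is the Entity ID shown on the Allow Connectivity page.
        problems.append(f"Audience {parsed['audience']!r} does not match the Infinity Portal Entity ID")
    for name in REQUIRED_ATTRIBUTES:
        if not any(parsed["attributes"].get(name, [])):
            problems.append(f"required attribute {name!r} is missing or empty")
    return problems


def resolve_user_groups(idp_groups: list, group_mapping: dict) -> list:
    """Map 'groups' attribute values to portal user groups; unmapped names grant nothing."""
    return sorted({group_mapping[g] for g in idp_groups if g in group_mapping})


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("problems:", check_assertion(
        parsed, "https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID", "EXAMPLE-INFINITY-PORTAL-ENTITY-ID"))
    print("portal groups:", resolve_user_groups(parsed["attributes"]["groups"], GROUP_MAPPING))
```

A role created in OneLogin but not listed in GROUP_MAPPING resolves to no portal group, which is the behaviour you want: access follows the explicit group-to-role assignment, not the mere presence of a group name in the assertion.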
Directory Integration pulls information about users and groups for the services you selected in the Integration Type step > Service(s) Integration section. Directory Integration does not apply to Users and User Groups in the Infinity Portal.
Important - After you create a Directory Integration, you cannot change it. To create a different Directory Integration, you must create a new Identity Provider (IdP) Integration.
Directory Integration allows Check Point services to query for any change in OneLogin users and groups. The Infinity Portal pulls all users and groups from OneLogin.
- In OneLogin, log in to your admin account.
- From the menu bar, click Developers > API Credentials.
  The API Access page opens.
- Click New Credential.
  The Create new API credential window opens.
- Enter a name for the new API credential.
- Select Read all.
- Click Save.
  A window with the client credentials opens.
- Copy these values to a separate file:
  - Client ID
  - Client Secret
  Best Practice - Check Point recommends that you save the Token Value in a separate, secured file to retrieve it when necessary.
- In the Infinity Portal IdP wizard, do these steps:
  - Go to the Set Directory Integration page.
  - In the Client ID field, paste the Client ID you copied from OneLogin.
  - In the Client Secret field, paste the Client Secret you copied from OneLogin.
  - In the Sub Domain field, paste the part of the URL for your OneLogin account that comes before ".onelogin.com". Example: the Sub Domain for theGreatCompany.onelogin.com is "theGreatCompany".
- To test the user and group synchronization between the Infinity Portal and the IdP, click Test Connectivity.
  If the test is unsuccessful, repeat the Set Directory Integration step to configure the user and group synchronization parameters.
- Click Next.
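Two details in the Directory Integration steps are easy to get wrong: the Sub Domain value is the single label before ".onelogin.com", not the full hostname or URL, and the Client Secret is a long-lived API credential with "Read all" scope that the page tells you to keep in a separate, secured file. The Python below is an added example, not Check Point's or OneLogin's code. It derives the Sub Domain from whatever form of the account address was pasted, rejecting hosts that are not directly under onelogin.com, and loads the saved credentials while refusing a file that is readable by other users. The JSON file layout is constructed for this example (OneLogin does not export one), and the permission check assumes a POSIX file system.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlsplit

ONELOGIN_SUFFIX = ".onelogin.com"


def onelogin_subdomain(value: str) -> str:
    """Return the Sub Domain the wizard expects: the one label before '.onelogin.com'.

    Accepts a bare hostname ('theGreatCompany.onelogin.com', as on the page) or a
    full URL; rejects anything that is not exactly <label>.onelogin.com, so a
    lookalike such as 'x.onelogin.com.example.net' is not silently accepted.
    """
    value = value.strip()
    host = urlsplit(value).hostname if "://" in value else value.split("/")[0]
    if not host:
        raise ValueError("no hostname found")
    if not host.lower().endswith(ONELOGIN_SUFFIX):
        raise ValueError(f"{host!r} is not a *.onelogin.com host")
    sub = host[: -len(ONELOGIN_SUFFIX)]
    if not sub or "." in sub:
        raise ValueError(f"{host!r} must have exactly one label before {ONELOGIN_SUFFIX}")
    return sub


def load_api_credentials(path: str) -> dict:
    """Read the Client ID / Client Secret saved from OneLogin's API Access page.

    Constructed file format for this example:
      {"client_id": "...", "client_secret": "...", "subdomain": "theGreatCompany.onelogin.com"}
    Files readable by group or others are refused, so a secret copied to a shared
    location is caught before it is pasted into the wizard.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/others (mode {oct(mode)}); use chmod 600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    missing = [k for k in ("client_id", "client_secret", "subdomain") if not data.get(k)]
    if missing:
        raise ValueError(f"credential file is missing {missing}")
    return {
        "client_id": data["client_id"],
        "client_secret": data["client_secret"],
        "subdomain": onelogin_subdomain(data["subdomain"]),
    }


def demo_credential_file_checks() -> dict:
    """Write a constructed credential file in a temp dir and exercise both outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "onelogin-api.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"client_id": "EXAMPLE-CLIENT-ID",
                       "client_secret": "EXAMPLE-CLIENT-SECRET",
                       "subdomain": "theGreatCompany.onelogin.com"}, fh)
        os.chmod(path, 0o644)  # world-readable: must be refused
        try:
            load_api_credentials(path)
            results["world_readable_rejected"] = False
        except PermissionError:
            results["world_readable_rejected"] = True
        os.chmod(path, 0o600)  # owner-only: accepted
        results["subdomain"] = load_api_credentials(path)["subdomain"]
    return results


if __name__ == "__main__":
    print(onelogin_subdomain("theGreatCompany.onelogin.com"))
    print(demo_credential_file_checks())
```

Keeping the file owner-only and loading it at the moment you fill in the wizard, rather than leaving the Client Secret in a chat message or a ticket, is the practical form of the page's "separate, secured file" advice.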
- In a first-time configuration of OneLogin as an Identity Provider, in the Set Directory Integration step, select I want to skip this step and use this IdP for SSO authentication only.
- Click Next.
Review the details of the SSO configuration and click Submit.
Important - Before you log out, create a user group with the applicable roles and assign it to the related IdP group name or ID (which one applies depends on the identity provider). For more information, see User Groups.