Identity Providers

In Identity & Access, add an Identity ProviderClosed A system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. Acronym: IdP or IDP. (IdP) to authenticate your organization's users through Single Sign-On (SSOClosed Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications.). In addition, the use of an Identity Provider gives you the control to set permissions and policies based on the organization's identities. When logged in to the Infinity Portal, you get access through SSO to all of the different services offered through the portal, such as Harmony Endpoint, or Quantum Smart-1 Cloud.

Note - You can set a maximum of five different Identity Providers for each account.

How to Integrate with an Identity Provider

  1. Below Identity Providers, click the plus icon. The Integration wizard opens with list of Identity Providers.

  2. For the specific Identity Provider, go to SSO Authentication Setup with Identity Provider and open the instructions.

How to Change an Identity Provider Integration

  1. In the Infinity Portal, go to > Identity & Access.

  2. On the Identity Provider (IdP) card, click .

  3. Select one of these options:

    • Edit

      The IDP INTEGRATION window opens.

      You can edit configurations in the IDP INTEGRATION window. For more information, see the configuration instructions for the Identity Provider:

      Note - When you edit an IdP configuration, remote users are disconnected after you apply the changes.

    • Test Connectivity - Tests connectivity between the IdP and Check Point SSO authentication.

    • Disable SSO login - Stops the SSO. The existing SSO authentication details stay in the system. You can start the authentication again, if necessary.

    • Remove - Deletes the existing SSO authentication details. If you configure the SSO authentication with a different SSO provider, then Infinity Portal does not keep the former provider's details.

How to Regenerate a SCIM API Token

If you configured a SCIM API token and it is expired, near its expiration date, or lost, then regenerate the token.

  1. In the Infinity Portal go to > Identity & Access.

  2. On the relevant Identity Provider (IdP) card, click .

  3. Click Edit.

    The IDP INTEGRATION window opens.

  4. Open the Set Directory Integration tab.

  5. Click Regenerate Token.

    Important - After you click Regenerate token, Infinity Portal creates a new token that overwrites the existing token.

  6. Copy and save the SCIM API Token.

  7. Copy and save the URL.

  8. In a new browser tab, open the IdP's portal. Keep the Infinity Portal open.

  9. In the IDP's portal:

    1. Paste the URL from the Infinity Portal.

    2. Paste the SCIM API Token from the Infinity Portal.

    3. Test the connectivity.

    For details, see SCIM configuration instructions for Microsoft Entra ID or for Okta.

  10. In the Infinity Portal, click Apply.

Integration Type for an Identity Provider

A unique URL is a link to a specific web address (in this case, an Infinity Portal account). This URL is unique because it includes authentication information that allows the Infinity Portal to give or deny access based on a preconfigured IdP authentication procedure. If you have multiple Infinity Portal accounts, you may want to use the same IdP for all accounts to simplify user management. Alternatively, you may select to use a unique URL for specific accounts to provide additional security or control.

  • Your IdP is associated only with one Infinity Portal account.

  • Users log in through the Infinity Portal login page.

  • Require domain validation.

Without a unique URL, to log in to the Infinity Portal, users first enter a preconfigured domain (domain verification) that has been set up by the administrator. To validate the user's credentials, the portal sends them to the configured IdP. If the IdP authenticates the user, access to the Infinity Portal is given and the user is directed to the last opened account.

If the domain is configured with more than one IdP, the portal uses an IdP discovery page to validate the user.

  • Your IdP is associated only with multiple Infinity Portal accounts, which are managed separately.

  • Users can login to the Infinity Portal with the unique URL.

Unique URL removes the domain verification requirement from mandatory to optional. In addition, the unique URL gives users a direct link to a specific Infinity Portal account. To do this, the portal uses the IdP configured for the account.

In this illustration, users click a unique URL to get access to the ACME account, https://portal.checkpoint.com/signin/ACME. The portal then validates the user through the IdP configured for the account, in this case, Okta.

In addition, Infinity Portaladministrators or account managers can select one IdP to manage multiple accounts without domain verification. For instance, in this scenario, Okta serves as the IdP for three Infinity Portal accounts labeled as "a," "b," and "c." Even though each account uses Okta as its IdP, the login URLs for each account are distinct, which means that users must access each account through its unique URL

Notes:

  • When you log in with a unique URL, the authentication is only through SSO and not as a local user (as in username and password).

  • The unique URL for the login procedure is not dependent on domain verification.

Before you start

  • Make sure that you know how to set up an identity provider in the Infinity Portal, see SSO Authentication Setup with Identity Provider.

  • To add the same domain name for a new account is not allowed. When there is no selected domain name, the user can log in only through the unique URL, see SSO Authentication Setup with Identity Provider.

  • Existing Infinity Portal users can continue to log in through the Global URL (portal.checkpoint.com) as long as there is a domain configured. Or they can use the unique URL.

  1. In the Infinity Portal, go to > Identity & Access and select an Identity Provider.

    For specific IdP instructions, see SSO Authentication Setup with Identity Provider.

  2. In Step 2 Integration Type, select Login with a unique URL.

  3. Click to copy the unique URL. Make sure to save the URL.

  4. To continue, click Next and follow the IdP Integration steps.

  1. In the Infinity Portal, go to > General.

  2. The Unique Login URL shows below the account's name.

  3. To copy the URL, click .

Configuring Directory Integration

Directory Integration lets Check Point services take information about users and groups from an Identity Provider. To configure Directory Integration, enter credentials from the Identity Provider in the Infinity Portal. After you finish configuring Directory Integration, the Identity Provider and the Check Point services synchronize. The Check Point services then pull information about users and groups from the Identity Provider.

Notes:

  • Directory Integration is available for these IdPs: Azure, Okta, and Ping Identify.

  • Before you can set up Directory Integration, you must configure the Identity Provider.

To set up Directory Integration:

  1. Navigate to > Identity & Access.

  2. Below Identity Providers, on the IdP tab, click . If the IdP is already configured, then click Next until you get to step 5 Set Directory Integration.

  3. In Set Directory Integration, enter the necessary credentials for directory synchronization to connect to the IdP.

  4. To test the connection between the IdP and the Infinity Portal, click Test Connectivity.
    If the connection test passes, then the check mark icon shows as green. If the connection test does not pass, make sure the correct credentials were entered.

  5. Click Next.

Important - For users whose IdP is integrated with the Infinity Portal, but do not want to synchronize their IdP objects to the Infinity Portal, select the checkbox I want to skip this step and use this IdP for SSO authentication only.

Testing IdP Connectivity

In addition to the test connectivity step in the IdP directory configuration, it is possible to test the IdP connectivity any time after the configuration with the Test Connectivity option. This test allows administrators to make sure that the IdP setup is correct and if any issues with the connection exist.

To test IdP connectivity:

  1. In the Infinity Portal, select > Identity & Access.

  2. Below Identity Providers, for the specific IdP click Test Connectivity.

  3. Click Run test and enter your credentials.

    A page with success or failed messages shows.