SAML Identity Provider for Identity Awareness
This section describes how to configure authentication using a 3rd party Identity Provider over the SAML protocol as an authentication method for an Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Gateway (Captive Portal A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication.) as a Service Provider.
An Identity Provider is a system entity that creates, maintains, and manages identity information and provides authentication services. A Service Provider is a system entity that provides services for users authenticated by the Identity Provider.
SAML Authentication Process Flow
In the example diagram below:
-
The service is
google.com
. -
The service provider is Identity Awareness Gateway (Captive Portal).
-
The Identity Provider is Okta.
|
|
Important - When you sign out from the Check Point service portal, it does not automatically sign out from the Identity Provider's session. |
Basic SAML Configuration for Identity Awareness
-
Configure the Identity Awareness Software Blade
-
Enable the Identity Awareness Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. (see Getting Started with Identity Awareness).
-
Configure the Identity Awareness Captive Portal (see Configuring Browser-Based Authentication).
-
-
Configure an External User Profile object
External User Profile represents all the users authenticated by the Identity Provider.
-
In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Manage & Settings > Blades.
-
In the Mobile Access section, click Configure in SmartDashboard.
-
In the bottom left pane, click Users.
-
In the bottom left pane, right click on an empty space below the last folder in the pane and select New > External User Profile > Match all users.
-
Configure the External User Profile properties:
-
On the General Properties page:
In the External User Profile name field, leave the default name generic*.
In the Expiration Date field, set the applicable date.
-
On the Authentication page:
From the Authentication Scheme drop-down list, select and configure the applicable option.
-
On the Location, Time, and Encryption pages, configure other applicable settings.
-
Click OK.
-
-
From the top toolbar, click Update (or press Ctrl + S).
-
Close SmartDashboard.
-
In SmartConsole, install the Access Control Policy.
Note - It is not mandatory to install policy at the end of this step.
-
-
Configure an Identity Provider object
-
In SmartConsole, from the Gateways & Servers view click New > More > User/Identity > Identity Provider.
A New Identity Provider window opens:
-
In the New Identity Provider window, in the Data required by the SAML Identity Provider section, configure these settings:
-
In the Gateway field, select the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., which needs to perform the SAML authentication.
-
In the Service field, select Identity Awareness.
SmartConsole automatically generates the data in these fields based on the previous two fields:
-
Identifier (Entity ID) – This is a URL that uniquely identifies a service provider (the Security Gateway, in our case)
-
Reply URL – This is a URL, to which the SAML assertions are sent
-
-
Configure SAML Application on an Identity Provider website.
Important:
-
Do not close the New Identity Provider window while you configure the SAML application in your Identity Provider’s website. You continue the configuration later with the information you receive from the Identity Provider.
-
Follow the Identity Provider's instructions.
-
You must provide the values from the New Identity Provider window from the Identifier (Entity ID) and the Reply URL fields.
Copy these values from SmartConsole and paste them in the corresponding fields on the Identity Provider's website.
Note - The exact names of the target fields on the Identity Provider's website might differ between Identity Providers.
-
Make sure to configure the Identity Provider to send the authenticated username in the email format (
alias@domain
). -
Optional: If you wish to receive the Identity Provider's groups, in which the user is defined, make sure to configure the Identity Provider to send the group names as values of the attribute called group_attr.
Note - When the user logs in to Azure Active Directory, PDP Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways. returns a username that is an email address, and no groups.
You must replace the userLoginAttr with email:
-
Do this:
-
Go to Edit > network objects and select the Gateway object.
-
Go to realms_for_blades > identity_portal, select userLoginAttr and replace it with email.
-
-
If you want PDP to return user groups, the Active Directory user must use the Azure username as an email address.
-
-
Make sure that at the end of the configuration process you get this information from the Identity Provider:
-
Entity ID - a URL that uniquely identifies the application
-
Login URL - a URL to access the application
-
Certificate – for validation of the data exchanged between the Security Gateway and the Identity Provider
Note - Some Identity Providers supply a metadata XML file, which contains this information.
-
-
-
In the New Identity Provider window, in the Data received from the SAML Identity Provider section, configure one of these settings:
-
Select Import the Metadata File to upload the metadata file supplied by the Identity Provider.
-
Select Insert Manually to paste manually the Entity ID and Login URL into the corresponding fields, and to upload the Certificate File. All these are supplied by the Identity Provider.
-
Note - Identity Provider object in SmartConsole does not support the import of RAW Certificate.
Important - If later you change the settings of the Browser-Based Authentication Authentication of users in Check Point Identity Awareness web portal - Captive Portal, to which users connect with their web browser to log in and authenticate. in the Identity Awareness Gateway object, then you must update the applicable settings in the SAML application on the Identity Provider's website.
-
-
Configure the Identity Provider as an authentication method
To use the SAML Identity Provider object as an authentication method, you must configure the authentication settings for the Identity Awareness:
-
In SmartConsole, click the Gateways & Servers panel.
-
Open the Security Gateway object.
-
From the left tree, click Identity Awareness.
-
Near the Browser-Based Authentication, click Settings.
-
In the Authentication Settings section, click Edit.
-
In the Authentication Method section, select Identity Provider.
-
Click the green [+] button and select the SAML Identity Provider object.
Example:
-
Click OK.
Notes:
-
If you configure only one Identity Provider object, the end user is redirected to that Identity Provider's portal.
-
If you configure more than one Identity Provider object, the end user is asked to choose the Identity Provider for authentication.
-
-
Optional: Configure group authorizationPart A - Configuring
For each group configured in your SAML application, you must create an equivalent Identity Tag object in SmartConsole.
The value of the Identity Tag must be identical to the value of the provided group or to the Object ID.
Note - If you use Azure AD, you must create the Identity Tag in SmartConsole by the Azure AD Group Object ID and not by the User Group name:
-
Open your Azure AD.
-
Go to the User Group you created in Azure.
-
Copy the Object ID and paste it in the Identity Tag > External Identifier field in SmartConsole.
For more information, see Using Identity Tags in Access Role Matching.
Part B - Configuring group authorization behaviorImportant - In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.
A Security Gateway can authorize groups in different ways.
Authorization can refer to two types of groups:
-
Identity Provider groups - these are groups the Identity Provider sends
-
Internal groups - these are groups received from User Directories configured in SmartConsole
Available options to configure the authorization behavior:
Note - This configuration is for each Realm.
You can view and change the authorization behavior on the Security Gateway.
Viewing the configured authorization behaviorYou see the configured behavior in one of these ways:
-
On the Identity Awareness Gateway / each Cluster Member Security Gateway that is part of a cluster., examine the applicable value in Check Point Registry in the Expert mode:
ckp_regedit -p SOFTWARE/Checkpoint/Ex_Groups "<Realm Name>"
-
On the Identity Awareness Gateway / each Cluster Member (in the Expert mode or Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).):
pdp idp groups status
Configuring the authorization behaviorYou can set the behavior in one of these ways:
-
On the Identity Awareness Gateway / each Cluster Member, change the applicable value in Check Point Registry in the Expert mode:
ckp_regedit -a SOFTWARE/Checkpoint/Ex_Groups "<Realm Name>" -n {0 | 1 | 2 | 3}
-
On the Identity Awareness Gateway / each Cluster Member (in the Expert mode or Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish):
pdp idp groups set {only | prefer | union | ignore}
Notes:
-
Make sure SAML directory and the applicable User Directory Check Point Software Blade on a Management Server that integrates LDAP and other external user management servers with Check Point products and security solutions. can synchronize with each other.
-
Make sure that the LDAP lookup type of the applicable realm is set to "
mail
".
-
-
Install the Access Control Policy
-
In SmartConsole, click Install Policy.
-
Select the applicable policy.
-
Select Access Control.
-
Click Install.
-
|
Important - Before you use SAML configuration, make sure that your Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. allows access to the 3rd party Identity Provider web sites. |
Advanced SAML Configuration for Identity Awareness
Starting from R81.20 Jumbo Hotfix Accumulator Take 89, you can configure these advanced SAML features:
-
Request Signing: Verifies authenticity of SAML requests.
-
Assertion Decryption: Protects confidentiality of user attributes.
-
Forced Re-authentication: Enables mandatory login for each session.
For configuration instructions, refer to sk182042.