SAML Identity Provider for Identity Awareness

This section describes how to configure authentication using a 3rd party Identity Provider over the SAML protocol as an authentication method for an Identity Awareness Gateway (Captive Portal) as a Service Provider.

An Identity Provider is a system entity that creates, maintains, and manages identity information and provides authentication services. A Service Provider is a system entity that provides services for users authenticated by the Identity Provider.

SAML Authentication Process Flow

In the example diagram below:

  • The service is google.com.

  • The service provider is Identity Awareness Gateway (Captive Portal).

  • The Identity Provider is Okta.

  1. An end-user asks for a service through the client browser.

    In our example - the end user enters google.com in the browser address bar.

  2. The Identity Awareness Gateway opens its Captive Portal.

  3. The Identity Awareness Gateway redirects the end-user browser to the 3rd party Identity Provider portal to acquire the end user's identity.

    In our example - Okta.

  4. The Identity Provider portal opens, and the end-user authenticates.

    In our example - Okta portal.

    The Identity Provider generates a digitally-signed SAML assertion and sends it back to the end-user browser.

  5. The end-user browser forwards the SAML assertion to the Identity Awareness Gateway.

  6. The Identity Awareness Gateway validates the SAML assertion and provides the end user with the requested service.

    In our example - google.com opens in the end-user browser.

Important - When you sign out from the Check Point service portal, it does not automatically sign out from the Identity Provider's session.

Basic SAML Configuration for Identity Awareness

Important - Before you use SAML configuration, make sure that your Security Policy allows access to the 3rd party Identity Provider web sites.

Advanced SAML Configuration for Identity Awareness

Starting from R81.20 Jumbo Hotfix Accumulator Take 89, you can configure these advanced SAML features:

  • Request Signing: Verifies authenticity of SAML requests.

  • Assertion Decryption: Protects confidentiality of user attributes.

  • Forced Re-authentication: Enables mandatory login for each session.

For configuration instructions, refer to sk182042.