SAML Identity Provider for Mobile Access

This section describes how to configure authentication using a 3rd party Identity Provider over the SAML protocol as an authentication method for Mobile AccessClosed Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. Gateway and Mobile Access Portal as service providers.

Identity Provider is a system entity that creates, maintains, and manages identity information and provides authentication services. Service Provider is a system entity that provides services for users authenticated by the Identity Provider.

SAML Authentication Process Flow

In the example diagram below:

  • The service provider is Mobile Access Gateway and Mobile Access Portal

  • The Identity Provider is Okta.

  1. An end-user browses to the URL of the Mobile Access Gateway.

  2. The Mobile Access Gateway opens its login page.

  3. The Mobile Access Gateway redirects the end-user browser to the 3rd-party Identity Provider portal to acquire the end user's identity.

    In our example - Okta.

  4. The Identity Provider portal opens, and the end-user authenticates.

    In our example - Okta portal.

    The Identity Provider generates a digitally-signed SAML assertion and sends it back to the end-user browser.

  5. The end-user browser forwards the SAML assertion to the Mobile Access Gateway.

  6. The Mobile Access Gateway validates the SAML assertion and redirects the end user to the Mobile Access Portal. The end user can access internal resources from the Mobile Access Portal.

Important - When you sign out from the Check Point service portal, it does not automatically sign out from the Identity Provider's session.

SAML Configuration Procedure

    1. Enable the Mobile Access Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. (see Getting Started with Mobile Access).

    2. Configure the Mobile Access Portal (see The New Mobile Access Portal).

  2. External User Profile represents all the users authenticated by the Identity Provider.

    1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Manage & Settings > Blades.

    2. In the Mobile Access section, click Configure in SmartDashboard.

      Legacy SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. opens.

    3. In the bottom left pane, click Users.

    4. In the bottom left pane, right click on an empty space below the last folder in the pane and select New > External User Profile > Match all users.

    5. Configure the External User Profile properties:

      1. On the General Properties page:

        In the External User Profile name field, leave the default name generic*.

        In the Expiration Date field, set the applicable date.

      2. On the Authentication page:

        From the Authentication Scheme drop-down list, select and configure the applicable option.

      3. On the Location, Time, and Encryption pages, configure other applicable settings.

      4. Click OK.

    6. From the top toolbar, click Update (or press Ctrl + S).

    7. Close SmartDashboard.

    8. In SmartConsole, install the Access Control Policy.

    Note - It is not mandatory to install policy at the end of this step.

    1. In SmartConsole, from the Gateways & Servers view click New > More > User/Identity > Identity Provider.

      A New Identity Provider window opens:

    2. In the New Identity Provider window, in the Data required by the SAML Identity Provider section, configure these settings:

      SmartConsole automatically generates the data in these fields based on the previous two fields:

      • Identifier (Entity ID) – This is a URL that uniquely identifies a service provider (the Security Gateway, in our case)

      • Reply URL – This is a URL, to which the SAML assertions are sent

    3. Configure SAML Application on an Identity Provider website.

      Important:

      • Do not close the New Identity Provider window while you configure the SAML application in your Identity Provider’s website. You continue the configuration later with the information you receive from the Identity Provider.

      • Follow the Identity Provider's instructions.

      • You must provide the values from the New Identity Provider window from the Identifier (Entity ID) and the Reply URL fields.

        Copy these values from SmartConsole and paste them in the corresponding fields on the Identity Provider's website.

        Note - The exact names of the target fields on the Identity Provider's website might differ between Identity Providers.

      • Make sure to configure the Identity Provider to send the authenticated username in the email format (alias@domain).

      • Optional: If you wish to receive the Identity Provider's groups, in which the user is defined, make sure to configure the Identity Provider to send the group names as values of the attribute called group_attr.

      • Make sure that at the end of the configuration process you get this information from the Identity Provider:

        • Entity ID - a URL that uniquely identifies the application

        • Login URL - a URL to access the application

        • Certificate – for validation of the data exchanged between the Security Gateway and the Identity Provider

        Note - Some Identity Providers supply a metadata XML file, which contains this information.

    4. In the New Identity Provider window, in the Data received from the SAML Identity Provider section, configure one of these settings:

      • Select Import the Metadata File to upload the metadata file supplied by the Identity Provider.

      • Select Insert Manually to paste manually the Entity ID and Login URL into the corresponding fields, and to upload the Certificate File. All these are supplied by the Identity Provider.

    Note - Identity Provider object in SmartConsole does not support the import of RAW Certificate.

    Important - If later you change the settings of the Mobile Access Portal settings in the Mobile Access Gateway object, then you must update the applicable settings in the SAML application on the Identity Provider's website.

  4. To use the SAML Identity Provider object as an authentication method, you must configure the authentication settings.

    1. In SmartConsole, click the Gateways & Servers panel.

    2. Open the Security Gateway object.

    3. From the left tree click Mobile Access > Authentication.

    4. In the Multiple Authentication Client Settings section, click Add to add a new Realm object.

    5. On the Login Option pane, in the Usage in Gateway section, clear the box Use in Capsule Workspace.

    6. On the Login Option pane, in the Authentication Methods section, click Add.

    7. Select Identity Provider.

    8. Click the green [+] button and select the SAML Identity Provider object.

      Notes:

      • Only one Identity Provider object is supported for each Realm.

      • Identity Provider must be the only authentication method configured for that Realm.

      Example:

    9. Click OK.

  5. For each group configured in your SAML application, you must create an equivalent Identity Tag object in SmartConsole.

    The value of the Identity Tag must be identical to the value of the provided group or to the Object ID.

    Note - If you use Azure AD, you must create the Identity Tag in SmartConsole by the Azure AD Group Object ID and not by the User Group name:

    1. Open your Azure AD.

    2. Go to the User Group you created in Azure.

    3. Copy the Object ID and paste it in the Identity Tag > External Identifier field in SmartConsole.

    Important - If you use Mobile Access in Legacy mode, for each group configured in your SAML application instead of the Identity Tag you must create an equivalent User Group object in SmartConsole.

    1. In the top left corner, click Objects > Object Explorer.

      The Object Explorer window opens.

    2. In the left navigation tree, click Users/Identity.

    3. From the toolbar, click New > User > User Group.

    4. Create a User Group object.

      Note - The name of the User Group object must be identical to the provided group name.

    5. Click OK.

    6. Close the Object Explorer window.

    Important - In a ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

    A Security Gateway can authorize groups in different ways.

    Authorization can refer to two types of groups:

    • Identity Provider groups - these are groups the Identity Provider sends

    • Internal groups - these are groups received from User Directories configured in SmartConsole

    Available options to configure the authorization behavior:

    Option Name

    Numerical Value

    Authorization Behavior on Security Gateway

    Only SAML Groups

    0

    Consider only Identity Provider groups.

    Ignore internal groups.

    Prefer SAML Groups

    1

    This is the default.

    Prefer Identity Provider groups.

    If there are no external groups in the Identity Provider, use Ignore SAML Groups option.

    Union with SAML Groups

    2

    Consider both internal groups and Identity Provider groups.

    Ignore SAML Groups

    3

    Consider only internal groups.

    Ignore Identity Provider groups.

    Note - This configuration is for each Realm.

    You can view and change the authorization behavior on the Security Gateway.

    On the Mobile Access Gateway / each Cluster MemberClosed Security Gateway that is part of a cluster., examine the applicable value in Check Point Registry in the Expert mode:

    ckp_regedit -p SOFTWARE/Checkpoint/Ex_Groups "<Realm Name>"

    On the Mobile Access Gateway / each Cluster Member, change the applicable value in Check Point Registry in the Expert mode:

    ckp_regedit -a SOFTWARE/Checkpoint/Ex_Groups "<Realm Name>" -n {0 | 1 | 2 | 3}

    Notes:

    1. In SmartConsole, click Install Policy.

    2. Select the applicable policy.

    3. Select Access Control.

    4. Click Install.

Important - Before you use SAML configuration, make sure that your Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. allows access to the 3rd party Identity Provider web sites.