Creating an Administrator Account with SAML Authentication Login

With SAML authentication, administrators log in to SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on) through a central third-party Identity Provider using the SAML protocol. The Identity Provider holds the information about the administrators and is the party that authenticates them. Check Point supports these Identity Providers: Okta, Ping Identity, Azure.

Use Case

Administrators with accounts in Azure want to work with SmartConsole. If each administrator uses two different administrator names and passwords, one for Azure and one for SmartConsole, this causes a number of issues:

  • The administrators must handle different password and expiration policies (in addition to other corporate passwords).

  • The administrators must remember two different passwords, one for Azure and one for SmartConsole (in addition to other corporate passwords).

  • Administrator accounts require additional maintenance. For example, when an administrator leaves, you must remove them from every application they are registered to. If you use an Identity Provider, you only need to remove the administrator from the Identity Provider database.

Therefore, the organization prefers that each administrator uses one password for both Azure and SmartConsole. With the Identity Provider, the administrator authenticates once to Azure, and when the administrator connects to SmartConsole, SmartConsole already recognizes them and they do not have to enter another password. This way, the administrator also does not reveal their password to the Security Management Server (the dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server).

SAML Authentication Process Flow:

  1. The administrator tries to log in to SmartConsole.

  2. SmartConsole sends the administrator to the browser, to a URL that is preconfigured on the Security Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server).

  3. The Security Management Server redirects the browser with a SAML request to the Identity Provider.

  4. The Identity Provider authenticates the administrator.

  5. The Identity Provider generates a SAML assertion and sends it back to the Security Management Server through the browser.

  6. The Security Management Server validates the SAML assertion.

  7. If the administrator is authenticated, the Security Management Server redirects the browser to SmartConsole with the necessary data required for authentication.

  8. SmartConsole opens a session to the Security Management Server with this authentication data.
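As an added illustration of steps 3 and 6, here is a small Python model of the Service Provider side of this flow. It is not Check Point's code and says nothing about how the Security Management Server is implemented; the entity IDs, URLs, request IDs and the response builder are constructed placeholders. It shows the HTTP-Redirect encoding of the AuthnRequest and the checks a Service Provider applies before it trusts an assertion (InResponseTo, status, issuer, validity window, audience, and the bearer SubjectConfirmationData). Verification of the XML Signature is assumed to have been done beforehand by an XML-DSig library and is not shown.

```python
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}

# Assumed identifiers for this example; none of them come from the page.
SP_ENTITY_ID = "https://mgmt.example.com/saml"       # audience we expect in assertions
ACS_URL = "https://mgmt.example.com/saml/acs"        # where the IdP must post the response
IDP_ENTITY_ID = "https://idp.example.com/metadata"   # the only issuer we trust


def build_redirect_url(idp_sso_url, request_id, issue_instant):
    """Step 3, SP side: HTTP-Redirect binding = raw DEFLATE, base64, URL-encode."""
    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(wbits=-15)  # negative wbits: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{idp_sso_url}?{query}"


def decode_redirect_request(url):
    """Inverse of build_redirect_url; useful when inspecting a captured redirect."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), wbits=-15).decode()


def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(response_xml, expected_request_id, now):
    """Step 6, SP side: checks applied after the XML Signature has been verified.
    Returns (ok, reason, subject NameID)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response", None
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch", None   # unsolicited or replayed
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status not Success", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        return False, "issuer not trusted", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "no validity window", None
    if cond.get("NotBefore") is not None and now < _ts(cond.get("NotBefore")):
        return False, "not yet valid", None
    if now >= _ts(cond.get("NotOnOrAfter")):
        return False, "expired", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch", None
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id:
        return False, "subject confirmation mismatch", None
    if scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")):
        return False, "subject confirmation expired", None
    return True, "ok", assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)


def make_response(request_id, issued, lifetime_s=300, audience=SP_ENTITY_ID,
                  issuer=IDP_ENTITY_ID, subject="alice@example.com"):
    """Constructed, unsigned IdP response used only to exercise validate_response."""
    nb = issued.isoformat().replace("+00:00", "Z")
    noa = (issued + timedelta(seconds=lifetime_s)).isoformat().replace("+00:00", "Z")
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'IssueInstant="{nb}" InResponseTo="{request_id}" Destination="{ACS_URL}">'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" '
        f'NotOnOrAfter="{noa}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>'
        f"<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"</saml:Assertion></samlp:Response>"
    )


def demo():
    """Run the flow against constructed data; returns the outcome of each check."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    req = "_" + secrets.token_hex(16)   # fresh, unguessable request ID, remembered per login
    url = build_redirect_url("https://idp.example.com/sso", req, "2024-05-01T12:00:00Z")
    return {
        "request_roundtrip": f'ID="{req}"' in decode_redirect_request(url),
        "valid": validate_response(make_response(req, now - timedelta(seconds=10)), req, now),
        "wrong_request": validate_response(make_response(req, now), "_other", now)[1],
        "expired": validate_response(make_response(req, now - timedelta(seconds=600)), req, now)[1],
        "wrong_audience": validate_response(make_response(req, now, audience="https://other.example.com"), req, now)[1],
        "wrong_issuer": validate_response(make_response(req, now, issuer="https://rogue.example.com"), req, now)[1],
    }


if __name__ == "__main__":
    print(demo())
```

The request ID generated in `demo()` is what makes the InResponseTo check meaningful: the SP must remember each ID it issued and accept a response for it only once, otherwise a captured response could be replayed (a point that applies to any SP, not only to this flow).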

SAML Authentication Login

Note - SAML authentication for SmartConsole login requires the Gaia Portal (the web interface for the Check Point Gaia operating system) on the Management Server to listen on TCP port 443. See sk182032.

  1. In SmartConsole, go to the Manage & Settings view > Permissions & Administrators > Advanced > Identity Provider > Identity Provider for Managing Administrator Access > Select the Identity Provider object that you created.

  2. There are two ways to log in to SmartConsole with Identity Provider.

After you configure SAML authentication, you can, in addition, configure authentication with a certificate file. The administrator can then authenticate to SmartConsole with the SAML Identity Provider or the certificate file.

You create the certificate file in SmartConsole. The administrator can use the certificate to log in to SmartConsole in two ways:

  • Log in to SmartConsole with the Certificate File option. The administrator must provide the password to use the certificate file.

  • You can import the certificate file to the Windows Certificate Store on the Microsoft Windows SmartConsole computer. The administrator can use this stored certificate to log in to SmartConsole with the CAPI Certificate option. The administrator does not need to provide a password to log in.

The administrator can also give the certificate to other administrators to log in to SmartConsole with no administrator account of their own.