SAML Identity Provider for Identity Awareness

This section describes how to configure authentication using a 3rd party Identity Provider over the SAML protocol as an authentication method for an Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA.Gateway (Captive PortalClosed A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication.) as a Service Provider.

An Identity Provider is a system entity that creates, maintains, and manages identity information and provides authentication services. A Service Provider is a system entity that provides services for users authenticated by the Identity Provider.

SAML Authentication Process Flow

In the example diagram below:

  • The service is google.com.

  • The service provider is Identity Awareness Gateway (Captive Portal).

  • The Identity Provider is Okta.

  1. An end-user asks for a service through the client browser.

    In our example - the end user enters google.com in the browser address bar.

  2. The Identity Awareness Gateway opens its Captive Portal.

  3. The Identity Awareness Gateway redirects the end-user browser to the 3rd party Identity Provider portal to acquire the end user's identity.

    In our example - Okta.

  4. The Identity Provider portal opens, and the end-user authenticates.

    In our example - Okta portal.

    The Identity Provider generates a digitally-signed SAML assertion and sends it back to the end-user browser.

  5. The end-user browser forwards the SAML assertion to the Identity Awareness Gateway.

  6. The Identity Awareness Gateway validates the SAML assertion and provides the end user with the requested service.

    In our example - google.com opens in the end-user browser.

Important - When you sign out from the Check Point service portal, it does not automatically sign out from the Identity Provider's session.

SAML Configuration Procedure

    1. Enable the Identity Awareness Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. (see Getting Started with Identity Awareness).

    2. Configure the Identity Awareness Captive Portal (see Configuring Browser-Based Authentication).

  2. External User Profile represents all the users authenticated by the Identity Provider.

    1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Manage & Settings > Blades.

    2. In the Mobile Access section, click Configure in SmartDashboard.

      Legacy SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. opens.

    3. In the bottom left pane, click Users.

    4. In the bottom left pane, right click on an empty space below the last folder in the pane and select New > External User Profile > Match all users.

    5. Configure the External User Profile properties:

      1. On the General Properties page:

        In the External User Profile name field, leave the default name generic*.

        In the Expiration Date field, set the applicable date.

      2. On the Authentication page:

        From the Authentication Scheme drop-down list, select and configure the applicable option.

      3. On the Location, Time, and Encryption pages, configure other applicable settings.

      4. Click OK.

    6. From the top toolbar, click Update (or press Ctrl + S).

    7. Close SmartDashboard.

    8. In SmartConsole, install the Access Control Policy.

    Note - It is not mandatory to install policy at the end of this step.

    1. In SmartConsole, from the Gateways & Servers view click New > More > User/Identity > Identity Provider.

      A New Identity Provider window opens:

    2. In the New Identity Provider window, in the Data required by the SAML Identity Provider section, configure these settings:

      SmartConsole automatically generates the data in these fields based on the previous two fields:

      • Identifier (Entity ID) – This is a URL that uniquely identifies a service provider (the Security Gateway, in our case)

      • Reply URL – This is a URL, to which the SAML assertions are sent

    3. Configure SAML Application on an Identity Provider website.

      Important:

      • Do not close the New Identity Provider window while you configure the SAML application in your Identity Provider’s website. You continue the configuration later with the information you receive from the Identity Provider.

      • Follow the Identity Provider's instructions.

      • You must provide the values from the New Identity Provider window from the Identifier (Entity ID) and the Reply URL fields.

        Copy these values from SmartConsole and paste them in the corresponding fields on the Identity Provider's website.

        Note - The exact names of the target fields on the Identity Provider's website might differ between Identity Providers.

      • Make sure to configure the Identity Provider to send the authenticated username in the email format (alias@domain).

      • Optional: If you wish to receive the Identity Provider's groups, in which the user is defined, make sure to configure the Identity Provider to send the group names as values of the attribute called group_attr.

        Note - When the user logs in to Azure Active Directory, PDPClosed Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways. returns a username that is an email address, and no groups.

        You must replace the userLoginAttr with email:

        • Do this:

          1. Go to Edit > network objects and select the Gateway object.

          2. Go to realms_for_blades > identity_portal, select userLoginAttr and replace it with email.

        • If you want PDP to return user groups, the Active Directory user must use the Azure username as an email address.

      • Make sure that at the end of the configuration process you get this information from the Identity Provider:

        • Entity ID - a URL that uniquely identifies the application

        • Login URL - a URL to access the application

        • Certificate – for validation of the data exchanged between the Security Gateway and the Identity Provider

        Note - Some Identity Providers supply a metadata XML file, which contains this information.

    4. In the New Identity Provider window, in the Data received from the SAML Identity Provider section, configure one of these settings:

      • Select Import the Metadata File to upload the metadata file supplied by the Identity Provider.

      • Select Insert Manually to paste manually the Entity ID and Login URL into the corresponding fields, and to upload the Certificate File. All these are supplied by the Identity Provider.

    Note - Identity Provider object in SmartConsole does not support the import of RAW Certificate.

    Important - If later you change the settings of the Browser-Based AuthenticationClosed Authentication of users in Check Point Identity Awareness web portal - Captive Portal, to which users connect with their web browser to log in and authenticate. in the Identity Awareness Gateway object, then you must update the applicable settings in the SAML application on the Identity Provider's website.

  4. To use the SAML Identity Provider object as an authentication method, you must configure the authentication settings for the Identity Awareness:

    1. In SmartConsole, click the Gateways & Servers panel.

    2. Open the Security Gateway object.

    3. From the left tree, click Identity Awareness.

    4. Near the Browser-Based Authentication, click Settings.

    5. In the Authentication Settings section, click Edit.

    6. In the Authentication Method section, select Identity Provider.

    7. Click the green [+] button and select the SAML Identity Provider object.

      Example:

    8. Click OK.

    Notes:

    • If you configure only one Identity Provider object, the end user is redirected to that Identity Provider's portal.

    • If you configure more than one Identity Provider object, the end user is asked to choose the Identity Provider for authentication.

    1. In SmartConsole, from the Gateways & Servers view click New > More > User/Identity > Identity Provider.

      A New Identity Provider window opens:

    2. In the New Identity Provider window, in the Data required by the SAML Identity Provider section, configure these settings:

      • In the Gateway field, select the Security Gateway, which needs to perform the SAML authentication.

      • In the Service field, select Identity Awareness.

      SmartConsole automatically generates the data in these fields based on the previous two fields:

      • Identifier (Entity ID) – This is a URL that uniquely identifies a service provider (the Security Gateway, in our case)

      • Reply URL – This is a URL, to which the SAML assertions are sent

    3. Configure SAML Application on an Identity Provider website.

      Important:

      • Do not close the New Identity Provider window while you configure the SAML application in your Identity Provider’s website. You continue the configuration later with the information you receive from the Identity Provider.

      • Follow the Identity Provider's instructions.

      • You must provide the values from the New Identity Provider window from the Identifier (Entity ID) and the Reply URL fields.

        Copy these values from SmartConsole and paste them in the corresponding fields on the Identity Provider's website.

        Note - The exact names of the target fields on the Identity Provider's website might differ between Identity Providers.

      • Make sure to configure the Identity Provider to send the authenticated username in the email format (alias@domain).

      • Optional: If you wish to receive the Identity Provider's groups, in which the user is defined, make sure to configure the Identity Provider to send the group names as values of the attribute called group_attr.

        Note - When the user logs in to Azure Active Directory, PDP returns a username that is an email address, and no groups.

        You must replace the userLoginAttr with email:

        • Do this:

          1. Go to Edit > network objects and select the Gateway object.

          2. Go to realms_for_blades > identity_portal, select userLoginAttr and replace it with email.

        • If you want PDP to return user groups, the Active Directory user must use the Azure username as an email address.

      • Make sure that at the end of the configuration process you get this information from the Identity Provider:

        • Entity ID - a URL that uniquely identifies the application

        • Login URL - a URL to access the application

        • Certificate – for validation of the data exchanged between the Security Gateway and the Identity Provider

        Note - Some Identity Providers supply a metadata XML file, which contains this information.

    4. In the New Identity Provider window, in the Data received from the SAML Identity Provider section, configure one of these settings:

      • Select Import the Metadata File to upload the metadata file supplied by the Identity Provider.

      • Select Insert Manually to paste manually the Entity ID and Login URL into the corresponding fields, and to upload the Certificate File. All these are supplied by the Identity Provider.

    Note - Identity Provider object in SmartConsole does not support the import of RAW Certificate.

    Important - If later you change the settings of the Browser-Based Authentication in the Identity Awareness Gateway object, then you must update the applicable settings in the SAML application on the Identity Provider's website.

    For more information, see Using Identity Tags in Access Role Matching.

    Important - In a ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

    A Security Gateway can authorize groups in different ways.

    Authorization can refer to two types of groups:

    • Identity Provider groups - these are groups the Identity Provider sends

    • Internal groups - these are groups received from User Directories configured in SmartConsole

    Available options to configure the authorization behavior:

    Option Name

    Numerical Value

    Authorization Behavior on Security Gateway

    Only SAML Groups

    0

    Consider only Identity Provider groups.

    Ignore internal groups.

    Prefer SAML Groups

    1

    This is the default.

    Prefer Identity Provider groups.

    If there are no external groups in the Identity Provider, use Ignore SAML Groups option.

    Union with SAML Groups

    2

    Consider both internal groups and Identity Provider groups.

    Ignore SAML Groups

    3

    Consider only internal groups.

    Ignore Identity Provider groups.

    Note - This configuration is for each Realm.

    You can view and change the authorization behavior on the Security Gateway.

    You see the configured behavior in one of these ways:

    You can set the behavior in one of these ways:

    Notes:

    1. In SmartConsole, click Install Policy.

    2. Select the applicable policy.

    3. Select Access Control.

    4. Click Install.

Important - Before you use SAML configuration, make sure that your Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. allows access to the 3rd party Identity Provider web sites.