SAML Support for Remote Access VPN

You can configure Remote Access VPNClosed An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. to recognize identities from a cloud-based SAMLIdentity Provider.

This feature is supported starting from R81 Jumbo Hotfix Accumulator Take 42.

This feature is supported starting from R81 SmartConsole Releases Build 553.

Requirements

These are the required versions of products to use this feature with an R81 Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.:

Product

Requirement

Management Server

R81 with the R81 Jumbo Hotfix Accumulator, Take 42 or higher

SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.

R81 SmartConsole Releases - Build 553 or higher

Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

R81 with the R81 Jumbo Hotfix Accumulator, Take 42 or higher

Important - To use the feature with at least one Security Gateway of version R81.10 and lower, you must download a script to the Management Server. See Step 4: Configure the Identity Provider as an Authentication Method.

Endpoint Security Client

  • Endpoint Security Client for Windows - version E84.70 build 986102705 or higher

  • Endpoint Security Client for macOS - version E85.30 or higher

Important - To see the lowest Endpoint Security Client version that your Security Gateway supports, see the R81 Release Notes > Chapter "Supported Clients and Agents".

Configuration

Procedure

Known Limitations

  • This feature supports only IPsec VPNClosed Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. clients.

  • All Remote Access VPN users and endpoint computers must be configured in an Identity Provider for authentication.

    This applies to managed endpoint computers and non-managed endpoint computers.

  • In the SAML-based authentication flow, the Identity Provider issues the SAML ticket after one or multiple verification activities.

  • Quantum Spark Appliances with Gaia Embedded OS are not supported.

  • SAML authentication cannot be configured with more authentication factors in the same login option.

    The Machine Certificate Authentication option is supported.

    To use Multiple Factor Authentication, configure the external Identity Provider to have multiple verification steps.

    The complexity and number of verification activities depends on the configuration of the Identity Provider.

  • For Windows and macOS endpoint computers or appliances (managed and non-managed), Check Point Remote Access VPN client must be installed.

  • In the security Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase., you can only enforce identities received from remote access SAML authentication at the VPN termination point.

  • Connecting from a CLI to a realm with Identity Provider is not supported.

  • Remote Access VPN client for ATMs is not supported.

  • Secure Domain Logon (SDL) with Identity Provider is not supported.

  • Identity Tags are not supported for Remote Access VPN connections.