Configuring a Centralized Identity Provider

In R82 and higher, you can centrally define one or more Identity Providers (IdP), such as Microsoft Entra ID and Okta within Infinity Portal. These IdP configurations can then be reused across multiple Security Gateways using SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. that have the Identity AwarenessClosed Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA. Blade enabled.

How Centralized IdP Works

  • You configure your IdP once in the Infinity Portal.

  • The IdP is then available as a read-only object in SmartConsole.

  • Security Gateways use this central IdP for user authentication and group membership, enabling Identity Awareness features such as user-based Access Roles and policies.

This example uses Microsoft Entra ID but applies to any IdP supported by the Infinity Portal.

  1. A user defined in Microsoft Entra ID attempts to access Amazon Web Services.

    Note - If you have more than one IdP configured, the user is redirected to the Captive PortalClosed A Check Point Identity Awareness web portal, to which users connect with their web browser to log in and authenticate, when using Browser-Based Authentication. to select an IdP.

  2. Upon successful authentication through the IdP, the user is granted access to Amazon based on your predefined ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session..

Prerequisites

  • Access to one of these supported cloud platforms.

  • An app on your chosen platform with permissions to create groups and assign users.

  • SmartConsole is connected to the Infinity Portal.

  • Login credentials for Infinity Portal and the IdP.

Supported IdPs

  • Microsoft ADFS

  • Microsoft Entra ID

  • Okta

  • OneLogin

  • Ping Identity

  • Google Workspace

  • Generic SAML Server

Important - Only the EU and US regions are supported in Infinity Identity configurations.

How to Configure a Centralized Identity Provider

Before you begin, log in to SmartConsole, the Infinity Portal, and your IdP.

Check Point supports multiple Identity Providers. Refer to SSO Authentication Setup with Identity Provider for detailed procedures.

  1. Open SmartConsole and log in to your Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..

  2. Select Infinity Services > click Get Started.

  3. In the Instructions window How to connect to the Infinity Portal, click Get Token.

  4. Navigate to the Infinity Portal to authenticate and select an account, agree to share your Security Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. data with the Infinity Portal, and copy the token.

  5. Return to SmartConsole, paste the token into the SmartConsole's instructions window and click Connect.

  6. Wait for the Security Management Server to connect to the Infinity Portal.

  7. In the Infinity Portal, make sure your Security Management Server is connected. The Connect status shows Active, as in this example:


  8. Follow the steps for adding an IdP, see SSO Authentication Setup with Identity Provider.

  9. Test connectivity, confirm the Identity Provider, run the connectivity test, and close.

  10. The Identity Provider defined on the Infinity Portal is now available as a read-only object in SmartConsole.

  1. In SmartConsole, open the gateway object (the one that you want to connect to the IdP) and enable the Identity Awareness Blade.

  2. In the First Time Configuration Wizard, select Browser-Based Authentication > Next.

  3. Select "I do not wish to configure an Active Directory at this time" and click Next > (again) NextFinish.

  4. In the navigation tree, select the Identity Awareness property and open the Browser-Based Authentication settings.

  5. Below Authentication Settings, select Edit.

  6. For the Authentication Method, select Identity Provider as the authentication method, and then select the IdP that you configured in the Infinity Portal. In this example, "Central IdP".

  7. Click OK, and then OK again to save the settings.

  8. In the Security Policies view, create a rule for testing purposes.

    1. Name - Give the rule a name, for example, "Central_IdP".

    2. Source - Add an Access Role that contains the user group assigned to your central IdP (such as Azure). The Access RoleClosed Access Role objects let you configure network access according to: Networks, Users and user groups, Computers and computer groups, Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules. gets its groups and users in those groups from those defined on the IdP. To create an Access Role, see Creating Access Roles.

    3. Destination - For the Destination, select *Any.

    4. Services & Applications - Select the applicable applications and sites.

    5. Action - In the Action Settings window, the Action is Accept.
      Also, make sure to select the checkbox Enable Identity Captive Portal.

    6. Track - Track matches on the rule with the Log.

  9. Publish the session changes and click Install Policy > Install.