Using Microsoft Entra ID for Authorization

By incorporating SAML for user authentication, you can leverage Microsoft Entra ID entities to control access to corporate resources.

Microsoft Entra ID is a Microsoft cloud-based identity and access management service that offers identity and access capabilities for applications that run in Microsoft Azure.

Best Practice: To use Microsoft Entra ID, your Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and Security Gateways that work as PDP Check Point Identity Awareness Security Gateway that acts as Policy Decision Point: acquires identities from identity sources; shares identities with other gateways.s must have an Internet access. If your Management Server does not have a direct access, configure a proxy server: From you browser, log in to the Gaia Portal Web interface for the Check Point Gaia operating system.. From the left tree, go to System Management > Proxy. Select the Use proxy server option and enter the applicable proxy server configuration. Click OK. Publish the SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. session. If your Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. that works as PDP does not have a direct access, configure a proxy server: In SmartConsole, open the Global Properties. From the left tree, click Proxy. Select the Use proxy server option and enter the applicable proxy server configuration. Click OK. Publish the SmartConsole session.

Configuring

This section describes the procedure for configuring Microsoft Entra ID.

The procedure has two parts. Each part consists of these steps:

• Part 1 - Configuration in Microsoft Azure Portal.

• Part 2 - Configuration in Check Point SmartConsole.

Configuration in Microsoft Azure Portal

Note - For more information about configuration on the Microsoft Azure portal, refer to Microsoft Azure documentation.

1. Configuring Azure application

   1. Log in to your Azure account in https://portal.azure.com/, click the username the top-right side, and make sure that the directory is correct.

      Note - You must have at least one user and one group defined.

   2. Make specified user group(s).

      1. From the left-side menu, select Microsoft Entra ID.

      2. Click Users.

      3. In the Overview window, select the users from the list.

      4. Click Home.

   3. Select Enterprise Applications.

   4. Click New Application > Non-gallery application.

   5. In the Add your own application window, enter a name for your application (for example, checkpoint). Click Add.

   6. In your application Overview window, click on your application and select App registrations option.

   7. Click Owned applications >checkpoint.

   8. Copy and save these parameters:

      • Application (client) ID

      • Directory (tenant) ID

   9. Go to Certificates & Secrets > New client secret and set these parameters:

      • Description - Enter a free-text description (for example, Check Point).

      • Expires - Set an applicable expiration date.

   10. Click Add.

   11. Copy and save the client secret.

       Note - You cannot retrieve this value after you perform a different operation or leave this blade.

2. Configuring SAML as a Single Sign-On for your Azure application

   1. Click on Home and select Microsoft Entra ID from the menu.

   2. Click on Enterprise applications and go to All applications.

   3. Select your application.

      The application Overview window opens.

   4. Click Single Sign-On.

   5. Select SAML as the Single Sign-On method.

   6. In the Set up Sign-On with SAML window, go to the User Attributes & Claims section and click the pencil icon to edit the claims.

      The User Attributes & Claims window opens.

   7. In the Required claim section, click Unique User Identifier (Name ID).

   8. In the Manage claim window:

      • Attribute option - Select.

      • Source Attribute drop-down menu - Select user.localuserprincipalname.

   9. Click Save to save the user claims, then close the window.

   10. Back on the SAML Signing Certificate page, go to the Federation Metadata XML file and click Download.

       The Federation Metadata XML is downloaded.

       Note - Stay logged in to Azure and come back to it in the next steps.

3. Registering your application

   1. Click App Registrations > New registration.

   2. Click Owned applications.

   3. Select your application and click Register.

   4. Click API permissions > Add a permission and select these permissions:

      • Microsoft Graph

      • Device.Read.All

      • Group.Read.All

      • User.Read.All

   5. Click Add permissions > Configured permissions > Grant admin consent for approval of your app API permissions. Click Yes.

      Your application gets the granted permissions.

Configuration in Check Point SmartConsole

1. Configuring Azure object

   Use one of the following configuration options:

   • Configure the Microsoft Entra ID through the IDA wizard

     1. In SmartConsole, open the Gateway and click Identity Awareness.

     2. On the Identity Awareness Configuration wizard, select only Browser-Based Authentication Authentication of users in Check Point Identity Awareness web portal - Captive Portal, to which users connect with their web browser to log in and authenticate. option.

        Example:

        

     3. Click Next.

     4. From the Select Active Directory drop-down menu, select Create new Microsoft Entra ID.

     5. Enter these settings that you created in Configuration in Microsoft Azure Portal:

        • Name - Enter a name for your application.

        • Application ID field - Enter the Application ID of the Service Principal in the UUID format [xxxxxxx-xxxx-xxxx-xxxxxx].

        • Application Key - Enter the Client Secret created for the Service Principal.

        • Directory ID - Enter the Directory ID of the Service Principal in the UUID format [xxxxxxx-xxxx-xxxx-xxxxxx].

          Important - Do not configure specified multiple Microsoft Entra ID objects with same Directory ID.

     6. Click Test Connection.

     7. After the connection is active, click Next > Next >Finish.

        You can now select the new created Microsoft Entra ID from the Users/Identities menu.

     8. Publish the SmartConsole session.

   • Configure a new server on the Objects bar

     1. On Check Point SmartConsole, click New > More > User/Identity > Microsoft Entra ID.

        

        A New Microsoft Entra ID window opens.

        

     2. In the New Microsoft Entra ID window, in the Service Principal Authentication section, configure these settings that you created in Configuration in Microsoft Azure Portal:

        • Name - Enter a name for your application.

        • Application ID field - Enter the Application ID of the Service Principal in the UUID format [xxxxxxx-xxxx-xxxx-xxxxxx].

        • Application Key - Enter the Client Secret created for the Service Principal.

        • Directory ID - Enter the Directory ID of the Service Principal in the UUID format [xxxxxxx-xxxx-xxxx-xxxxxx].

     3. Click Test Connection.

     4. Publish the SmartConsole session.

2. Creating the Access Role with the Azure directory

   1. In the object tree, click New> More > User/Identity > Access Role.

   2. Click [+] to add a new Access Role Access Role objects let you configure network access according to: Networks, Users and user groups, Computers and computer groups, Remote Access Clients. After you activate the Identity Awareness Software Blade, you can create Access Role objects and use them in the Source and Destination columns of Access Control Policy rules..

   3. In the New Access Role window:

      • Enter a Name for the access.

      • Enter a Comment (optional).

      • Select a Color for the object (optional).

   4. In the Users pane, select one of these:

      • Any user.

      • All identified users - Includes all users identified by a supported authentication method (internal users, Active Directory users, or LDAP users).

      • Specific users/groups - You can select the Microsoft Entra ID and select users or groups of users from the list.

   5. Click OK.

   6. Publish the SmartConsole session.

      

   7. Use the created Azure Access Role to add the rules in the policy.

      

Best Practice - If you use Azure for the two of authentication and authorization, then Microsoft Entra ID performs authentication through the SAML protocol with the SAML Identity Provider. To configure SAML for authentication, refer to SAML Identity Provider for Identity Awareness.