Configuring SAML Identity Provider

Starting from R81.10.15, you can configure Microsoft Entra ID (formerly Azure AD) as a SAML Identity Provider (IdP) to authenticate Remote Access VPNClosed An encrypted tunnel between remote access clients (such as Endpoint Security VPN) and a Security Gateway. users on a Quantum Spark Gateway.

Requirements

Product

Requirement

Management ServerClosed A Check Point Security Management Server or a Multi-Domain Security Management Server.

R81.20

SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.

R81.20

Quantum Spark Gateway

R81.10.15

Endpoint Security Client

  • Endpoint Security Client for Windows - version E84.70 build 986102705 or higher

  • Endpoint Security Client for macOS - version E85.30 or higher

Product

Requirement

Management Server

R81.10 with the R81.10 Jumbo Hotfix Accumulator, Take 9 or higher

SmartConsole

R81.10 SmartConsole Releases - Build 400 or higher

Quantum Spark Gateway

R81.10.15

Endpoint Security Client

  • Endpoint Security Client for Windows - version E84.70 build 986102705 or higher

  • Endpoint Security Client for macOS - version E85.30 or higher

Use Case

Remote users use their Microsoft Entra ID credentials to access resources located behind the Quantum Spark Gateway.

This is easier than using specific credentials only for the Quantum Spark Gateway.

The administrator can manage user groups and enforce authentication methods such as Single Sign-On (SSO) and Two-Factor Authentication (2FA) in the Microsoft Entra ID portal.

Workflow

  1. A remote user tries to access internal resources located behind the Quantum Spark Gateway using Remote Access VPN.

  2. The SAML portal of the Quantum Spark Gateway redirects the user to the IdP (Microsoft Entra ID) for authentication.

  3. The IdP asks the user for credentials according to the policy you configure in the IdP's portal.

    For example, you can configure Single Sign-On (SSO) to recognize that a user is already signed in, or require Two-Factor Authentication (2FA).

  4. The IdP authenticates the user and sends a SAML assertion to the user's web browser.

  5. The user's web browser sends the SAML assertion to the Quantum Spark Gateway.

  6. The Quantum Spark Gateway validates the SAML assertion and allows the remote user to access internal resources.

Known Limitations

  • Only one IdP configuration is supported.

    For example, if your organization has two Microsoft Entra ID accounts, you can only use one of them as a SAMLIdentity Provider

  • This feature supports only IPsec VPN clients.

  • All Remote Access VPN users and endpoint computers must be configured in an Identity Provider for authentication.

    This applies to managed endpoint computers and non-managed endpoint computers.

  • In the SAML-based authentication flow, the Identity Provider issues the SAML ticket after one or multiple verification activities.

  • SAML authentication cannot be configured with more authentication factors in the same login option.

    The Machine Certificate Authentication option is supported.

    To use Multiple Factor Authentication, configure the external Identity Provider to have multiple verification steps.

    The complexity and number of verification activities depends on the configuration of the Identity Provider.

  • For Windows and macOS endpoint computers or appliances (managed and non-managed), Check PointRemote Access VPN client must be installed.

  • In the security Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase., you can only enforce identities received from remote access SAML authentication at the VPN termination point.

  • Connecting from a CLI to a realm with Identity Provider is not supported.

  • Remote Access VPN client for ATMs is not supported.

  • Secure Domain Logon (SDL) with Identity Provider is not supported.

  • Identity Tags are not supported for Remote Access VPN connections.

Configuration

  1. Use SmartConsole to connect to the Security Management ServerClosed A dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. / relevant Domain Management Server.

  2. From the left navigation panel, click Gateways & Servers.

  3. Open the object of the relevant Quantum Spark Gateway.

  4. In General Properties > Network Security tab, select the IPsec VPN Software Blade.

  5. From the left tree, click IPsec VPN.

  6. In the section This Security Gateway participates in the following VPN communities, click Add.

    The Add this Gateway to Community window opens.

  7. Select the relevant Remote Access VPN community.

  8. Click OK.

  9. From the left tree, expand the VPN Clients > click Remote Access > select Support Visitor Mode.

  10. From the left tree, click VPN Clients > click Office Mode > select Allow Office Mode > select the relevant Office Mode Method.

  11. Click OK.

    The Quantum Spark Gateway object closes.

  12. Open the Quantum Spark Gateway object.

  13. From the left tree, click VPN Clients > SAML Portal Settings:

    1. Make sure the Main URL field contains the fully qualified domain name (FQDN) of the Quantum Spark Gateway.

    2. Make sure the domain name ends with a DNS suffix registered to your organization.

      Example:

      https://MyGateway1.mycompany.com/saml-vpn

    3. In the Accessibility section, select the relevant settings.

  14. Click OK.

Important - Do this step for each Quantum Spark Gateway that participates in Remote Access VPN

  1. In SmartConsole, from the right navigation panel click New > More > User/Identity > Identity Provider.

    A New Identity Provider window opens.

  2. In the New Identity Provider window, configure these settings:

    1. Enter the applicable name and comment at the top.

    2. In the Gateway field, select the Quantum Spark Gateway to do the SAML authentication.

    3. In the Service field, select Remote Access VPN.

    SmartConsole populates these fields automatically:

  3. Configure the SAML application on the Identity Provider's website.

    Important - Do not close the New Identity Provider window in SmartConsole while you configure the SAML application on the Identity Provider's website.

    Note - Depending on your Identity Provider, you may need to purchase a premium subscription to use the features necessary to configure SAML for Remote Access VPN.

    Follow the Identity Provider's instructions.

    1. Copy the values of the Identifier (Entity ID) and Reply URL fields from the SmartConsole New Identity Provider window and enter them in the relevant fields on the Identity Provider's website.

    2. Make sure you configure the Identity Provider to send the authenticated username in the email format "alias@domain".

      Important - The primary email address for a user must be the same in the on-premises LDAP directory and in the user directory of the Identity Provider. This email address must be unique.

    3. Optional: To receive the Identity Provider's groups where users are defined, configure the Identity Provider to send the group names as values of the attribute "group attr".

    4. Before you complete the configuration, get this information from the Identity Provider:

      • Entity ID - A URL that uniquely identifies the application.

      • Login URL - A URL to use the application.

      • Certificate - For secure communication between the Quantum Spark Gateway and the Identity Provider.

      Note - Some Identity Providers provide this information in a metadata XML file.

  4. In the New Identity Provider window, in the Data received from the SAML Identity Provider section, select one of these options:

    • Import the Metadata File

      Click Import From File and select the metadata file from your Identity Provider.

    • Insert Manually

      1. Enter the Identifier (Entity ID) and the Login URL you copied from the Identity Provider.

      2. Click Import from File and select the Certificate File from the Identity Provider.

        Note - The Identity Provider object in SmartConsole does not support the import of a RAW Certificate.

  1. From the left navigation panel, click Manage & Settings.

  2. From the left tree, click Blades.

  3. In the Mobile Access section, click Configure in SmartDashboard.

    Legacy SmartDashboard opens.

  4. In the lower left pane, click the Users tab.

  5. In the Users tab, right-click on an empty space and select New > External User Profile > Match all users.

  6. Configure the External User Profile properties:

    1. On the General Properties page:

      • In the External User Profile name field, make sure the default name is generic*.

      • In the Expiration Date field, enter the date.

    2. On the Authentication page, from the Authentication Scheme drop-down list, select Undefined.

    3. On the Location, Time, and Encryption pages, configure the relevant settings.

    4. Click OK.

  7. From the top toolbar, click Menu (top left button) > File > Update.

  8. Close Legacy SmartDashboard.

  9. In SmartConsole, install the Access Control Policy.

  1. From the left navigation panel, click Gateways & Servers.

  2. Open the relevant Quantum Spark Gateway object.

  3. From the left tree, expand VPN Clients > click Authentication.

  4. Clear the checkbox Allow older clients to connect to this gateway.

  5. In the section Multiple Authentication Clients Settings, add a new object (click Add > click New) or edit an existing object (click Edit).

    The Remote Access client shows the authentication methods in the order shown in this section.

    For more information about Multiple Authentication Clients, see the R81.10 Remote Access VPN Administration Guide > Section "User and Client Authentication for Remote Access".

  6. In the Multiple Login Options window:

    1. From the left tree, click Login Option.

      • In the General Properties section:

        • In the Name field, enter the name of the object in the database.

        • In the Display Name field, enter the name that appears in the Multiple Authentication Clients Settings table and Security Gateway portals.

      • In the Authentication Methods section:

        1. In the section Authentication Factors, select Identity Provider.

        2. Click the "+" button > select the Identity Provider object.

        3. Click OK.

      Note - For Remote Access Multiple Entry Point (MEP), you must configure the same Login Option on all Security Gateways that participate in MEP.

      Make sure to add all the Identity Provider objects (one per Security Gateway) to a dedicated Login Option.

    2. From the left tree, click User Directories.

      1. Select Manual configuration.

      2. Select External User profiles.

    3. Click OK.

  7. In the Quantum Spark Gateway object, click OK.

  8. Publish the SmartConsole session.

  9. Configure the required settings in the management database:

    1. Optional: As a Best Practice, install the Access Control Policy.

      The Management Server creates a revision snapshot.

      You can revert to this revision snapshot if you make mistakes in manual database configurations or if you want to remove SAML Support for Remote Access VPN.

      Refer to:

    2. Close all SmartConsole windows.

      Note - To make sure there are no active sessions, run the "cpstat mg" command in the Expert mode on the Security Management Server / in the context of each Domain Management Server.

    3. Connect with the Database Tool (GuiDBEdit Tool) to the Security Management Server / applicable Domain Management Server.

    4. In the top left pane, go to Table > Network Objects > network_objects.

    5. In the top right pane, select the Security Gateway object.

    6. Press the CTRL + F keys (or go to the Search menu > click Find) > paste realms_for_blades > select Match whole string only > click Find Next.

    7. Below realms_for_blades, select the attribute vpn and examine only its inner attributes.

    8. Below the directory attribute > the fetch_options attribute, look for these attributes:

      • do_generic_fetch

      • do_internal_fetch

      • do_ldap_fetch

      • fetch_type

      If these attributes do not appear, then right-click the attribute fetch_options > click Edit > do not change anything > click OK (do not make any changes).

    9. Configure the required settings:

      • If you use an on-premises Active Directory (LDAP):

        1. Below the attribute fetch_options - If the current value of the attribute do_generic_fetch is not false, then right-click the attribute do_generic_fetch > click Edit > select the value false > click OK.

        2. Below the attribute directory - Right-click the attribute UserLoginAttr > click Edit > select the value mail > click OK.

      • If you do not use an on-premises Active Directory (LDAP):

        1. Below the attribute fetch_options - If the current value of the attribute do_internal_fetch is not false, then right-click the attribute do_internal_fetch > click Edit > select the value false > click OK.

        2. Below the attribute fetch_options - If the current value of the attribute do_ldap_fetch is not false, then right-click the attribute do_ldap_fetch > click Edit > select the value false > click OK.

    10. Right-click the attribute fetch_type > click Edit > select the value fetch_options > click OK.

    11. Do steps (c)-(j) again for all applicable Security Gateways.

    12. Save all changes (click the File menu > click Save All).

    13. Close the Database Tool (GuiDBEdit Tool).

  10. Use SmartConsole to connect to the Security Management Server / relevant Domain Management Server.

  11. Download a script to the Management Server.

    1. Download this script to your computer.

    2. Make sure that the Security Gateways have the necessary Jumbo Hotfix Accumulators installed. See Requirements.

    3. Copy the script from your computer to the Management Server.

      Note - If you copy a file over SCP to the Management Server, the user that connects must have the default shell /bin/bash in Gaia OS.

    4. Connect to the command line on the Management Server.

    5. Log in to the Expert mode.

    6. On a Multi-Domain Server, go to the main MDS context:

      mdsenv

      Note - On a Multi-Domain Server, if you do not want to enable SAML in all existing domains, document the UIDs of each domain.

      Run:

      mgmt_cli show domains

    7. Go to the directory where you uploaded the script.

      Assign the execution permissions to the script:

      chmod u+x allow_VPN_RA_for_R8040_and_above_gateways_V2.sh

      Run the script (the first argument must be "1"):

      /allow_VPN_RA_for_R8040_and_above_gateways_V2.sh 1

      Note - If the Management API is configured using a TCP port that is not the default port 443 (see output of the "api status" command), then do one of these:

      • Add the port number as the second argument in the script:

        ./allow_VPN_RA_for_R8040_and_above_gateways.sh 1 <Apache Port Number>

      • Add "--port <Apache Port Number>" in the syntax of each "mgmt_cli" command in this script.

    8. When the script prompts you to enter your user name and password, enter your SmartConsole credentials.

    9. When the script prompts you to enter a Domain UID:

      • To enable SAML on one of the domains of a Multi-Domain Server, enter the UID of the domain (to see the UID, run "mgmt_cli show domains").

      • In other cases, or to enable SAML in all domains, leave the prompt empty and press Enter.

  12. In SmartConsole, install the Access Control Policy on each Security Gateway.

  1. Install Remote Access VPN clients for Windows or for macOS.

    For more information, see sk172909.

  2. Optional: Configure the Identity Provider browser mode.

    By default, the Windows client uses its embedded browser, and the macOS client uses the Safari browser to prove its identity in the Identity Provider's portal.

    Configuring Remote Access VPN client for Windows to use the endpoint computer's default browser (example: Chrome):

    Note - This configuration is supported starting from Remote Access VPN client for Windows version E87.30.

    1. Log in to the Windows endpoint computer as an Administrator.

    2. Edit the trac.defaults file in a plain text editor.

      • On 64-bit Windows, the file location is:

        %ProgramFiles(x86)%\CheckPoint\Endpoint Connect\trac.defaults

      • On 32-bit Windows, the file location is:

        %ProgramFiles%\CheckPoint\Endpoint Connect\trac.defaults

    3. Change the value of the "idp_browser_mode" attribute from "embedded" to "default_browser".

    4. Save the changes in the file and close the text editor.

    5. Stop the Remote Access VPN client and start it again.

      Open the Windows Command Prompt as and Administrator and run these commands:

      1. net stop TracSrvWrapper

      2. net start TracSrvWrapper

    Configuring Remote Access VPN client for macOS to use the endpoint computer's default browser (example: Chrome):

    Note - This configuration is supported starting from Remote Access VPN client for macOS version E87.30.

    1. Log in to the macOS endpoint computer as an Administrator.

    2. Open a plain-text editor.

    3. Edit the trac.defaults file in a plain text editor:

      /Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/Trac.defaults

    4. Change the value of the "idp_browser_mode" attribute from "embedded" to "default_browser".

    5. Save the changes in the file and close the text editor.

    6. Stop the Remote Access VPN client and start it again.

      Open the Terminal and run these commands:

      1. sudo launchctl stop com.checkpoint.epc.service

      2. sudo launchctl start com.checkpoint.epc.service

    Configuring Remote Access VPN client for Windows to use the Internet Explorer browser:

    1. Log in to the Windows endpoint computer as an Administrator.

    2. Edit the trac.defaults file in a plain text editor.

      • On 64-bit Windows, the file location is:

        %ProgramFiles(x86)%\CheckPoint\Endpoint Connect\trac.defaults

      • On 32-bit Windows, the file location is:

        %ProgramFiles%\CheckPoint\Endpoint Connect\trac.defaults

    3. Change the value of the "idp_browser_mode" attribute from "embedded" to "IE".

    4. Save the changes in the file and close the text editor.

    5. Stop the Remote Access VPN client and start it again.

      Open the Windows Command Prompt as an Administrator and run these commands:

      1. net stop TracSrvWrapper

      2. net start TracSrvWrapper

    Configuring the browser mode for a Windows endpoint computer in a configuration file on the Remote Access VPN Gateway:

    Starting from Remote Access VPN Client for Windows version E88.41, you can configure the browser mode for the endpoint computer in a configuration file on the Remote Access VPN Gateway.

    The "idp_browser_mode" parameter in the trac_client_1.ttm file controls the browser mode. For more information, see sk75221.

Authorization is for these types of groups:

  • Identity Provider groups - The groups the Identity Provider sends.

  • Internal groups - The groups that are received from User Directories configured in SmartConsole (internal user groups or LDAP groups).

To configure the Identity Provider groups:

  1. In the Identity Provider's interface, configure a SAML attribute:

    1. Define an optional attribute named group_attr.

    2. Configure the attribute according to the Identity Provider's requirements.

  2. In SmartConsole, create an internal User GroupClosed A collection of objects, such as user accounts, with shared attributes. object with this name (case-sensitive, spaces are not supported):

    EXT_ID_<Name_of_Role>

    For example, for a role in the Identity Provider's interface with the name my_group, create an internal User Group object in SmartConsole with the name EXT_ID_my_group.

    Note - In Microsoft Azure, Identity Tags are not supported for Remote Access connections.

Identity Provider groups and Internal groups (example: LDAP) are used for authorization.

Authorization types: Remote Access VPN Community and Access Roles

  • Remote Access VPN Community - Grants users access to Remote Access VPN.

    For more information, see the R81.10 Remote Access VPN Administration Guide > Section "User and Client Authentication for Remote Access".

  • Access Roles (requires the Identity Awareness Software Blade) - Grants access to users according to policy rules and user identities.

    For more information, see the R81.10 Identity Awareness Administration Guide > Chapter "Configuring Identity Awareness" > Section "Creating Access Roles".

To apply authorization by Remote Access VPN, add the applicable group to the Remote Access VPN.

To apply authorization by Access Roles, add the applicable group to an Access Role in the Access Control Policy.