topic Re: Identity Awareness with EntraID roles and policy enforcement in Firewall and Security Management

Identity Awareness with EntraID roles and policy enforcement

Ave_Joe — Thu, 16 Jan 2025 22:05:30 GMT

I have a requirement to evaluate moving Identity Awareness (IA) from a traditional on-premises Active Directory implementation to an IdP setup using EntraID. I’ve tested the IdP creation process and successfully configured the gateway to use EntraID SAML SSO for the Captive Portal. However, I’ve encountered an issue where any rules referencing roles based on EntraID groups fail to match.

It appears that the gateway is not retrieving EntraID group membership when a user authenticates. I’ve reviewed the Identity Awareness configuration guide multiple times, but something seems to be missing in the process to enforce policies based on IdP roles.

Use Case Example:

Group Setup: In EntraID, there is a group named Internet_Access. Users in this group should have full Internet access, while users not in the group should be restricted to accessing white-listed sites.
Rule Setup: I created a rule that uses a role based on the EntraID group Internet_Access. However, users are not matching the rule.
Issue Observed: In the log entries for Identity Awareness Successful Login, the Source User Group and Roles fields do not show any entries for EntraID groups.

It seems like simply following the "Using Azure AD for Authorization" section in the IA admin guide does not achieve the desired outcome.

Request for Guidance:

Has anyone successfully configured policy enforcement using IdP-based roles with EntraID? Are there any additional steps, settings, or troubleshooting methods that might resolve this issue?

For reference, I’ve opened a TAC case to have the configuration reviewed, but I wanted to check here to see if anyone else has encountered and resolved a similar issue.

Thank you in advance for your assistance!

Re: Identity Awareness with EntraID roles and policy enforcement

PhoneBoy — Fri, 17 Jan 2025 14:51:33 GMT

Have you created the relevant EXT_ID_ groups on the Check Point side?
For example, there should be EXT_ID_Internet_Access.

Re: Identity Awareness with EntraID roles and policy enforcement

Ave_Joe — Fri, 17 Jan 2025 15:50:00 GMT

Hello PhoneBoy.

That must be the missing step in the process. Is there any documentation or a SecureKnowledge (SK) article that specifically covers this aspect from an Identity Awareness/Captive Portal perspective? I haven’t been able to find anything relevant so far.

The Identity Awareness Administration Guide provides details on how to create the IdP, but it doesn’t include sufficient information on how to use the IdP in policy enforcement. Perhaps this information is covered in a different document?

Thanks.

Re: Identity Awareness with EntraID roles and policy enforcement

PhoneBoy — Fri, 17 Jan 2025 16:02:53 GMT

It would help to know what documentation you've followed so far and what you've configured to try and associate the Entra ID groups.
The need for EXT_ID_ groups are documented here (among other places): https://support.checkpoint.com/results/sk/sk177267
It says Remote Access, but it certainly won't hurt even if RA isn't involved.

Re: Identity Awareness with EntraID roles and policy enforcement

Ave_Joe — Fri, 17 Jan 2025 17:52:48 GMT

I will take a look at that SK.

Here is the link to the Identity Awareness doc that I was following.

Using Azure AD for Authorization

Cheers!

Re: Identity Awareness with EntraID roles and policy enforcement

Ave_Joe — Mon, 20 Jan 2025 14:24:36 GMT

Over the weekend I went through the video "Using Azure AD for Authorization" again. I cleared out all that was done previously and started over. The video does not mention anything about the process of using EXT_ID_. It demonstrates that you simply choose the EntraID group in the picker as the Source and turn on the Captive Portal option in the Accept action column.

After following the video my test user can authenticate to the Captive Portal using the IdP but can not access the Internet. The user does not match the rule that references the EntraID group.

src	dst	action
Internet Access Group (EntraID object)	Internet	Accept with Captive Portal option selected

When the test user authenticates to the Captive Portal I don't see any roles in the log entry that matches AzureAD groups.

Prior to redoing everything I did look at SK177267 and ran some tests but that did not work either.

Hopefully working with the TAC will get it sorted.

Re: Identity Awareness with EntraID roles and policy enforcement

PhoneBoy — Mon, 20 Jan 2025 21:35:44 GMT

I assume "Internet Access Group" is actually an Access Role object?