topic Re: SAML authentication stops working after FW Upgrade / Fresh Install in Firewall and Security Management

SAML authentication stops working after FW Upgrade / Fresh Install

Thomas_Eichelbu — Thu, 07 Mar 2024 09:42:41 GMT

Hello Check Mates,

we have seen on three occasions that the SAML authentication method fails for Client VPN after upgrading to a new Jumbo or reinstalling the gateway from scratch (fresh install).
Reason for our fresh install was to get rid of the ext3 filesystem which we have on very old and long running firewalls.

since we rely on special custom hotfixes we are stuck to run at R81.10 HFA 110

we get this error message:

The error lookalike depends on how the embedded browser is built into the VPN Client, sometimes its the full browser which shows and error, sometimes the browser is embedded into the VPN client itself.

It is very hard to restore the SAML login option.
Its more like a guessing game to remove the SAML authentication from the gateway, push policy again and adding SAML again. or do many reboot or fail overs. I cannot really say what brings it back ... its more a random success to have the SAML portal working again.

anyone from the audience has seen this before?
since it struck us 3 times now, i think there is indeed a systemic reason behind it.

after some discoveries i found some interessting hints:
i see way too little Multiportals running ???

active member with broken SAML portal	working member set to standby to check behavior
[Expert@XXXY1:0:ACTIVE]# mpclient list DLPSenderPortal SecurePlatform UserCheck nac nac_transparent_auth saml-vpn	[Expert@XXXZ2:0:STANDBY]# mpclient list DLPSenderPortal ExchangeRegistration ReverseProxyClear ReverseProxySSL SecurePlatform UserCheck nac nac_transparent_auth saml-vpn sslvpn

when i check if the paths for the SAML portal do exist ... i get disappointed on the newly installed active member they missing, also some directories are not there.

path is:
https://XXXXX.ZZZZ.com/saml-vpn/spPortal/ServiceProviderTabs?realm=vpn_XXXXX_SAML&session=6i7hz9koxbtzm3t

[Expert@XXXY1:0:ACTIVE]# find / -name ServiceProvider\*
/opt/CPSamlPortal/htdocs/spPortal/ServiceProvider
/opt/CPSamlPortal/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProvider.php
/opt/CPSamlPortal/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProviderAware.php
/opt/CPSamlPortal/spPortal_BEFORE_R81_10_jumbo_hf_main/htdocs/spPortal/ServiceProvider
/opt/CPSamlPortal/spPortal_BEFORE_R81_10_jumbo_hf_main/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProvider.php
/opt/CPSamlPortal/spPortal_BEFORE_R81_10_jumbo_hf_main/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProviderAware.php

[Expert@XXXZ2:0:STANDBY]# find / -name ServiceProvider\*
/opt/CPSamlPortal/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProvider.php
/opt/CPSamlPortal/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProviderAware.php
/opt/CPSamlPortal/htdocs/spPortal/ServiceProvider
/opt/CPSamlPortal/htdocs/spPortal/ServiceProviderTabs
/opt/CPSamlPortal/spPortal_BEFORE_R81_10_jumbo_hf_main/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProvider.php
/opt/CPSamlPortal/spPortal_BEFORE_R81_10_jumbo_hf_main/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProviderAware.php
/opt/CPSamlPortal/spPortal_BEFORE_R81_10_jumbo_hf_main/htdocs/spPortal/ServiceProvider
/opt/CPSamlPortal/spPortal_BEFORE_R81_10_jumbo_hf_main/htdocs/spPortal/ServiceProviderTabs

so it seems the directories and files to run the SAML portal where just not created ... how come?
TAC has to be involved ...

best regards

Re: SAML authentication stops working after FW Upgrade / Fresh Install

NiladriSarkar — Thu, 07 Mar 2024 16:33:53 GMT

We have experienced the same issue with after we upgraded a AWS GEO cluster from r80.40 to r81. We have a case open with TAC.

The second scenario is for Maestros.. initially it was running on r81.10 take 95 + custom fix for SAML.

After upgrade to take 132 ( which required the custom fix to be uninstalled ) SAML is broken/firewall cannot be accessed using GUI, and there are issues with IPsec tunnel rekey. case is open with TAC for this as well.

Re: SAML authentication stops working after FW Upgrade / Fresh Install

Thomas_Eichelbu — Thu, 07 Mar 2024 16:42:16 GMT

Hello yes understood.
well TAC is already working on it ... iam confident they will find it 🙂

also check this SK sk181971 but its for Error 400 and not Error 404.
i suspect i could easily transfer the folders from the working FW to the broken FW. but i want a solid hotfixes and explanation.

Re: SAML authentication stops working after FW Upgrade / Fresh Install

alannnnnnn — Thu, 07 Mar 2024 19:20:41 GMT

Same "Not Found" issue after upgrading to 81.10.

I noticed ServiceProvider changed to ServiceProviderTabs in the URL.

Re: SAML authentication stops working after FW Upgrade / Fresh Install

CheckPointerXL — Mon, 11 Mar 2024 18:03:12 GMT

I had same problem after fresh install + take 130

The fix is: uninstall JHF, install an intermediate JHF (in my case #78), then upgrade to latest JHF

Re: SAML authentication stops working after FW Upgrade / Fresh Install

Thomas_Eichelbu — Thu, 14 Mar 2024 10:02:30 GMT

Hello,

TAC mentioned, this issue is known as : PRHF-33044.
if required they will build a custom fix for you.
if it affects a R81.20 fresh install is still under investigation!

best regards

Re: SAML authentication stops working after FW Upgrade / Fresh Install

Thomas_Eichelbu — Thu, 28 Mar 2024 16:14:14 GMT

Hello,

TAC finally solved it ...
PRHF-33044 is the Bug ID
the issue seemed to start with HFA113, which breaks some files in /opt/CPSaml file structure.

Fresh install with R81.10
install HFA in HFA 129 in my case
Install custom fix provided by TAC for HFA129
SIC + Policy Push
and SAML is working again ...

i hope they integrate it into the next GA HFA ...
otherwise you can do it manually:

backup of both directories
and copy the good files to the affected FW.
scp -rp /opt/CPSamlPortal/* admin@XXXXX:/opt/CPSamlPortal

Re: SAML authentication stops working after FW Upgrade / Fresh Install

I_Santos — Thu, 28 Mar 2024 19:54:17 GMT

Yes, I did use "Fresh Install and Upgrade feature" to upgrade from R81.10 take 130 to R81.20 and I got the same issue. I had to rollback the upgrade.

Re: SAML authentication stops working after FW Upgrade / Fresh Install

CheckPointerXL — Thu, 28 Mar 2024 21:08:05 GMT

For anyone interested to fix the issue without the custom fix, i suggest the previous workaround:

-clean install 81.10

-install JHF 78

-Install latest JHF

Re: SAML authentication stops working after FW Upgrade / Fresh Install

TWESTELYNCK — Mon, 24 Jun 2024 14:59:50 GMT

Hello Thomas,

It seems that we encounter the same issue as yours with the broken SAML Portal (404 on connection attempts).

Our SG cluster is in R81.10 with Hotfix 139.

The current CPSamlPortal structure is as follows:

[Expert@PROXIMA:0]# find / -name ServiceProvider\* /opt/CPSamlPortal/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProvider.php /opt/CPSamlPortal/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProviderAware.php /opt/CPSamlPortal/spPortal_BEFORE_R81_10_jumbo_hf_main/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProvider.php /opt/CPSamlPortal/spPortal_BEFORE_R81_10_jumbo_hf_main/phpincs/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Configuration/ServiceProviderAware.php /opt/CPSamlPortal/spPortal_BEFORE_R81_10_jumbo_hf_main/htdocs/spPortal/ServiceProvider /opt/CPSamlPortal/htdocs/spPortal/ServiceProvider

As we only have one cluster with the same broken SAML structure, we don't have the possibility to copy the original files to /opt/CPSamlPortal.

Would you (or any generous soul) be willing to send us these files in order to fix the VPN SAML connection?

Thanks 🙂

Re: SAML authentication stops working after FW Upgrade / Fresh Install

Thomas_Eichelbu — Mon, 24 Jun 2024 15:35:38 GMT

Hello Team,

better use a BLINK image and go to R81.20 directly!
then you should have NO issues!
or downgrade to a hotfix around ~R81.10 HFA 110 and upgrade to to HFA 150 ... then SAML should stay.

also there is a hotfix for this issue!
PRHF-33044
fw1_wrapper_HOTFIX_R81_10_JHF_T129_937_MAIN_GA_FULL.tar
but its R81.10 HFA120
-> reach out to TAC, they shall give you a portfix for your version!

i have no more customer running on R81.10, believe or not .. so i cannot send any files.
what u can also do is to install a GW in a VMware and copy the files as well!

Re: SAML authentication stops working after FW Upgrade / Fresh Install

SenpaiNoticed_U — Tue, 16 Jul 2024 13:22:15 GMT

This is the SK in reference for fw1_wrapper_HOTFIX_R81_10_JHF_T129_937_MAIN_GA_FULL.tar

Documented to be fixed R81.10 jhf 152

https://support.checkpoint.com/results/sk/sk182128

Re: SAML authentication stops working after FW Upgrade / Fresh Install

Daniel_Kavan — Mon, 31 Mar 2025 12:18:05 GMT

Thanks, I had SAML working with R81.20 JHF84 and it's not in JHF89. We aren't even getting to the provider link now from the portal. There were some new changes to SAML and also, The Security Gateway may fail to resolve external Network Feeds whose URL contains a port number (such as "https://example.com:8080/feed.csv". Refer to sk182684. maybe it fixed 8080 and broke 8443

Update: we fixed this by changing this attritube in the Identity.xml file:

from "true" to "false" WantAuthnRequestsSigned="false"

This page isn’t working

portal.ssl.somedomain.com is currently unable to handle this request.

Re: SAML authentication stops working after FW Upgrade / Fresh Install

SWBW_Florian — Thu, 30 Jan 2025 13:31:15 GMT

hi there,

i have the same issue at 81.20 on our cluster. i configured the SAML (properly, i hope) but i end with "Not found" as im trying to access it

the link in the adressbar is right so far: mysamldomain.com/spPortal/ServiceProviderTabs?realm=vpn.....

at least the domain is correct, i cant tell anything about the rest built by checkpoint.

Unfortunately i dont have any backup or old stuff laying around to recover some of those maybe missing files.
Could someone upload a zip with the files in it, at least to compare whats missing?

i also checked the error_log of the portal and get those lines:

[Mon Jan 27 13:26:39.274902 2025] [php7:notice] [pid 28000] [client 10628] error SamlPolicyReader: IDP_POLICY_DIRECTORY /opt/CPVPNPortal/phpincs/spPortal __DIR__ /opt/CPSamlPortal/phpincs/spPortal, referer: https://mfax.de/webapps/openid/spPortal/ServiceProviderTabs?realm=vpn_RVDev_MFA&session=cvaq33za55jeezt [Mon Jan 27 13:26:39.275958 2025] [php7:notice] [pid 28000] [client :10628] error allowRealms: 'vpn' is not a SAML realm., referer: https://mfax.de/webapps/openid/spPortal/ServiceProviderTabs?realm=vpn_RVDev_MFA&session=cvaq33za55jeezt

Thanks in advance

Re: SAML authentication stops working after FW Upgrade / Fresh Install

Nüüül — Thu, 30 Jan 2025 13:45:59 GMT

Hello Florian,

When authenticating, I´d start with a small browser extension like "SAML-Tracer" for having a look, what is when called and submitted. Also Browsers Development tools can help in fiddling out, where a problem might be. i.e. if a css file is not "accessible", like in my current case... I´m fighting something similar at the moment

Re: SAML authentication stops working after FW Upgrade / Fresh Install

SWBW_Florian — Thu, 30 Jan 2025 14:42:07 GMT

hy Nüüül and thanks for your hints.

unfortunately the browser isnt doing a lot but opening and showing that "Not Found" stuff. the login procedure isnt started because of that issue

Re: SAML authentication stops working after FW Upgrade / Fresh Install

CheckPointerXL — Fri, 28 Mar 2025 17:34:08 GMT

Hello Floriam

did u fix the problem ?
same logs, same issue

apparently files/direcotry/permission are correct, looking into another working environment

Re: SAML authentication stops working after FW Upgrade / Fresh Install

SWBW_Florian — Mon, 31 Mar 2025 05:29:17 GMT

Hi!

No, unfortunately not. its still not working. we asked our Checkpoint-Service for help on that. They think that it propably could come into account that our used IP-Address is already configured elsewhere in the system (and also not the cluster main IP)

So we ordered a new external IP-Adress and try then to forward 443 to this

i will update the thread if were working it out. If you find anything new feel free to post it here as well

Re: SAML authentication stops working after FW Upgrade / Fresh Install

Ruan_Kotze — Mon, 31 Mar 2025 06:18:10 GMT

This is likely not your issue, as it was working previously, but I had the exact same 404 error, my issue was I had the wrong IDP object assigned to my gateway. VPN Clients -> Authentication -> IDP Auth Provider -> Auth Methods -> Identity Provider - Auth Settings.

My IDP object was pointing to the SAML URL of a different gateway.

Re: SAML authentication stops working after FW Upgrade / Fresh Install

Daniel_Kavan — Mon, 31 Mar 2025 12:19:19 GMT

Hi, RE: the identity file, we changed this attribute from true to false. WantAuthnRequestsSigned="false" We still have to have this in place.