https://community.checkpoint.com/t5/Endpoint/Check-Point-VPN-Remote-Access-Azure-AD-LDAP-Groups-Not-Assigned/m-p/244562#M10362 <P>Hello! Did you create the specific App role in Azure? After that, you have to create a local group following the EXT_ID_&lt;role_name&gt;</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="azure_ad.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30010i7C2267555CB87021/image-size/medium?v=v2&amp;px=400" role="button" title="azure_ad.png" alt="azure_ad.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="azure_ad_4.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30008i1887D4C62211E17C/image-size/medium?v=v2&amp;px=400" role="button" title="azure_ad_4.png" alt="azure_ad_4.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="azure_ad_2.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30009iC790EEA8E3D179AF/image-size/medium?v=v2&amp;px=400" role="button" title="azure_ad_2.png" alt="azure_ad_2.png" /></span></P><P>BR</P> Mon, 24 Mar 2025 10:49:27 GMT delToro1 2025-03-24T10:49:27Z https://community.checkpoint.com/t5/Endpoint/Check-Point-VPN-Remote-Access-Azure-AD-LDAP-Groups-Not-Assigned/m-p/244556#M10361 <P class="">Hi all,</P><P class="">I'm running into an issue with <STRONG>Check Point Remote Access VPN</STRONG> authentication via <STRONG>Azure AD (SAML)</STRONG>. Users can successfully authenticate and establish a VPN session, but they are always assigned to the default <STRONG>"All Users"</STRONG> group. The <STRONG>LDAP groups from Active Directory are not being applied</STRONG>, even though the users are members of the appropriate AD groups (e.g., VPN_Users_AD).</P><P class="">&nbsp;</P><UL><LI><P class="">Remote Access VPN is working with Azure AD / SAML authentication</P></LI><LI><P class="">On the Check Point Gateway:</P><UL><LI><P class=""><STRONG>Identity Awareness</STRONG> is enabled</P></LI><LI><P class=""><STRONG>Identity Collector</STRONG> is installed and shows connected (DCs, users, etc.)</P></LI><LI><P class=""><STRONG>LDAP Account Unit</STRONG> is configured and working (can browse AD users/groups)</P></LI></UL></LI><LI><P class="">Identity Sources include Remote Access and Identity Collector</P><P class="">What else can I check to ensure that <STRONG>LDAP group membership from AD is correctly assigned</STRONG> to users logging in via Remote Access VPN (Azure AD)?</P><P class="">Is there a known limitation with SAML-based logins and LDAP group resolution?</P><P class="">Thanks in advance for any insights or suggestions!</P></LI></UL><P>&nbsp;</P> Mon, 24 Mar 2025 10:09:24 GMT https://community.checkpoint.com/t5/Endpoint/Check-Point-VPN-Remote-Access-Azure-AD-LDAP-Groups-Not-Assigned/m-p/244556#M10361 Gacki 2025-03-24T10:09:24Z https://community.checkpoint.com/t5/Endpoint/Check-Point-VPN-Remote-Access-Azure-AD-LDAP-Groups-Not-Assigned/m-p/244562#M10362 <P>Hello! Did you create the specific App role in Azure? After that, you have to create a local group following the EXT_ID_&lt;role_name&gt;</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="azure_ad.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30010i7C2267555CB87021/image-size/medium?v=v2&amp;px=400" role="button" title="azure_ad.png" alt="azure_ad.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="azure_ad_4.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30008i1887D4C62211E17C/image-size/medium?v=v2&amp;px=400" role="button" title="azure_ad_4.png" alt="azure_ad_4.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="azure_ad_2.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30009iC790EEA8E3D179AF/image-size/medium?v=v2&amp;px=400" role="button" title="azure_ad_2.png" alt="azure_ad_2.png" /></span></P><P>BR</P> Mon, 24 Mar 2025 10:49:27 GMT https://community.checkpoint.com/t5/Endpoint/Check-Point-VPN-Remote-Access-Azure-AD-LDAP-Groups-Not-Assigned/m-p/244562#M10362 delToro1 2025-03-24T10:49:27Z https://community.checkpoint.com/t5/Endpoint/Check-Point-VPN-Remote-Access-Azure-AD-LDAP-Groups-Not-Assigned/m-p/244565#M10363 <P class="">In the Remote Access VPN configuration, I see user groups like:</P><UL><LI><P class="">EXT_ID_Administradores_VPN_CheckPoint</P></LI><LI><P class="">EXT_ID_VPN_CheckPoint</P></LI></UL><P class="">These are listed under <STRONG>Participant User Groups</STRONG> (see screenshot).</P><P class=""><STRONG>Are these groups directly mapped to Azure Entra ID (Azure AD) groups?</STRONG><BR />Or are they just internal Check Point objects that need to be manually linked to LDAP or SAML attributes?</P><P class="">Trying to understand if these are automatically synced from Azure, or if I need to create and manage the mapping myself.</P> Mon, 24 Mar 2025 11:00:06 GMT https://community.checkpoint.com/t5/Endpoint/Check-Point-VPN-Remote-Access-Azure-AD-LDAP-Groups-Not-Assigned/m-p/244565#M10363 Gacki 2025-03-24T11:00:06Z https://community.checkpoint.com/t5/Endpoint/Check-Point-VPN-Remote-Access-Azure-AD-LDAP-Groups-Not-Assigned/m-p/244569#M10364 <P>These are local groups, that are mapped with de EntraID groups. See the step 6 in the documetation:</P><P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/SAML-Support-for-Remote-Access-VPN.htm?Highlight=SAML#" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/SAML-Support-for-Remote-Access-VPN.htm?Highlight=SAML#</A></P><DIV class="">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="azure_ad_5.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30011i0D1E115DF0FA3405/image-size/medium?v=v2&amp;px=400" role="button" title="azure_ad_5.png" alt="azure_ad_5.png" /></span></P><P> </P><P>On the other hand, you have to configure the SAML attribute "group_attr" for the mapping</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="azure_ad_7.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30012i3569709588838AFA/image-size/medium?v=v2&amp;px=400" role="button" title="azure_ad_7.png" alt="azure_ad_7.png" /></span></P><P> BR</P> Mon, 24 Mar 2025 11:11:35 GMT https://community.checkpoint.com/t5/Endpoint/Check-Point-VPN-Remote-Access-Azure-AD-LDAP-Groups-Not-Assigned/m-p/244569#M10364 delToro1 2025-03-24T11:11:35Z