topic Remote Access VPN and EntraID Group Authorization in General Topics

Remote Access VPN and EntraID Group Authorization

FtW64 — Tue, 01 Apr 2025 08:52:10 GMT

Dear community,

I'm trying to get EntraID Group Authorization working for Check Point Remote Access VPN. I've been struggling for quite a while now, but still it doesn't work.

Did I do something wrong, did I forget some steps?

I used several sources (not all of them seem to be complete, do not explain when to apply them, and sometimes they provide conflicting information):

Source: "R81.20 Identity Awareness Administration Guide": the 'Admin Guide'.
Source: A video in the Admin Guide:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide/Content/Topics-IDAG/Azure-AD-Video.htm?tocpath=Identity%20Awareness%20Environment%7C_____12

This video explains how to setup browser-based Identity Awareness. It does not explain how to configure for Remote Access VPN, unfortunately.

Source: A video from Peter Elmer (Check Point): https://www.youtube.com/watch?v=172xGxqQvhI
Source: A video from Chris Martel: https://www.youtube.com/watch?v=yZVB3sJ3fZ8
Source: https://support.checkpoint.com/results/sk/sk179788
Source: https://support.checkpoint.com/results/sk/sk172909

What I did (primarily following the Admin Guide - "SAML Support for Remote Access VPN"):

Requirements are okay: gateway and SMS are running R81.20 JHF 89; latest (March 2025) Android Capsule VPN app.
Configure Remote Access VPN: enable the 'IPSec VPN' blade.
Configure Remote Access VPN: add the gateway to the RemoteAccess VPN Community.
Configure Remote Access VPN: enable Office Mode.
Configure Remote Access VPN: configure SAML Portal Settings ("https://myvpn.mydomain.nl/saml-vpn"); This FQDN resolves to my public gateway IP address.
Configure Remote Access VPN: enabled some clients (to test, I enabled all VPN client types).
Configure Remote Access VPN: enabled Visitor Mode (already enabled by default).
Configure Remote Access VPN: created a 'Match all Users' External User Profile (generic*) in SmartDashboard.
I also moved the Gaia portal out of the way (Platform Portal: https://192.168.100.240:1433/). Verified and tested.
I enabled the 'Identity Awareness' blade, skipped the wizard, and enabled 'Remote Access' as an Identity Source
SmartConsole: Create the Identity Provider object.
EntraID: Create Enterprise App : "Check Point Remote Secure Access" from the gallery.
EntraID "Check Point Remote Secure Access": Single sign-on. Copy/past the 'Identifier (Entity ID)', 'Reply URL' from the SmartConsole Identity Provider object into the SAML settings. Also entered the 'Sign on URL'.
EntraID "Check Point Remote Secure Access": Modified the SAML claim 'Unique User Identifier (Name ID)' to 'user.localuserprincipalname' (as explained in sk183250).
EntraID "Check Point Remote Secure Access": Add the SAML claim 'group_attr' to 'user.assignedroles' (as explained in sk183250). Note that the Admin Guides says: "configure the Identity Provider to send the group names as values of the attribute "group attr"". But all other sources specify 'user.assignedroles'…
EntraID "Check Point Remote Secure Access": export the 'Federation Metadata XML' and import in the SmartConsole Identity Provider object .
EntraID "Check Point Remote Secure Access": add a test group (without spaces) to the Enterprise Application: 'RemoteWorkers'. Add 'myuser@mydomain.nl' to this group as a member.
SmartConsole: configure 'Client VPN authentication' on the gateway object according to the Admin Guide, using the Identity Provider object. Specifically configured 'User Directories' to "Manual configuration" and "External User profiles" (as we do not use an on-premise Active Directory (LDAP)). Note that sk179788 disagrees on this point…. (did not implement sk179778 at this point). I tried sk179778 at a later time, but that did not help either...
SmartConsole/GuiDBEdit: as explained in the Admin Guide:
SmartConsole: Create an Internal User Group, matching the name of the group in EntraID exactly (case sensitive): 'EXT_ID_RemoteWorkers'. Note that the Admin Guide tells me to prepend the group name with "EXT_ID_", but the video from Peter Elmer does not mention this… I followed the Admin Guide.
SmartConsole: create an Access Role, adding the Internal User Group as 'Specific users/group' under 'Users'. Create an Access Rule using this Access Role object as source.

RESULTS:

I can successfully setup a Remote Access (client) VPN using the Android Capsule app.
I can successfully login, using my EntraID credentials (myuser@mydomain.nl). So, SAML authentication works!
Matched or dropped traffic from my VPN is tagged with 'Source User Name = myuser@mydomain.nl' in the logs.
The log viewer 'Log In' event (Mobile Access), says: User Groups: "This user doesn't belong to any group". Not sure if this is to be expected…
On the gateway:

# pdp m a on
…
Users:
 myuser@mydomain.nl {2d3c782f}
   LogUsername: myuser@mydomain.nl
   Groups: All Users
   Roles: -
   Client Type: Remote Access
…

It seems that my test group is not 'found', and I am assigned only to the 'All Users' group. My Access Role object doesn't match, and I cannot send traffic through my access rule. I would have expected: "Groups: All Users;RemoteWorkers" and "Roles: MyAccessRole".

If I create an Access Role object with 'Users' set to 'Any users' (RemoteUsers_ALL), then I get this:

# pdp m a on
…
Users:
 myuser@mydomain.nl {2d3c782f}
   LogUsername: myuser@mydomain.nl
   Groups: All Users
   Roles: RemoteUsers_ALL
   Client Type: Remote Access
…

And I can send VPN traffic, if I use this Access Role object as source in an Access Rule.

If I add the Internal User Group to the RemoteAccess VPN Community, authentication fails as well (unable to login using Capsule).

Peter Elmer (video) also tells me to edit the Manifest (which seems to be identical to just add 'App Roles' to the EntraID application… So, I tried this as well. This didn't work either…

I'm at my wits end, thanks in advance for any suggestions,

-Frank

Re: Remote Access VPN and EntraID Group Authorization

Nüüül — Tue, 01 Apr 2025 11:21:04 GMT

check the SAML attributes transferred.

can be done with browser plugins like saml-tracer / saml-tracker

i.e. https://addons.mozilla.org/de/firefox/addon/saml-tracer/

Start the extension, then logon to vpn again.

Then there should come up something like the first attached picture. click on the first line stating "SAML" and see on the other tab the SAML parameters.

I´d guess, there is something wrong with the attributes transfered.

Re: Remote Access VPN and EntraID Group Authorization

FtW64 — Tue, 01 Apr 2025 12:51:51 GMT

Hi Nüüül,

Thanks for your suggestion. I switched from Android to Windows and used the SAML tracer. It seems indeed that the 'group_attr' attribute is missing in the last SAML conversations. At least, I'm assuming here that this attribute is used by the VPN gateway?

Re: Remote Access VPN and EntraID Group Authorization

Nüüül — Tue, 01 Apr 2025 13:01:05 GMT

Yes, this will be used by the gateway.

EntraID "Check Point Remote Secure Access": Add the SAML claim 'group_attr' to 'user.assignedroles' (as explained in sk183250). Note that the Admin Guides says: "configure the Identity Provider to send the group names as values of the attribute "group attr"". But all other sources specify 'user.assignedroles'…

in Entra you can configure, what to send with the group attribute "group_attr". Especially when not using local ldap sources.

For an example see attachement

The group will have to be matched on Check Point side (group named EXT_ID_<groupname>, which then is member of an access role)

Re: Remote Access VPN and EntraID Group Authorization

FtW64 — Tue, 01 Apr 2025 14:20:05 GMT

I configured the group_attr claim/attribute as described in your screen shot.

But in the SAML attributes we still do not see 'group_attr'. We also tried refreshing the XML meta data to the Identity Provider object, but this didn't help either. For some reason EntraID refuses to send the group_attr attribute...

This is what we configured on EntraID in the Enterprise App (see image).

Also note that we configured the Unique User Identifier (Name ID) as user.localuserprincipalname (as per the documentation).

Re: Remote Access VPN and EntraID Group Authorization

Nüüül — Tue, 01 Apr 2025 14:26:11 GMT

Would remove the filtering (Filter Group) for the first step.

Is the application mapped to your user group aa_cp..? As there is enabled "Groups assigned to application"

Also - nested groups are not supported, so your group would have to be mapped to the application and your user must be a direct member of the group.

we can have a short session tomorrow afternoon and have a look together, if you want to - just send me a private message

Re: Remote Access VPN and EntraID Group Authorization

FtW64 — Tue, 01 Apr 2025 14:56:33 GMT

YES!!! I've got it working. I disabled the filter and now we get a group_attr with the value:

<Attribute Name="group_attr"> 
  <AttributeValue>aa_cp_vpn_test_frank</AttributeValue> 
</Attribute>

Not sure why the filter blocked the group. Also: if there are no matching groups, the attribute is not sent from the IdP (I kind of expected an empty attribute...).

I'd like to thank you VERY MUCH for your help.

I would like to urge Check Point to update their documentation and give some more explanation to just: 'add the group_attr claim/attribute' :-).

Re: Remote Access VPN and EntraID Group Authorization

JacWev — Mon, 23 Feb 2026 08:13:25 GMT

Great to hear... I've one question. How to change the setting with guidbedit if you have Smart-1 Cloud. I can't validate to with guidbedit to the cloud instance.

Jaco Wevers

Re: Remote Access VPN and EntraID Group Authorization

PhoneBoy — Mon, 23 Feb 2026 20:21:35 GMT

TAC might have to do it for you.

Re: Remote Access VPN and EntraID Group Authorization

JacWev — Fri, 06 Mar 2026 16:24:43 GMT

Yes PhoneBoy,

I've contacted TAC they changed the settings

Re: Remote Access VPN and EntraID Group Authorization

Kurpeus — Mon, 09 Mar 2026 13:21:16 GMT

Hi All

I'm in a similar scenario. I'm a bit confused about how the authorization part is supposed to work:

I've the SAML authentication working, my EntraID group "ENTRA-RAVPN-USERS" assigned to my Entreprise App is sent via SAML assertion using group claims (using "group_attr" and cloud only display name (I don't have an hybrid env, Azure only). In SmartConsole, I created a checkpoint local user group EXT_ID_ENTRA-RAVPN-USERS and i can authenticate just fine. That's the authentication part done.

Now i'm trying to use the EntraID server object to retrieve group memberships.

The only group membership info i have received are those assigned to the Entreprise App (the 2 EXT_ID roles in the above screenshot). but those are the group memberships sent by SAML assertion during sign in.

My understanding is that my EntraID server object can read the entire Entra ID directory (and it can as I can create access roles with Azure groups) . But my user traffic is never matching any of those access roles. Upon receiving traffic that is a potential match for a rule with an access role, the gateway should query Entra to see if my authenticated user is a member of that group. But this is not happening.

Re: Remote Access VPN and EntraID Group Authorization

Nüüül — Mon, 09 Mar 2026 15:40:55 GMT

Not sure, if this is intended to work, but did you set the Entra ID Object as User Directory (somewhere in VPN Configurations; User Directories) and is the matching attribute correct?

Re: Remote Access VPN and EntraID Group Authorization

PhoneBoy — Mon, 09 Mar 2026 18:38:52 GMT

If you want the groups to be seen on our side, they must be sent as part of the SAML Assertion.

Re: Remote Access VPN and EntraID Group Authorization

Kurpeus — Tue, 10 Mar 2026 12:33:59 GMT

I had the group membership sent as part of SAML assertion (that is for groups assigned to the entreprise application), but not for the in policy authorization. As it turns out, you don't have to. I've got it fully working . I've created a complete guide.

https://community.checkpoint.com/t5/General-Topics/SAML-Authentication-to-Azure-Entra-ID-with-Authorization/m-p/272983/highlight/true#M45757