topic Re: Modify 'Return URL' in Identity Provider object for SmartConsole SAML SSO in General Topics

Modify 'Return URL' in Identity Provider object for SmartConsole SAML SSO

FtW64 — Wed, 16 Apr 2025 13:11:40 GMT

I have successfully setup SmartConsole SAML SSO, using an Identity Provider object in SmartConsole.

When creating this Identity Provider object, the IdP "Return URL" is automatically populated like: "https://192.168.100.241/...", where 192.168.100.241 is the IP address of the management server. You cannot edit this value.

I'd like to replace the IP address with the FQDN of the management server, like "https://sms.mydomain.com/...".

Is this possible? If so, how?

Thanks in advance!

-Frank

Re: Modify 'Return URL' in Identity Provider object for SmartConsole SAML SSO

the_rock — Wed, 16 Apr 2025 18:59:10 GMT

I could be mistaken, but the only way I know of possibly be able to do that is if you change what I attached and install policy.

Andy

Re: Modify 'Return URL' in Identity Provider object for SmartConsole SAML SSO

Nüüül — Thu, 17 Apr 2025 06:49:32 GMT

if this would work, it only works on standalone installation. management server objects don´t have VPN Portal settings 🙂

i believe, you will have to change simple-saml config files or something like that. would suggest having TAC involved.

Re: Modify 'Return URL' in Identity Provider object for SmartConsole SAML SSO

FtW64 — Thu, 17 Apr 2025 07:19:16 GMT

This is for IA (or Remote Access VPN) IdP. I don't think these settings apply to the management server as a SAML SP.

I have submitted a TAC case and will update when (if) I get a solution.

Re: Modify 'Return URL' in Identity Provider object for SmartConsole SAML SSO

FtW64 — Thu, 17 Apr 2025 07:49:19 GMT

SOLVED

It is in the "R81.20 Quantum Security Management Administration Guide", as explained by CP TAC, although a bit hidden: search for "SAML_IP_OR_NAME".

Edit $CPDIR/tmp/.CPprofile.sh
Add this line to the file:
SAML_IP_OR_NAME=example.com; export SAML_IP_OR_NAME
Restart the management server (cpstop;cpstart will do)

NOTE:

When creating an Identity Provider object for SmartConsole ("Managing Administrator Access"), the Return URL still shows the IP address. However, when SmartConsole performs the SAML request, it uses the FQDN in the Return URL silently. So, you MUST manually change the IP address for the FQDN when configuring the Return URL on the IdP (EntraID or similar).

Re: Modify 'Return URL' in Identity Provider object for SmartConsole SAML SSO

the_rock — Thu, 17 Apr 2025 10:33:04 GMT

Awesome, thanks for that! For the reference, page 84.

Andy

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/CP_R81.20_Quantum_SecurityManagement_AdminGuide.pdf

Re: Modify 'Return URL' in Identity Provider object for SmartConsole SAML SSO

the_rock — Thu, 17 Apr 2025 10:34:18 GMT

Funny enough, that lab is standalone : - )

Re: Modify 'Return URL' in Identity Provider object for SmartConsole SAML SSO

FtW64 — Thu, 17 Apr 2025 11:12:05 GMT

Note that I'm using the SmartCenter Server as a SAML service provider. I'm not authenticating agains the gateway (or gateways) for Client VPN. Or are you referring to a management server cluster (management HA)?