topic Remote Access Authentication with Certificate and Group Membership Retrieval in General Topics

Remote Access Authentication with Certificate and Group Membership Retrieval

C_H — Wed, 22 Oct 2025 16:12:59 GMT

Hello Everyone,

Customer challenged me with the following problem:

If Personal Certificate is used as Authentication Method for Remote Access and my User Identity Store is Entra how do I get the Group Membership Retrieval for "Offer Office Mode to group" option?

Does it always have to be an LDAP query from the Gateway to an On Prem Device for group membership when Personal Certificate is used as a login option?

If yes, is there something which forwards this LDAP query from On Prem to Entra?

Does anybody have a hint for me?

Best Regards

Colin

Re: Remote Access Authentication with Certificate and Group Membership Retrieval

PhoneBoy — Thu, 23 Oct 2025 00:52:19 GMT

The necessary groups are sent as part of the SAML Assertion, which is configured on the Entra ID side.
There is also configuration needed on the Check Point side (the creation of EXT_ID_ objects).
See: https://support.checkpoint.com/results/sk/sk177267

Re: Remote Access Authentication with Certificate and Group Membership Retrieval

C_H — Thu, 23 Oct 2025 06:45:42 GMT

Hi PhoneBoy,

Yes, I know this. But with Personal Certificate there is no SAML Mechanism triggered, since the certificate is presented by the client to the checkpoint and is then checked (is it valid? does the Check Point GW trust the Issuer? etc.). So there is no SAML ongoing in this case.

From my point of view it is not possible to do the Certificate Authentcation with SAML, so you have to relay on Personal Certificate as Login Option.

Best Regards

Colin

Re: Remote Access Authentication with Certificate and Group Membership Retrieval

PhoneBoy — Fri, 24 Oct 2025 01:08:50 GMT

You're correct.
This is mentioned in the documentation under Known Limitations:

SAML authentication cannot be configured with more authentication factors in the same login option. The Machine Certificate Authentication option is supported. To use Multiple Factor Authentication, configure the external Identity Provider to have multiple verification steps. The complexity and number of verification activities depends on the configuration of the Identity Provider.

Re: Remote Access Authentication with Certificate and Group Membership Retrieval

C_H — Fri, 24 Oct 2025 06:57:21 GMT

Hi PhoneBoy,

Thank you for your reply.

Can I ask why this is marked as solution for my questions?

From your answer the only thing confirmed is that SAML can't be used with other login options.

My initial problem (how to get group membership from entra if personal certificate as login option is used) was not solved by that.

Best Regards

Colin

Re: Remote Access Authentication with Certificate and Group Membership Retrieval

PhoneBoy — Fri, 24 Oct 2025 21:00:23 GMT

Is this certificate used to authenticate with Entra ID directly?
If so, we do not get involved in this.

The SAML assertion, received as a result of successful authentication with Entra ID, tells us you are authenticated and what groups you are actually authorized for.
The groups we recognize from SAML must be explicitly configured, as described in the SK/docs linked previously.
The groups passed to us are a function of configuration in Entra ID, with some information provided in the SK/docs linked previously.

Re: Remote Access Authentication with Certificate and Group Membership Retrieval

C_H — Mon, 27 Oct 2025 12:52:50 GMT

No, Entra is not in use, and I think that's where the misunderstanding comes from.

Authentication method is Personal Certificate, where user certificates are stored on the endpoints, the vpn clients present those certificates to the gateway and the gateway checks if the user certificates are valid and if the gateway trusts the CA (correct me please if anything is wrong in my understanding).

So everything is pretty much on prem handled. If the validation of the client certificate is successful one of the next steps is to check the group membership (if the corresponding settings are set in the RemoteAccess VPN Community or in the GW/Cluster Object --> Office Mode).

Now this is where the challenge starts: With on prem AD no problem, a LDAP Request is sent and the GW retrieves the Group membership for the user who is connecting. Now in my case, there is no on prem AD and the group membership info is in Entra ID.

How do I get this group membership info to the checkpoint in this case?

Best Regards

Colin

Re: Remote Access Authentication with Certificate and Group Membership Retrieval

PhoneBoy — Mon, 27 Oct 2025 18:53:40 GMT

If you're using an on-premise method of authentication (personal certificates, in this case), you must use an on-premise method to gather the groups.
This is usually done via LDAP, but can also be done over RADIUS (assuming it's an authentication factor).
Not sure Entra provides these connectors at all.

Otherwise, your only option to use SAML for authentication (where the groups are communicated via the SAML assertion).