topic Re: Azure SAML for checkpoint web vpn in Mobile

Azure SAML for checkpoint web vpn

rameshm18 — Mon, 02 May 2022 13:50:35 GMT

Hi,

How do we implement Azure SAML SSO for check point mobile VPN?. There are guides available for Remote Access VPN with Azure SAML SSO. But not available for mobile VPN.

Can some one help?.

Thanks,
Ramesh M.

Re: Azure SAML for checkpoint web vpn

_Val_ — Wed, 04 May 2022 14:22:10 GMT

Please specify in details, what you are trying to do, including the version and use and at least some information about the setup

Re: Azure SAML for checkpoint web vpn

_Val_ — Wed, 04 May 2022 14:23:19 GMT

That said, please look into sk171501 to see if the described issue is the one you are having.

Re: Azure SAML for checkpoint web vpn

rameshm18 — Tue, 10 May 2022 10:30:14 GMT

Hi Val,

This is not related to sk171501. There is no guide available for Azure SAML SSO implementation for Mobile Access VPN Portal. How ever i see there is guide available for RA VPN.

In the Azure portal, default gallery based builit in application available for RA VPN and not available for mobile access vpn.

I have created a custom - non gallery application and filled in the SAML settings with Sign on and reply URL. But not sure what to fill in Logout URL. Some how, mobile Access VPN is now working with Azure MFA with SAML SSO. but when i try to log out from Mobile Access portal it says "Signing out from Check Point Mobile does not automatically sign out from your Identity Provider's session." if i close the browser and open the browser and try to relogin, it just logged in without asking MFA. It behaves like that till 60 minutes. after that it becomes normal. Not sure this related to 'logout URL' not filled in the application. dont know how to format the 'Logout URL'.

Refer the attached image. Any advise would be helpful. Thanks

Re: Azure SAML for checkpoint web vpn

DRuser — Tue, 17 Jan 2023 13:08:14 GMT

@rameshm18 , I'm in the same case. Do you find a solution? Thank you in advance for your answer

Re: Azure SAML for checkpoint web vpn

PhoneBoy — Tue, 17 Jan 2023 21:22:32 GMT

It's the same product (thus the same guide).
That assume we're talking about Check Point Mobile installed on Windows (versus Capsule VPN where this is not currently supported).

Re: Azure SAML for checkpoint web vpn

nzmatto1 — Tue, 17 Jan 2023 21:36:41 GMT

The SSO session with the provider remains logged in based on the SSO providers settings. This is a massive benefit of use MFA and SSO. You are logging in on the device with the username / password / MFA. That device retains the authentication based on the SSO setting (one of my clients is 30 days). This means if they reconnect from the same device with the same user within 30 days they will no be re-prompted for anything and the VPN will connect and advise the session has been authenticated by the provider. It's GREAT for them!

Re: Azure SAML for checkpoint web vpn

DRuser — Wed, 18 Jan 2023 09:07:27 GMT

I need to re-authenticate every time.

In Azure, Conditional Access, you can only type a sign-in frequency of 1 Hour.

is there a workaround for my need?

When my client disconnect his VPN, he have the information "your session is keeping in the IDP".

Re: Azure SAML for checkpoint web vpn

Realeboga_Mashi — Wed, 03 Jan 2024 21:46:32 GMT

I have the same issue - I would like that each time a RA VPN Session is terminated, the Azure token must be released\expire immediately so that if another session is established, the whole MFA is (re)initiated.

For me the fact that Azure token is valid for minimum 60minutes is a security "red flag" because the session remains active with the IDP.