topic Re: Remote Access VPM and SAML with Entra ID in SASE and Remote Access

Remote Access VPN and SAML with Entra ID

Jakub132620 — Tue, 09 Dec 2025 15:43:32 GMT

Dear Community,

I have security gateway 9000 series with 81.20 version. Our users authenticating to remote access VPN via SAML (Entra ID).

Auth works fine, but we facing problem with Access Roles and policies. I can see source user in logs but traffic didin't match to rule with access role where user account is present.

We have policies with Access Role and in this object are user form Entra ID.

In Entra we have two applications, first from gallery "Checkpoint Remote Secure Access VPN" for SAML auth, second custom APP used as Azure AD object in SMS.

Main problem is situation where we have rule with access role and this access role have user account form Azure AD, but traffic from user didin't hit expected rule and goes to clean up rule.

To integrate Remote Access VPN and Entra ID throught SAML we followed this video https://www.youtube.com/watch?v=yZVB3sJ3fZ8

We done almost everything form this post https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-and-EntraID-Group-Authorization/td-p/245325

In one access role we have one user, but in feature we will be adding groups. In logs i can see source user in format name@domain

Does anyone know what the potential problem could be ?

Re: Remote Access VPM and SAML with Entra ID

the_rock — Tue, 09 Dec 2025 01:00:01 GMT

Are you able to attach a screenshot of the rule? Please blur out any sensitive data.

Re: Remote Access VPM and SAML with Entra ID

Ruan_Kotze — Tue, 09 Dec 2025 07:01:53 GMT

Are you utilising on-prem AD as well or pure Entra?

Re: Remote Access VPM and SAML with Entra ID

Jakub132620 — Tue, 09 Dec 2025 10:54:51 GMT

Hi,

screenshots od rule and acces role is below

Re: Remote Access VPM and SAML with Entra ID

Jakub132620 — Tue, 09 Dec 2025 10:55:19 GMT

Hi we using on-perm AD and Entra ID

Re: Remote Access VPM and SAML with Entra ID

the_rock — Tue, 09 Dec 2025 11:46:07 GMT

Are there any hits on that rule at all?

Re: Remote Access VPM and SAML with Entra ID

Jakub132620 — Tue, 09 Dec 2025 11:49:11 GMT

Not now, hits was when i don't have access role with user form AD in source. This is main problem. I successfuly auth to VPN via SAML, but traffic don't hit my rule.

Re: Remote Access VPM and SAML with Entra ID

the_rock — Tue, 09 Dec 2025 11:52:10 GMT

Do you see anything when you run pdp monitor user and then that username? If not, then thats your issue. However, if you do see results, maybe try disable rule, install policy-re-enable, install again, test.

Re: Remote Access VPM and SAML with Entra ID

Jakub132620 — Tue, 09 Dec 2025 12:07:32 GMT

Below output drom pdp command executed on firewall

I tried your suggestion but without effect. In my opinion user in access role is not mapping to user from VPN authentication. But i don't know why.

Re: Remote Access VPM and SAML with Entra ID

the_rock — Tue, 09 Dec 2025 12:30:45 GMT

I think I know why. I saw somewhere name has to start with ext and that is a requirement. let me see if I can find it.

Re: Remote Access VPM and SAML with Entra ID

the_rock — Tue, 09 Dec 2025 12:36:12 GMT

@Jakub132620 Sorry my bad, name does not have to start with that, but it seems it should match with what you have on Azure side, so can you give it same name that starts with aad?

Re: Remote Access VPM and SAML with Entra ID

the_rock — Tue, 09 Dec 2025 12:41:33 GMT

Also, make sure to follow these:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Using-Azure-AD-for-Authorization.htm

Re: Remote Access VPM and SAML with Entra ID

Jakub132620 — Tue, 09 Dec 2025 13:16:16 GMT

I read the article you linked to. However, there's one point I don't understand. In the "Configuration in Microsoft Azure Portal" section, we create a custom application for downloading users.

My application was created according to point 1. However, I'm having trouble with point 2.

When I go to the Single Sign-ON tab in my application and select SAML, I can't select specific claims because the first step in the application requires configuring the Basic SAML configuration section. I configured the Basic SAML configuration section in the Checkpoint Remote Secure Access VPN application from the gallery, which is used for VPN authentication via SAML.

Re: Remote Access VPM and SAML with Entra ID

Jakub132620 — Tue, 09 Dec 2025 13:17:42 GMT

How can i check this ?

In Entra i can see the same user.principalname as in on-prem AD

Re: Remote Access VPM and SAML with Entra ID

the_rock — Tue, 09 Dec 2025 13:18:11 GMT

Mind pasting part you are referring to?

Re: Remote Access VPM and SAML with Entra ID

Jakub132620 — Tue, 09 Dec 2025 13:24:48 GMT

Configuring SAML as a Single Sign-On for your Azure application

Click on Home and select Azure Active Directory from the menu.
Click on Enterprise applications and go to All applications.
Select your application.
The application Overview window opens.
Click Single Sign-On.
Select SAML as the Single Sign-On method.
In the Set up Sign-On with SAML window, go to the User Attributes & Claims section and click the pencil icon to edit the claims.
The User Attributes & Claims window opens.
In the Required claim section, click Unique User Identifier (Name ID).
In the Manage claim window:
- Attribute option - Select.
- Source Attribute drop-down menu - Select user.localuserprincipalname.
Click Save to save the user claims, then close the window.
Back on the SAML Signing Certificate page, go to the Federation Metadata XML file and click Download.
The Federation Metadata XML is downloaded.

I can't set the appropriate claim because, as I wrote above, the first step in the application requires configuring the Basic SAML configuration section. I configured the Basic SAML configuration section in the Checkpoint Remote Secure Access VPN application from the gallery, which is used for VPN authentication via SAML.

Re: Remote Access VPM and SAML with Entra ID

the_rock — Tue, 09 Dec 2025 13:26:22 GMT

I see. That link is what we always give to customers if there is an issue, though we help them with the setup. Might be worth opening TAC case then.

Re: Remote Access VPM and SAML with Entra ID

ishuyell — Tue, 09 Dec 2025 15:04:27 GMT

In SmartConsole, create an internal User Group object with this name (case-sensitive, spaces not supported):

EXT_ID_<Name_of_Role>

For example, for a role in the Identity Provider's interface with the name my_group, create an internal User Group object in SmartConsole with the name EXT_ID_my_group.

Re: Remote Access VPM and SAML with Entra ID

the_rock — Tue, 09 Dec 2025 15:28:51 GMT

Right, I recall seeing that, but cant find official documentation where it states to do so...

Re: Remote Access VPM and SAML with Entra ID

the_rock — Tue, 09 Dec 2025 15:36:25 GMT

Just spoke with a colleague and he said thats how he did it for a customer and it did work, was not in any doc nesessarily.