topic Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO in SASE and Remote Access

Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

Heath_H — Fri, 01 Oct 2021 14:31:05 GMT

I'm trying to put web apps in Mobile Access that leverage SAML based SSO (we use Okta, but it's the same for any SAML SSO provider).

The challenge is, that the application redirects to the SAML IdP just fine, but when the IdP redirects back to the relying party (SP), it is using the configured Relying Party URL. So we need to send the IdP traffic through Mobile Access in order for MAB to be able to rewrite those URLs as they contain the SAML assertion that needs to go to the SP.

I have tried adding the SAML IdP URL as a web application and including it in the rules. This almost works, but it seems that the URL rewriting code is either not able to or just isn't updating the SRI in the URL causing the browser to not load it as the SRI value doesn't match the rewritten URL.

I had a TAC case opened with my Diamond Engineer (6-0002161253), but it got closed in the transition from one engineer to another because the debugs that I had provided to the case got lost and I didn't want to go through an gather debugs all over for something that I clearly documented as an issue with the MAB URL rewrite.

I wanted to ask the community if anyone had been able to successfully add a web application to MAB that used SAML authentication and, if so, now.

Thanks,

heath

Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

PhoneBoy — Tue, 05 Oct 2021 00:26:52 GMT

This may not be supported.
@MaksimBahunou can you confirm?

Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

MaksimBahunou — Tue, 05 Oct 2021 06:42:33 GMT

@PhoneBoy , you are right. Such configuration is not supported.

Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

Heath_H — Tue, 05 Oct 2021 11:59:10 GMT

So what is the answer for that situation as more and more applications are leveraging SSO, including internal ones. Further, SRI is a security measure and I only see it's use increasing in web-based applications.

Is the recommendation to move to something like an F5 in a DMZ that better handle URL rewriting for internal web applications coupled with SSO and MFA and just avoid the need for an SSL VPN entirely?

Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

PhoneBoy — Wed, 06 Oct 2021 16:11:36 GMT

We have a different solution that handles this use case better called Harmony Connect.
The deployment/management model is a bit different, but it achieves the same result.

Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

Daniel_Kavan — Tue, 30 Jul 2024 18:11:50 GMT

Is this still the case today? Harmony Connect is recommended over sslvpn with SAML and web apps?

It's odd that saml sso is supported for snx, Endpoint Security fat clients but not web apps. It's not supported with mobile access portal or the identity awareness browser portal? I'll check out the harmony connect, it looks like its a solution with the infinity portal. Can it it be used to access on premise resources?

Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

PhoneBoy — Tue, 30 Jul 2024 18:30:43 GMT

Since that post was made, Harmony SASE is now the solution.
The Mobile Access Portal itself supports SAML authentication (has since R80.40).

Are you talking about a backend app (accessible via the MAB frontend) that requires SAML authentication?

Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

Daniel_Kavan — Tue, 30 Jul 2024 18:33:49 GMT

TAC just closed my case referencing this post, that SAML authentication wasn't supported for MAB web applications. No, I don't need SAML for the backend apps, I'm just trying to get to them!

Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

PhoneBoy — Tue, 30 Jul 2024 19:09:49 GMT

The root post for this relates to backend apps that require SAML authentication to access.
Meanwhile, the frontend of MAB very much supports SAML authentication.
It's even in the documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/SAML-Identity-Provider-Mobile-Access.htm?Highlight=saml

Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

Wolfgang — Fri, 27 Mar 2026 06:35:05 GMT

Does the same problem still exists ?

We want to access an web-application via MobileAccessPortal which does the authentication via SAML. Authentication to the MOB portal itself via SAML is working fine but access to the published application not.

Re: Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

Ingard — Fri, 27 Mar 2026 16:47:00 GMT

👍