topic Re: SAML Re-authentication Prompt During Secondary Connect – Configuration Inquiry in SASE and Remote Access

SAML Re-authentication Prompt During Secondary Connect – Configuration Inquiry

Ave_Joe — Tue, 03 Jun 2025 16:06:02 GMT

Remote Access VPN Setup

The Remote Access VPN community consists of 12 gateways.
Users typically connect to the primary gateway in the U.S. data center, which issues Office Mode IP addresses.
The VPN client utilizes Secondary Connect to reach resources behind other gateways in the community.
All gateways are configured for SAML-based Single Sign-On (SSO) using Microsoft Entra ID.

Issue

When a user accesses a resource behind a Secondary Connect gateway, the VPN client triggers a new SAML authentication flow. This opens the user's default browser and starts the SSO process again.

The repeated SAML prompt confuses users and interrupts their tasks, leading to a frustrating VPN experience and reduced productivity.

Question

Is there a configuration that would allow the VPN client to reuse the initial SAML authentication and avoid triggering a new browser-based authentication prompt when accessing resources behind a Secondary Connect gateway?

Could a single Remote Access identity provider configuration be applied across all 12 participating gateways to streamline the authentication process and eliminate redundant prompts?

Re: SAML Re-authentication Prompt During Secondary Connect – Configuration Inquiry

PhoneBoy — Tue, 03 Jun 2025 20:50:15 GMT

If you've configured things per either sk180948 or sk182042, you'll need to undo this configuration since the gateway sends an attribute to force reauthentication, which will also apply to Secondary Connect.
However, this creates a situation where if the user is authorized on the machine (i.e. with Entra ID) and the timeout hasn't expired, they will be able to connect to the VPN without authentication.
Whether this works the same way with Secondary Connect is a separate question.

If your environment is complex enough that Secondary Connect is needed, Harmony SASE might be worth exploring.
Not sure if Infinity Identity will help with this use case, but it will definitely centralize the configuration.

Re: SAML Re-authentication Prompt During Secondary Connect – Configuration Inquiry

Royi_Priov — Wed, 04 Jun 2025 05:21:28 GMT

Hi @Ave_Joe ,

I will start with a disclaimer that I'm not well familiar with VPN internal flows.

However, my assumption is that the issue you are facing is caused due to the fact the SAML configuration in Quantum requires different application on Entra side, and considered as separate "service". It means, each gateway acts as a different service, therefore there is no reuse of the SAML authentication.

In R82, we have introduced a new SAML I/S powered by Infinity Identity. Once you configure the Entra ID integration in Infinity Portal, it is automatically replicated to your Quantum management (prerequisite to this is a trust between the Quantum management and Infinity Portal, under "Infinity Services"). In this scenario, Infinity services are the "service provider" and the gateway consume the SAML authentication result from Infinity.

After explaining this, few notes:

This I/S is currently consumed by Identity Awareness only. There is a planned effort to join VPN clients to this I/S, but I don't know the ETA for this. You are welcome to contact your SE and open RFE to get official answers from the relevant owners.
This I/S will require R82 management and gateway (once step #1 will be finished for VPN clients).

I hope it helps.

Re: SAML Re-authentication Prompt During Secondary Connect – Configuration Inquiry

PhoneBoy — Wed, 04 Jun 2025 13:27:00 GMT

I wasn't sure if the different "Service Providers" (in SAML terms) would allow credential reuse; thanks for confirming it doesn't.
That suggests @Ave_Joe that your requirement can't be met today with Quantum Security Gateways today.
However it does sound like it will be possible in the future.

Harmony SASE can support this use case today.

Re: SAML Re-authentication Prompt During Secondary Connect – Configuration Inquiry

Ave_Joe — Mon, 16 Jun 2025 19:59:10 GMT

Oh bother!
I kind of figured that would be the case.

Moving this service to Harmony SASE is not an option as that would require additional licensing which is outside the scope of what is trying to be done at this time.

Cheers!

Re: SAML Re-authentication Prompt During Secondary Connect – Configuration Inquiry

Ave_Joe — Mon, 16 Jun 2025 20:08:44 GMT

Thank you for the response.
I was hoping there might be a viable solution, but we’ll continue to monitor for new features or updates that could help improve the user experience moving forward.

Re: SAML Re-authentication Prompt During Secondary Connect – Configuration Inquiry

PhoneBoy — Fri, 27 Jun 2025 21:16:39 GMT

Until we can support this use case with Secondary Connect, it might provide a better user experience to disable Secondary Connect.
Traffic will be tunneled from whatever gateway the user connects to when Secondary Connect is disabled.

See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Secondary-Connect.htm

Re: SAML Re-authentication Prompt During Secondary Connect – Configuration Inquiry

CheckPointerXL — Tue, 29 Jul 2025 08:05:33 GMT

hey,

any news on this?