topic Re: Check Point Harmony connect Identity Provider SafeNet(Thales) in SASE and Remote Access

Check Point Harmony connect Identity Provider SafeNet(Thales)

smeny — Thu, 23 Dec 2021 07:20:01 GMT

Hello all,

We currently want to connect the identity provider SafeNet with Check Point Harmony. Unfortunately SafeNet is not listed as a native provider, so we have to use the generic SAML interface.

So far we have not been able to transfer the correct values (groups) to Harmony, which is why no user authentication can be performed.

Do any of you have experience or have even actively integrated SafeNet?

We are grateful for every tip

Greetings Stefan

Re: Check Point Harmony connect Identity Provider SafeNet(Thales)

PhoneBoy — Tue, 28 Dec 2021 20:25:37 GMT

My understanding is that SAML itself isn't used for groups, or at least we're not using it for that.
In Azure AD, for instance, we use the Graph API to pull groups.
A specific integration would likely be an RFE.
@Royi_Priov

Re: Check Point Harmony connect Identity Provider SafeNet(Thales)

Royi_Priov — Wed, 29 Dec 2021 11:46:49 GMT

Hi,

Indeed SafeNet is not listed as one of the vendors in the Harmony Connect IDP wizard, so we need to use the generic option. It means that the users/groups will not be listed while trying to configure rules in the poilcy.

@Keren_Greenblat maybe you can elaborate better about the needed steps to make it work from HC policy point of view?

Re: Check Point Harmony connect Identity Provider SafeNet(Thales)

Keren_Greenblat — Wed, 29 Dec 2021 12:15:19 GMT

Hi,

AFAIK, SafeNet was never tried with generic (I would have known).

also there's no guarantee that it will work.

please try these steps for your configuration:

General SAML IDP - how to configure with customer

Configure the wizard
Be aware that full sync isn’t supported.
On the IDP side use the URL’s from the connectivity page in the idp wizard (2 urls must be configured for Entity ID and reply URL(sso))
Try to configure the following claims:

nameId – email format
‘userId’ – user object id in the IDP.
'First Name' – user first name
'Last Name' – user last name
‘email’ – user email
‘groups’ or “urn:mace:dir:attribute-def:groups” as key, value should be the group name

if this still doesn't work, and it's a deal breaker, I will be able to join for a two hours (maximum) session to try and help.

please note, I had similar session last week for KeyCloak over generic, but after two hours we still couldn't complete relevant configuration.

Such cases are example why it cannot really done online with customer. IDP official support requires developer research that usually takes few days, and therefore closing it in a session with customer is less recommended (therefore I suggest to allocate 2 hours max for that).

Re: Check Point Harmony connect Identity Provider SafeNet(Thales)

Norbert_Bohusch — Thu, 30 Dec 2021 09:28:19 GMT

Hi,

I have already integrated Harmony Connect with Thales STA (Safenet Trusted Access) and it worked. But I tried it only for Harmony Connect Internet Access if I remember correctly.

I don't have it enabled anymore.

Re: Check Point Harmony connect Identity Provider SafeNet(Thales)

smeny — Thu, 30 Dec 2021 09:59:48 GMT

Hi Norbert,

Do you happen to have a screenshot or a small documentation of the values you have stored in the Safenet portal for Check Poitn Harmony?

Happy new Year !!

bye

Stefan

Re: Check Point Harmony connect Identity Provider SafeNet(Thales)

Norbert_Bohusch — Thu, 30 Dec 2021 10:01:18 GMT

Sorry, no, I have only tested it and removed the configuration directly afterwards.

Re: Check Point Harmony connect Identity Provider SafeNet(Thales)

smeny — Wed, 09 Mar 2022 10:25:54 GMT

Hi All,
we have managed to connect Safenet Thales to the Check Point Hamony Connect Cloud via genric SAML. attached you will find the screenshots of the configuration we created in the Safnet Thales portal. It is also important that the groups have to be created manually.

Just for Info, if somebody also want to use it

bye

Stefan