topic Re: Problem opening the 2MFA screen with IDP using Secure Domain Logon (SDL) Windows in SASE and Remote Access

Problem opening the 2MFA screen with IDP using Secure Domain Logon (SDL) Windows

jarvis_dantsrib — Sat, 13 Jul 2024 01:20:50 GMT

Hello,

I am facing an issue after implementing 2MFA with IDP in RA VPN on Windows with SDL enabled.

Before implementing the second authentication factor, login with SDL worked perfectly, however after implementing 2MFA it is not possible to connect to the VPN because the client makes a redirect to open a kind of plugin and start the IDP screen, that's where it happens the error, for some reason it does not open 2mfa directly on the client screen, it has to consult this plugin first and in my opinion the error occurs because it is not possible to consult the plugin because it is not yet logged into Windows.

If I log on to the machine and try to connect to the VPN, the operation occurs successfully and the 2nd factor opens the screen in the client itself without any problem, however this is the perception that I would like to have in SDL before logging into Windows and I am not having it .

I tried to use the SK https://support.checkpoint.com/results/sk/sk180395 to make some adjustments to the client, but without success, IDP_BROWSER was already enabled as embedded in the client itself, but I think there is some validation operation that it confirms with a third party for it to work, outside the client.

Is it possible for SDL to work with 2MFA with IDPs like Azure, Cisco DUO and others?

Re: Problem opening the 2MFA screen with IDP using Secure Domain Logon (SDL) Windows

the_rock — Sat, 13 Jul 2024 01:47:29 GMT

I cant open all the attachments, just the 1st one...is the only error negotiation with site failed? Did you try do zdebug on the firewall to see if anything is dropped when this happens?

Andy

Re: Problem opening the 2MFA screen with IDP using Secure Domain Logon (SDL) Windows

jarvis_dantsrib — Sat, 13 Jul 2024 01:56:43 GMT

Hello the_rock,

These are the images I imported.

I ran zdebug but didn't see any traffic blocks.

Re: Problem opening the 2MFA screen with IDP using Secure Domain Logon (SDL) Windows

the_rock — Sat, 13 Jul 2024 03:25:07 GMT

If its urgent, I would contact TAC. Otherwise, would run basic vpn debugs.

Andy

Re: Problem opening the 2MFA screen with IDP using Secure Domain Logon (SDL) Windows

the_rock — Sat, 13 Jul 2024 04:20:13 GMT

Forgot to mention vpn debug steps.

Andy

*****************

vpn debug trunc

vpn debug ikeon

-do the test

vpn debug ikeoff

Look for iked and vpnd files in $FWDIR/log directory

Re: Problem opening the 2MFA screen with IDP using Secure Domain Logon (SDL) Windows

Alex- — Sat, 13 Jul 2024 08:39:56 GMT

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/SAML-Support-for-Remote-Access-VPN.htm?Highlight=secure%20domain%20logon

Known Limitations

Secure Domain Logon (SDL) with Identity Provider is not supported.

Re: Problem opening the 2MFA screen with IDP using Secure Domain Logon (SDL) Windows

the_rock — Sat, 13 Jul 2024 11:59:42 GMT

Never seen that limitation before, thanks @Alex- !