topic Re: Keycloak - Browser-Based authentication for VPN users in SASE and Remote Access

Keycloak - Browser-Based authentication for VPN users

PCAILLE — Tue, 18 Jun 2024 14:05:50 GMT

Hello,

We currently want to enable MFA for our partners connected via IPsec tunnel.

To achieve this, we have an IAM (Keycloak) that we want to use to redirect partners, allowing them to access certain resources.

I found the following documentation on configuring Keycloak to authenticate user accounts for access to the SmartConsole: https://community.checkpoint.com/t5/Management/Keycloak-SAML-Authentication-for-SmartConsole/td-p/183797

Keycloak is configured as described in the above documentation (custom client scope) and as an Identity Provider for Browser-Based Authentication (cf. attached screens CHKP_config1 and 2)

What we are looking for is the remaining configuration needed to enable MFA. Specifically:

What do we have to do to redirect VPN partners to the Keycloak Portal?
Which source criteria in Security Policies (e.g., sources to target, Identity tags, Access Roles, User Groups) need to be set?

Additionally, are there any other configuration steps required ?

Thanks,

Regards,

Thibaut

Re: Keycloak - Browser-Based authentication for VPN users

PhoneBoy — Tue, 18 Jun 2024 22:37:22 GMT

If your intention is to use Keycloak to authenticate Remote Access users, you will have to create another SAML provider (i.e. you cannot reuse your existing one) and follow the relevant steps.

Re: Keycloak - Browser-Based authentication for VPN users

the_rock — Tue, 18 Jun 2024 23:33:30 GMT

Hey Thibaut,

I agree with what Phoneboy said. Just follow below steps (youtube video by Peter Elmer is super helpful)

Andy

https://support.checkpoint.com/results/sk/sk172909

https://www.youtube.com/playlist?list=PLBfjYlNj4w1vJJBCdwJCAta4kvxI0t0Fb (part 4)

Re: Keycloak - Browser-Based authentication for VPN users

PCAILLE — Wed, 19 Jun 2024 06:22:33 GMT

Actually, the Keycloak provider is not currently used for any user authentication (we only followed the documentation part that focuses on the Keycloak configuration). We would like to set up authentication only for Remote Access users and not for SmartConsole access as described in the documentation.

Re: Keycloak - Browser-Based authentication for VPN users

the_rock — Wed, 19 Jun 2024 10:14:39 GMT

Did you follow the links I sent?

Andy

Re: Keycloak - Browser-Based authentication for VPN users

Daniel_Kavan — Mon, 22 Jul 2024 14:56:44 GMT

Also, when we say Remote Access VPN users, that includes support for SSLVPN users too right? Not just the fat endpoint security client? RE: SAML Support for Remote Access VPN (checkpoint.com)

Re: Keycloak - Browser-Based authentication for VPN users

PhoneBoy — Mon, 22 Jul 2024 15:49:46 GMT

I assume it will work if invoked via MAB portal, which supports SAML auth.

Re: Keycloak - Browser-Based authentication for VPN users

Daniel_Kavan — Mon, 22 Jul 2024 16:38:41 GMT

It doesn't look like it. In the known limitations section at the bottom of SAML Support for Remote Access VPN (checkpoint.com), it says

This feature supports only IPsec VPN

clients.

Re: Keycloak - Browser-Based authentication for VPN users

PhoneBoy — Mon, 22 Jul 2024 18:32:19 GMT

Appears to be supported in Unified Policy mode: https://support.checkpoint.com/results/sk/sk170775

Re: Keycloak - Browser-Based authentication for VPN users

Daniel_Kavan — Sun, 28 Jul 2024 18:59:53 GMT

After spending a couple of days on this, I'm still spinning my wheels.

SAML Support for Remote Access VPN (checkpoint.com)

RE: sslvpn web browser (not Endpoint client)

I have mobile access running in unified mode configured now. I login with the nice keycloak icon on the CP portal (on the keycloak server it says there is an active session), however I get re-directed back. to the check point portal Login page and get the message User is unauthorized. I have a role set up that includes my EXT_ID_keycloak group. It feels like I'm close but no cigar. I'm going to re-read the tags and group attributes.

RE: SAML Support for Remote Access VPN (checkpoint.com) in the section "if you use an on-premises Active Directory (LDAP)

We have AD on prem, but we aren't using it with our Keycloak / SAML set up, so when directions say to do A if you have AD and if you don't do B, I'm not sure which way to go.

Re: Keycloak - Browser-Based authentication for VPN users

PhoneBoy — Mon, 29 Jul 2024 12:08:47 GMT

If the SAML assertion contains the relevant groups and you've configured the EXT_ID_ groups, you shouldn't need LDAP.

Re: Keycloak - Browser-Based authentication for VPN users

Daniel_Kavan — Mon, 29 Jul 2024 13:19:01 GMT

Thanks, yes I have the EXT_ID_Test set which matches the Test group on keycloak. I have a role_based rule in my unified policy with a newly created web application. However, after I login - I get User is unauthorized. I wonder if the username has to be unique to any internal users. I'm going to try a unique username today. Update - a unique username didn't help. User is unathorized... I'm testing with sslvpn web apps, and not from a fat client and not snx. I'm not even getting to the screen where I connect with SNX. I haven't seen any documentation to convince me that mobile access portal can support SAML with no SNX or fat client. IOW, I'm trying to login with the edge browser to the portal.

Re: Keycloak - Browser-Based authentication for VPN users

PhoneBoy — Mon, 29 Jul 2024 18:23:03 GMT

The MAB portal should support SAML without using SNX.
My guess is you'll need TAC to help troubleshoot what's happening in the SAML Assertion.