topic Mobile Access Portal with SAML, questions regarding the policy in SASE and Remote Access

Mobile Access Portal with SAML, questions regarding the policy

796570686578 — Tue, 30 Apr 2024 08:19:38 GMT

Hello everyone,

I am currently working on a PoC for a customer to implement SAML and MFA for their Mobile Access Portal. This part, I was able to get to work in my lab but I am having trouble understanding how to adapt the Mobile Access Policy. This is about the only customer I know using Mobile Access with Application Access via SNX and since they mainly manage it themselves, I am not quite knowledgeable on this topic.

Currently they are using the Legacy Policy in SmartDashboard. From what it seems, users are authenticated to Applications via RADIUS.

Now during the SAML configuration, I had to add an External User Profile named generic* in SmartDashboard and add this profile/user to the group specified as the source in the Mobile Access Policy in SmartDashboard. Without the generic* user in the policy/group, I was not able to authenticate via SAML.

Now this brings up a few questions, since adding the generic* user to every group/rule would allow any user to access any application.

- Do I misunderstand how the policy works? Is there still a way to only allow access to certain applications to certain users?

- I tried to switch to Unified Access Policy but Access Roles using Azure AD are not allowed in a rule with a Mobile Access Application. Is there a workaround?

I'm sure I am missing something here, because it doesn't really make sense to me...

Thank you and best regards

Re: Mobile Access Portal with SAML, questions regarding the policy

PhoneBoy — Tue, 30 Apr 2024 16:41:35 GMT

Access Roles are supported in the Unified Policy per official documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/Mobile-Access-and-Unified-Access-Policy.htm?tocpath=Mobile%20Access%20Authorization%20and%20Access%20Control%7CMobile%20Access%20and%20the%20Unified%20Access%20Policy%7C_____0#Mobile_Access_and_the_Unified_Access_Policy
Where are you seeing it's not supported?

Re: Mobile Access Portal with SAML, questions regarding the policy

796570686578 — Thu, 02 May 2024 11:48:28 GMT

Hey phoneboy,

It's just Azure AD Access Roles that dont work with Mobile Access Applications:

I was finally able to get it to work though, using the following SK: https://support.checkpoint.com/results/sk/sk177267

The youtube video by peter elmer explains it really well. I had to manually edit the manifest file of the application, add the groups there and also create local empty user groups in SmartConsole.

But would have been nice nonetheless if it worked with Azure Access Roles directly

Re: Mobile Access Portal with SAML, questions regarding the policy

PhoneBoy — Thu, 02 May 2024 19:20:58 GMT

Glad you got it working, thanks for sharing!