https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202249#M4229 <P>Can you maybe send some screenshots of the rule in question, as well as groups referenced and the log showing that access? I think that would help us...please blur out any sensitive info.</P> <P>Best,</P> <P>Andy</P> Thu, 04 Jan 2024 20:43:41 GMT the_rock 2024-01-04T20:43:41Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202237#M4228 <P>Hey,</P><P>I have a problem now on implementation when using SAML Azure AD authentication. Everything is working - authentication etc. Users can login properly - connectivity is ok.&nbsp;</P><P>The problem is that from the moment I added groups to the cp application in azure, even if there is no rule - the authorized users have access to all the networks. If they are restricted by a certain rule they still have access to all the networks, and the rule not working. Does anyone have an idea?</P><P>&nbsp;</P><P>Thanks to those who answered!&nbsp;</P> Thu, 04 Jan 2024 18:09:12 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202237#M4228 Refaeliko 2024-01-04T18:09:12Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202249#M4229 <P>Can you maybe send some screenshots of the rule in question, as well as groups referenced and the log showing that access? I think that would help us...please blur out any sensitive info.</P> <P>Best,</P> <P>Andy</P> Thu, 04 Jan 2024 20:43:41 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202249#M4229 the_rock 2024-01-04T20:43:41Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202258#M4230 <P>You've created the necessary groups in SmartConsole, correct?<BR /><A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/SAML-Support-for-Remote-Access-VPN.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/SAML-Support-for-Remote-Access-VPN.htm</A>&nbsp;<BR />You've added those groups to the relevant Access Role objects, correct?</P> Thu, 04 Jan 2024 22:37:39 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202258#M4230 PhoneBoy 2024-01-04T22:37:39Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202260#M4231 <P>Of course&nbsp;</P> Thu, 04 Jan 2024 22:51:06 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202260#M4231 Refaeliko 2024-01-04T22:51:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202261#M4232 <P>This is exactly the point that the rule has no effect on the Azure users. Even if there is no rule on the azure users - all networks are open for these users. Even if there is a rule that blocks it, everything is still open. On the other hand, Legacy users work according to the rules. There was one case that stopped the access and it was that I created a rule that blocks 'all users' and then everything was blocked.</P><P>&nbsp;</P><P>If the screenshots are still important to you - I will send them.</P> Thu, 04 Jan 2024 23:04:57 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/202261#M4232 Refaeliko 2024-01-04T23:04:57Z