topic Re: Remote Access VPN with SAML Auth and MEP - Identity Provider Configuration in SASE and Remote Access

Remote Access VPN with SAML Auth and MEP - Identity Provider Configuration

Jonas_Meineke — Tue, 19 Dec 2023 11:20:05 GMT

Hi all,

there's 2 questions for this matter:

a) Is MEP with Identity Provider seamless? Will I only have to login once, or do I have to login to every single gateway again?

b) Is a bit more technical:

We have an environment, where we have a working MEP Configuration for Username/Password.

We're trying to change to Azure AD Auth with SAML / Identity Provider.

I've gone through the AdminGuide for SAML Support

(https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/SAML-Support-for-Remote-Access-VPN.htm)

and configured my Identity Provider, added a second Login Option for Identity Provider Usage and gone through the GuiDBedit part.

For MEP, there is only one remark under "Step 4: Configure the Identity Provider as an Authentication Method":

Note - For Remote Access Multiple Entry Point (MEP), you must configure the same Login Option on all Security Gateways that participate in MEP. Make sure to add all the Identity Provider objects (one per Security Gateway) to a dedicated Login Option.

Does this implicitely mean, that we have to create an Identity Provider Object for every single gateway that takes part in the Remote Access community and therefore gets added to the MEP configuration?

And secondary, "add all IDP objects (one per Security Gateway) to a dedicated Login Option", does this mean, that I need one addtional login option with all configured Identity Providers, or do I need a separate one for each Identity Provider, given that I might indeed have to create an IDP for each participating gateway?

The Setup is that everyone connects to the main site (That one got the Identity Provider configured above), and then uses MEP to get to other sites afterwards.

Question is, can other MEP Gateways simply use the already established user verification somehow and I missed that point, or do we have to login to every gateway indeed?

In the current config: After the initial successful SAML login to the main site, the next site comes up and gives us another Identity Provider login which then fails.

Best Regards,
Jonas

Re: Remote Access VPN with SAML Auth and MEP - Identity Provider Configuration

PhoneBoy — Wed, 20 Dec 2023 00:39:57 GMT

Pretty sure MEP does not reuse the existing authentication, even when SAML is not used.
Not sure if you can reuse the Identity Provider for all gateways/clusters unless the redirection URL will terminate on the relevant gateway.
I don't see how this can work for external users.
Which means: you will need to create a new Identity Provider object for each gateway/cluster.

Re: Remote Access VPN with SAML Auth and MEP - Identity Provider Configuration

Jonas_Meineke — Wed, 20 Dec 2023 13:24:42 GMT

I've looked further into this and it is not MEP, but the RA secondary connect, which happens automatically for all gateways that are part of the RemoteAccess community (and is needed in the current setup due to the different EncDoms from different sites).

If this is the design, I guess using multiple gateways for Remote Access and trying to use Identity Provider is kind of scuffed, if there is no option to consolidate that login, if I have to bind one Provider to a single Gateway/Cluster?

If I have to log in to 6-8 different Identity Providers each time I wanna use Client VPN, that's gonna be rather unfeasible after 2 days.

Should I open a case for this? I don't seem to find any real documentation for this usecase.

Re: Remote Access VPN with SAML Auth and MEP - Identity Provider Configuration

PhoneBoy — Wed, 20 Dec 2023 15:17:42 GMT

What you need to do (I believe) is create multiple objects for the same SAML provider with a similar configuration (the Identifier and Reply URL is specific to the gateway terminating the connection).

Even within the same gateway, you currently have to create multiple objects if you are using SAML with, say, Mobile Access Blade and Identity Awareness.
This is a known limitation at present.

In R82, Quantum Gateways will be able to use Identity Providers defined in the Check Point Infinity Portal, allowing customers to centrally manage identities across multiple Check Point products.
This should eliminate this issue.

Re: Remote Access VPN with SAML Auth and MEP - Identity Provider Configuration

CheckPointerXL — Sun, 07 Jan 2024 18:30:00 GMT

hey Jonas,

any news on this?