https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-one-external-user-profile-for-two-different-MFA/m-p/185149#M4776 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;I tried what you said and managed to get this working on R81.20. Here are the steps if any one else wants to try it:</P><P>1) In Smart Dashboard, changed the external generic* profile authentication method from SecurID to Undefined</P><P>2) Then I created two authentication schemes for the VPN clients; one for SecurID and the second for Azure Identity Provider</P><P>3) The user can manually select the authentication in the Endpoint client and connect successfully to the chosen method</P><P>Thanks!</P> Thu, 29 Jun 2023 09:06:31 GMT tmnetsec 2023-06-29T09:06:31Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-one-external-user-profile-for-two-different-MFA/m-p/184656#M4774 <P>Currently we have a MFA solution deployed using SecurID and this uses the external generic* authentication profile which has the SecurID option selected.&nbsp;</P><P>I am now doing a PoC for Checkpoint VPN clients using SAML and Azure MFA as per <A href="https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/125833/FILE/CP_R81.20_RemoteAccessVPN_AdminGuide.pdf" target="_blank">Remote Access VPN R81.20 Administration Guide (checkpoint.com)</A></P><P>The guide says that the SAML Identity Provider needs an external generic* authentication profile as well.&nbsp;Can I change the authentication scheme in the existing generic* profile to Undefined that will allow the users to connect either using SecurID or Identity Provider?&nbsp; Current options in the drop down in the authentication tab are undefined/SecurID/Identity Provider/RADIUS/etc. Using the multiple authentication options for the VPN client, the plan is to provide the VPN user the option to select SecurID or Azure MFA to connect to the VPN.</P><P>Is this possible with a single generic* external authentication profile?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 23 Jun 2023 16:09:11 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-one-external-user-profile-for-two-different-MFA/m-p/184656#M4774 tmnetsec 2023-06-23T16:09:11Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-one-external-user-profile-for-two-different-MFA/m-p/184827#M4775 <P>I'm fairly certain changing this to Undefined will break SecurID.<BR />I'm not certain if SAML requires the setting in generic* to actually be "Undefined" or just that it merely exist.<BR />If the latter, then it should work for both, but I'm not confident that it will work/be supported.</P> Mon, 26 Jun 2023 17:14:06 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-one-external-user-profile-for-two-different-MFA/m-p/184827#M4775 PhoneBoy 2023-06-26T17:14:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-one-external-user-profile-for-two-different-MFA/m-p/185149#M4776 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;I tried what you said and managed to get this working on R81.20. Here are the steps if any one else wants to try it:</P><P>1) In Smart Dashboard, changed the external generic* profile authentication method from SecurID to Undefined</P><P>2) Then I created two authentication schemes for the VPN clients; one for SecurID and the second for Azure Identity Provider</P><P>3) The user can manually select the authentication in the Endpoint client and connect successfully to the chosen method</P><P>Thanks!</P> Thu, 29 Jun 2023 09:06:31 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-one-external-user-profile-for-two-different-MFA/m-p/185149#M4776 tmnetsec 2023-06-29T09:06:31Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-one-external-user-profile-for-two-different-MFA/m-p/185167#M4777 <P>Only caveat I see here is that you need to make sure you're not using the "legacy" (defined on user method) option.<BR />Glad it works, however. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 29 Jun 2023 13:39:27 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Using-one-external-user-profile-for-two-different-MFA/m-p/185167#M4777 PhoneBoy 2023-06-29T13:39:27Z