https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-Integrate-certificate-SCV-AzureMFA/m-p/156060#M6355 <P>Hi, thanks for the prompt answer. Much appreciated.</P><P>Given this case, would it be possible to configure certificate base authentication for VPN and then use SAML MFA within an authentication rule?</P><P><BR />Thank you.</P><P>Regards,</P> Wed, 31 Aug 2022 09:22:46 GMT Gonza1 2022-08-31T09:22:46Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-Integrate-certificate-SCV-AzureMFA/m-p/155998#M6353 <P>Hello guys,</P><P>I´m pretty new with Checkpoint. I´m working with a customer that needs to accomplish the following:</P><P>Steps:</P><P>1- VPN authentication through certificate.</P><P>2- Client "lands" into a zone where SCV is performed.</P><P>3- If SCV is successfull then, authenticates with AzureMFA.&nbsp;</P><P>As I could see from Kbs, SAML/IDP authentication is not compatible with anything else on same login option, so here comes my concern if the above is doable.</P><P>Also, I could not find any docs where it states the vpn process steps. Is there something as such? Something like "first happens this", then this and so on...</P><P><BR />Thanks in advance for your time and help.</P><P>Regards,</P> Tue, 30 Aug 2022 14:09:43 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-Integrate-certificate-SCV-AzureMFA/m-p/155998#M6353 Gonza1 2022-08-30T14:09:43Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-Integrate-certificate-SCV-AzureMFA/m-p/156028#M6354 <P>SCV is performed on the client side once the user has authenticated to the VPN successfully.<BR />If the client fails the SCV check they will still remain connected but will only be allowed to communicate with the configured remediation networks.</P> <P>Configuring certificate based authentication and SAML together in the Check Point configuration is not supported.<BR />Review the fourth bullet point below from:&nbsp;<A href="https://downloads.checkpoint.com/dc/download.htm?ID=114551" target="_blank">https://downloads.checkpoint.com/dc/download.htm?ID=114551</A>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 660px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17607iB3D4D8BB1ACC3D1A/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>That said, if AzureAD (or whatever you're using for SAML authentication) supports the desired authentication methods in the desired order, they can be configured there.</P> Tue, 30 Aug 2022 23:02:32 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-Integrate-certificate-SCV-AzureMFA/m-p/156028#M6354 PhoneBoy 2022-08-30T23:02:32Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-Integrate-certificate-SCV-AzureMFA/m-p/156060#M6355 <P>Hi, thanks for the prompt answer. Much appreciated.</P><P>Given this case, would it be possible to configure certificate base authentication for VPN and then use SAML MFA within an authentication rule?</P><P><BR />Thank you.</P><P>Regards,</P> Wed, 31 Aug 2022 09:22:46 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-Integrate-certificate-SCV-AzureMFA/m-p/156060#M6355 Gonza1 2022-08-31T09:22:46Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-Integrate-certificate-SCV-AzureMFA/m-p/156273#M6356 <P>Authentication via Remote Access is generally considered sufficient for Identity Awareness purposes.<BR />However, it's not enabled as an Identity Source by default for Identity Awareness.<BR />So...might work? Don't know for sure.</P> Thu, 01 Sep 2022 23:57:31 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/VPN-Integrate-certificate-SCV-AzureMFA/m-p/156273#M6356 PhoneBoy 2022-09-01T23:57:31Z