https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/149707#M7151 <P>i have the same issue on r81.10 take 45 ,&nbsp;Is there a public SK on this?</P> Mon, 30 May 2022 09:11:38 GMT lrossi89 2022-05-30T09:11:38Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/142690#M7148 <P><STRONG>Hi,</STRONG></P><P>&nbsp;</P><P>We are having a problem now on implementation when using SAML Azure AD authentication. Everything is working - authentication etc. Users can login properly - connectivity is ok.&nbsp;</P><P>My problem is that when we use the access role and choose a specific user / group - the access role is not working and traffic goes thru Clean up rule. Access role works when it is set to "Any Authenticated" but this would not be helpful when there are multiple user with different access. Any help is appreciated - is there a special config or is this a limitation. We are running R81 + JHF 56 (latest)</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Tue, 01 Mar 2022 13:31:30 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/142690#M7148 support_suppor1 2022-03-01T13:31:30Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/142945#M7149 <P>Are you sure the application in Azure AD is set up per here?<BR /><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Using-Azure-AD-for-Authorization.htm?Highlight=graph" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Using-Azure-AD-for-Authorization.htm?Highlight=graph</A><BR />The groups needed for Azure AD are retrieved via the Graph API (supported in R81 and above).</P> Thu, 03 Mar 2022 23:42:10 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/142945#M7149 PhoneBoy 2022-03-03T23:42:10Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/145256#M7150 <P>Had the same&nbsp; issue on R81, login to Azure SAML worked fine&nbsp; but after that&nbsp; ,&nbsp; &nbsp;cleanup rule was used&nbsp; instead&nbsp; of the specific access role policy rule.&nbsp; TAC&nbsp; provided a hotfix and this started working after we applied the hotfix to the gateway and installed the policy.&nbsp; Hotfix will be custom and dependent on your HFA level.&nbsp;&nbsp;</P> Fri, 01 Apr 2022 14:11:18 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/145256#M7150 Zoran_Filipac 2022-04-01T14:11:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/149707#M7151 <P>i have the same issue on r81.10 take 45 ,&nbsp;Is there a public SK on this?</P> Mon, 30 May 2022 09:11:38 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/149707#M7151 lrossi89 2022-05-30T09:11:38Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/149735#M7152 <P>can you share the&nbsp;SR# number ?</P> Mon, 30 May 2022 14:02:54 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/149735#M7152 lrossi89 2022-05-30T14:02:54Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/161847#M7153 <P>We had same issue. After SAML authentication (Azure AD), Users were not able to access LAN networks. Access role was not matched. We followed below steps to resolve issue.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 398px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18369iF3E73852E07B17E7/image-size/medium?v=v2&amp;px=400" role="button" title="Capture.PNG" alt="Capture.PNG" /></span></P> <P>&nbsp;</P> <P>Now I have different problem. I cannot use mobile access application with Azure IDP access role as per sk171557. I am checking if I need to use simple "destination" field to restrict user for specific destination or not.</P> <P>&nbsp;</P> Fri, 11 Nov 2022 09:44:08 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/161847#M7153 Gaurav_Pandya 2022-11-11T09:44:08Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/161850#M7154 <P>Check this :&nbsp;<STRONG>sk179788&nbsp;<A class="" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk179788&amp;partition=Advanced&amp;product=Remote" target="_blank" rel="noopener">Access Roles are not enforced when using SAML authentication</A></STRONG></P> Fri, 11 Nov 2022 10:42:46 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/161850#M7154 lrossi89 2022-11-11T10:42:46Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/161971#M7155 <P>Hi,</P> <P>Access role issue is already resolved but my concern is how I can use Access role Azure identity with mobile access application to restrict user for certain destination.</P> <P>As per sk171557, we cannot do that</P> <P>&nbsp;</P> Mon, 14 Nov 2022 08:02:35 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/161971#M7155 Gaurav_Pandya 2022-11-14T08:02:35Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/167242#M7156 <P>Through this SK179788 it works, but we are finding an anomaly:</P><P><BR />- We are using Azure AD groups directly, and it seems to work correctly.</P><P>step -&gt; Using Azure AD for Authorization <A href="https://sc1.checkpoint.com/documents/r81/webadminguides/en/cp_r81_centityAWareness_adminguide/topics-idag/using-azure-for-uthorization.htm?highlight=graph" target="_blank">https://sc1.checkpoint.com/documents/r81/webadminguides/en/cp_r81_centityAWareness_adminguide/topics-idag/using-azure-for-uthorization.htm?highlight=graph</A>&nbsp;<BR /><BR /></P><P>- But in a random way sometimes the firewall "not retrieve the correct group from AD Azure" and makes the retrieval from the LOCAL LDAP groups (from local Active Directory), and in this case VPN connections doesn't work because non match the correct AR Azure.</P><P>Then just after an install policy everything recovers and the firewall retrieve the correct information from azure</P><P>Has anyone made this integration, without setting manual groups and works without anomalies?</P> Tue, 10 Jan 2023 10:05:55 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/167242#M7156 lrossi89 2023-01-10T10:05:55Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/167266#M7157 <P>Sounds like a bug and I recommend opening a TAC case.</P> Tue, 10 Jan 2023 13:45:03 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/167266#M7157 PhoneBoy 2023-01-10T13:45:03Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/180778#M7158 <P>&nbsp;</P> <UL> <LI value="4"> <P>Step 1 - d</P> </LI> <LI value="4"> <P>Click <SPAN class="Menu_Options">New Application &gt; Non-gallery application</SPAN>.</P> </LI> </UL> <P>Can we use the pre populated Checkpoint Secure VPN access application or is the specific requirement to create a new non-gallery application? what is the reason.&nbsp;</P> <P>&nbsp;</P> Sat, 13 May 2023 01:10:57 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/SAML-Azure-AD-Remote-access-Access-Role-policy/m-p/180778#M7158 nflnetwork29 2023-05-13T01:10:57Z