topic Re: SAML Support for Remote Access VPN in SASE and Remote Access

SAML Support for Remote Access VPN

PhoneBoy — Fri, 19 Apr 2024 14:22:21 GMT

This question has come up a lot on the community.
We now have a formally supported solution that allows integration with ADFS and other SAML-based authentication.
This requires Check Point gateways running (at minimum) the following releases:

R80.40 JHF 114 or above (not supported with Maestro)
R81 JHF 42 or above (not supported with Maestro)
R81.10 JHF 9 or above (not supported with Maestro)
R81.20 (supported with Maestro) and above

The following VPN clients are supported (minimum versions listed):

E84.70 on Windows
E85.30 on macOS
Capsule VPN clients (see sk181494), which requires the following gateway versions:
- R81.10 JHF 43 and above
- R81.20 JHF 113 and above

This solution is NOT currently supported with:

Capsule Workspace
Embedded Gaia/SMB Gasteways

If such support is needed, please open an RFE with your local Check Point office.

You can see the details in the R81.20 Remote Access VPN guide under SAML Support for Remote Access VPN and/or sk172909.

Re: SAML Support for Remote Access VPN

JustTesting — Mon, 03 May 2021 13:25:04 GMT

This is great news! I've been looking for a way to use Azure MFA, but the Windows NPS RADIUS had some caveats where each additional tunnel with secondary connect re-prompted for MFA.

I am curious how this will behave with secondary connect in my environment, where I have SMB firewalls that won't support the new SAML authentication method. The video says at the 5:20 mark that the identity awareness session can be shared with other gateways post-authentication, but does that apply to authentication itself?

Re: SAML Support for Remote Access VPN

PhoneBoy — Mon, 03 May 2021 13:51:28 GMT

That’s a good question.
@AndreiR do you know?

Re: SAML Support for Remote Access VPN

AndreiR — Tue, 04 May 2021 16:12:35 GMT

@PhoneBoy I don't know for sure. Better check with gateway team.

Re: SAML Support for Remote Access VPN

PhoneBoy — Tue, 18 May 2021 14:49:19 GMT

We checked this and confirmed that this will only work where the gateway has exactly the same authentication factor/factors as the realm on the primary gateway.
This is by design.

Re: SAML Support for Remote Access VPN

JustTesting — Tue, 18 May 2021 14:51:36 GMT

Understood, thank you for looking into it!

Re: SAML Support for Remote Access VPN

lullejd — Mon, 28 Jun 2021 06:32:51 GMT

Hi,

Has anyone managed to make this work? Although gateway is upgraded to R80.40 with JHF114 there is still no option on the gateway properties VPN Clients > SAML Portal Settings as stated in the Release notes.

Also on R81, is it yet available?

Thanks

Re: SAML Support for Remote Access VPN

Anat_Bar-Anan — Mon, 28 Jun 2021 07:14:51 GMT

Hi,

thanks for your question.

To be able to configure SAML for VPN RA, you'll need to also upgrade your MGMT to the JHF.

As for R81 - feature is planned to be available in next R81 JHF - currently scheduled for end of July.

Re: SAML Support for Remote Access VPN

lullejd — Mon, 28 Jun 2021 07:20:54 GMT

I have management with R81 latest jumbo hotfix and Gateway R80.40 take 141. I think the management is the problem then. will have to wait for the new JHF of R81

Re: SAML Support for Remote Access VPN

Anat_Bar-Anan — Mon, 28 Jun 2021 09:14:06 GMT

updating that next R81 JHF scheduled to mid-end of August

Re: SAML Support for Remote Access VPN

Paul_Hagyard — Sun, 11 Jul 2021 22:48:15 GMT

This is much nicer than using the Microsoft NPS AzureAD plugin for MFA!

With reference to the PDF in the SK (SAML for Remote Access VPN, 6 June 2021), using UPN rather than email for LDAP matching (pg 12, Multiple Logon Option) is likely to be more successful. Organisations often have external users requiring access, and the UPN for such users will be the required firstname.surname@org.domain but their email address in AD is more often an external domain. In such a scenario uses cannot logon unless the lookup type is set to UPN.

Re: SAML Support for Remote Access VPN

Paul_Hagyard — Sun, 11 Jul 2021 22:53:16 GMT

I will review the client documentation and likely raise a SR, but is there any known way with Endpoint Security standalone to not perform a CRL check on the gateway VPN certificate?

At present we have got this working with the gateway using a default SmartCenter ICA issued VPN certificate. The SmartCenter CA certificate is loaded into the client trusted root certificate store. Everything works fine, but the client complains about being unable to reach the CRL. The SmartCenter uses an internal domain name, so the CA is not resolvable (and is not accessible from the Internet anyway).

Re: SAML Support for Remote Access VPN

PhoneBoy — Mon, 12 Jul 2021 00:25:50 GMT

Without validating the CRL there is no way for the client to know if the remote certificate should be trusted as it could have been revoked.
Even if it is possible (don’t believe it is) it’s not recommended to disable this check.

Re: SAML Support for Remote Access VPN

Paul_Hagyard — Mon, 12 Jul 2021 00:37:36 GMT

Thanks, although it's only the new browser component for SAML doing the CRL check. For non-SAML VPN connections the Endpoint Security client does not complain about being unable to perform a CRL check on the same certificate (e.g. retrieving the site details/policy via HTTPS) - so presumably it is not checking beyond the certificate's CA trust.

Sounds like the easiest option is an external CA cert.

Re: SAML Support for Remote Access VPN

PhoneBoy — Mon, 12 Jul 2021 01:45:49 GMT

That...could be a bug and might be worth a TAC case.

Re: SAML Support for Remote Access VPN

Paul_Hagyard — Mon, 19 Jul 2021 02:45:06 GMT

Hi,

For anyone implementing this with Azure AD and retaining local AD group matching via LDAP for Identity Awareness role-based access, we found it was necessary to modify $FWDIR/conf/identity_awareness_custom_settings.C on the SmartCenter server(see sk147417) and uncomment the line:

#\,

to be simply

Otherwise Identity Awareness fails to match AD user DNs in the format "DN=surname\,firstname@domain" and role-based access does not work. A policy install is required to push the behaviour change to the gateway.

Cheers,

Paul

Re: SAML Support for Remote Access VPN

meeruji — Wed, 04 Aug 2021 05:42:22 GMT

Currently as per sk172909 for SAML Authentication Configuration you require the following:

Check Point Security Gateway running R80.40 Jumbo Hotfix Accumulator Take 114 or higher.
Check Point Security Management running R80.40 Jumbo Hotfix Accumulator Take 114 or higher.
Endpoint Security Client for Windows (starting from version E84.70 build 986102705), or macOS Endpoint Security Client version that can be downloaded here: (Endpoint Security VPN).
The latest Smartconsole Build for R80.40 Build 423 or higher. Without this the portal page won't be visible. Refer to sk165473 for more details.
If your MGMT server is on R81 or R81.10 the Portal Page will not be visible. Both the Gateway and Mgmt Server need to be on R80.40. Integration seems to be only for R80.40 Gateways, Cluster's and VSX currently.

Re: SAML Support for Remote Access VPN

Heath_H — Mon, 16 Aug 2021 18:59:20 GMT

Any updates for this support in R81 (my lab is on R81 for testing purposes) and all the manual steps and specific version requirements make this very difficult for me to test on my production gateways.

Given that it’s been several months since this was first dropped, any updates on some of the limitations (specifically, Identity Sharing - I need to enforce Access Roles on gateways other than my VPN gateways).

And the SK makes a note about SDL doesn’t support SAML, which I completely understand, but does that mean that we can’t use SDL without SAML and still use SAML for user triggered VPN connections?

Finally, what happens if the client isn’t at a version that supports SAML? Do they fallback to another supported mechanism (RADIUS) or do they just completely fail to authenticate?

Re: SAML Support for Remote Access VPN

PhoneBoy — Mon, 16 Aug 2021 19:59:58 GMT

As far as I know, Remote Access SAML will be added to the R81/R81.10 JHF in the coming weeks.
@Royi_Priov can you speak to the Identity Sharing implications here as the release notes for this mention a planning session with pre-sales?

Re: SAML Support for Remote Access VPN

Paul_Hagyard — Mon, 16 Aug 2021 20:28:22 GMT

In regards to role-based access, if you have on-prem AD DCs then just continue using traditional IA for roles (ADQ / Identity Collector). We're matching UPN format SAML logins against ADQ for role-based access, so the same AD roles can be used on any gateway.