https://community.checkpoint.com/t5/Spark-Firewall-SMB/Spark-Entra-ID-SAML-authentication-for-RA-VPN-illustrated/m-p/229496#M11570 <P>FYI, I edited your post to embed the video you've referenced.<BR />Great stuff!</P> Fri, 11 Oct 2024 20:05:31 GMT PhoneBoy 2024-10-11T20:05:31Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Spark-Entra-ID-SAML-authentication-for-RA-VPN-illustrated/m-p/229490#M11569 <P>Gentle reader,</P> <P>&nbsp;</P> <P>The <A title="documentation" href="https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Configuring-Remote-Access-Authentication-Servers.htm" target="_blank" rel="noopener">documentation </A>for SAML <STRONG>authentication</STRONG> is correct and complete. There is also a <A href="https://www.youtube.com/watch?v=4WCGGRegeHE&amp;list=PLMAKXIJBvfAjPa7C36ANIsAv59kmtKFyL&amp;index=3" target="_blank" rel="noopener">video</A> in the <A href="https://www.youtube.com/playlist?list=PLMAKXIJBvfAjPa7C36ANIsAv59kmtKFyL" target="_self">playlist</A> dedicated to the new features introduced in R81.10.15. The steps are identical to those in the <A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/SAML-Support-for-Remote-Access-VPN.htm" target="_self">maintrain</A> configuration.</P> <P><div class="video-embed-center video-embed"><iframe class="embedly-embed" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2F4WCGGRegeHE%3Ffeature%3Doembed&amp;display_name=YouTube&amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D4WCGGRegeHE&amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2F4WCGGRegeHE%2Fhqdefault.jpg&amp;type=text%2Fhtml&amp;schema=youtube" width="200" height="112" scrolling="no" title="Check Point Quantum Spark: VPN Remote Access with SAML Authentication" frameborder="0" allow="autoplay; fullscreen; encrypted-media; picture-in-picture;" allowfullscreen="true"></iframe></div></P> <P>To make it easier to follow the procedure (especially in Microsoft Entra ID portal) I illustrated each step with screenshots in the attached doc.</P> <P>Notes:</P> <P>1.&nbsp;Microsoft Entra ID <STRONG>groups</STRONG> could not be used in <STRONG>access policy</STRONG> (neither group authorization based on identity tags available in maintrain Mobile Access and not [yet] in IPSec Remote Access, nor Entra ID as used in IDA on maintrain).</P> <P>There is a nice new feature in R81.10.15 that simplifies access control of remote vpn clients traffic, with a <A href="https://www.youtube.com/watch?v=L_eff4ruRJQ&amp;list=PLMAKXIJBvfAjPa7C36ANIsAv59kmtKFyL&amp;index=5" target="_blank" rel="noopener">video</A></P> <P>2. To force interactive authentication on every VPN connection attempt, regardless of whether a valid token and/or cookies are present, the optional forceAuthn SAML parameter has to be configured (big deal when the feature was introduced in maintrain, now documented by <A href="https://support.checkpoint.com/results/sk/sk180948" target="_blank" rel="noopener">sk180948, How to force SAML authentication for users for each Remote Access VPN connection</A>). On Spark (R81.10.15), I configured the parameter in both&nbsp;</P> <P><FONT face="courier new,courier">/pfrm2.0/opt/fw1/portals/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php</FONT></P> <P>and</P> <P><FONT face="courier new,courier">/pfrm2.0/opt/fw1/portals/CPSamlPortal/phpincs/simplesamlphp/config-templates/authsources.php</FONT></P> <P>3. SAML-based authentication is not available on locally managed Spark for SSL VPN (including SNX) and I'm not sure that it was supposed to be aligned with MT even with centrally managed Sparks.&nbsp;</P> <P>&nbsp;</P> <P>Hope these help.</P> <P>&nbsp;</P> <P>P. S. There is a new, simplified procedure available in R81.10.15 to <A href="https://www.youtube.com/watch?v=sYM86SvPOWI&amp;list=LL&amp;index=2" target="_self">onboard</A> a device to cloud services, that offers the log sorting and querying capabilities of Spark management right in the <STRONG>Enhanced monitoring</STRONG> Spark WebUI and could be very useful especially for starting troubleshooting these new RA VPN features.</P> Sat, 12 Oct 2024 08:03:22 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Spark-Entra-ID-SAML-authentication-for-RA-VPN-illustrated/m-p/229490#M11569 APopisteru 2024-10-12T08:03:22Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Spark-Entra-ID-SAML-authentication-for-RA-VPN-illustrated/m-p/229496#M11570 <P>FYI, I edited your post to embed the video you've referenced.<BR />Great stuff!</P> Fri, 11 Oct 2024 20:05:31 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Spark-Entra-ID-SAML-authentication-for-RA-VPN-illustrated/m-p/229496#M11570 PhoneBoy 2024-10-11T20:05:31Z