smeny
Participant

Check Point Harmony connect Identity Provider SafeNet(Thales)


Hello all,

We currently want to connect the identity provider SafeNet with Check Point Harmony. Unfortunately SafeNet is not listed as a native provider, so we have to use the generic SAML interface.

So far we have not been able to transfer the correct values (groups) to Harmony, which is why no user authentication can be performed.

Do any of you have experience or have even actively integrated SafeNet?

We are grateful for every tip

Greetings Stefan

 

Accepted Solutions
smeny
Participant

Hi All,
We have managed to connect SafeNet Thales to the Check Point Harmony Connect Cloud via generic SAML. Attached you will find the screenshots of the configuration we created in the SafeNet Thales portal. It is also important that the groups have to be created manually.

Just for info, in case somebody else also wants to use it.

bye

Stefan

7 Replies
PhoneBoy
Admin

My understanding is that SAML itself isn't used for groups, or at least we're not using it for that.
In Azure AD, for instance, we use the Graph API to pull groups.
A specific integration would likely be an RFE.
@Royi_Priov 

Royi_Priov
Employee

Hi,

Indeed, SafeNet is not listed as one of the vendors in the Harmony Connect IdP wizard, so we need to use the generic option. This means that the users/groups will not be listed while trying to configure rules in the policy.

@Keren_Greenblat maybe you can elaborate better about the needed steps to make it work from HC policy point of view?

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Keren_Greenblat
Employee

Hi,

 

AFAIK, SafeNet was never tried with generic (I would have known).

Also, there's no guarantee that it will work.

Please try these steps for your configuration:

General SAML IdP - how to configure with a customer

  1. Configure the wizard.
  2. Be aware that full sync isn't supported.
  3. On the IdP side, use the URLs from the connectivity page in the IdP wizard (two URLs must be configured: the Entity ID and the reply URL (SSO)).
  4. Try to configure the following claims:
  • nameId - email format
  • 'userId' - the user's object ID in the IdP
  • 'First Name' - the user's first name
  • 'Last Name' - the user's last name
  • 'email' - the user's email
  • 'groups' or 'urn:mace:dir:attribute-def:groups' as the key; the value should be the group name

If this still doesn't work, and it's a deal breaker, I will be able to join a two-hour (maximum) session to try and help.

Please note, I had a similar session last week for KeyCloak over generic, but after two hours we still couldn't complete the relevant configuration.

Such cases are examples of why it cannot really be done online with the customer. Official IdP support requires developer research that usually takes a few days, and therefore closing it in a session with the customer is less recommended (therefore I suggest allocating 2 hours max for that).

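One way to check what the IdP actually sends against the claim list in the reply above, as an added example (Python, standard library only) that is not part of this thread and not Check Point's or Thales's tooling: it parses a captured SAML Response and reports which of the expected claims are missing or malformed, including the group attribute that this thread could not get through. The attribute names come from the reply; the sample response, the user values and the group names in it are constructed here for illustration and are not a real SafeNet Trusted Access response. The check deliberately does no signature validation: it is a claim-mapping check on a response you captured yourself, not an assertion validator.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Either key is accepted for groups, per the steps above; the value is the group name.
GROUP_ATTRS = ("groups", "urn:mace:dir:attribute-def:groups")
REQUIRED_ATTRS = ("userId", "First Name", "Last Name", "email")

# Constructed sample: the shape of a response that satisfies the steps above.
# Not a real SafeNet Trusted Access response; IDs, user values and group names are made up.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="userId"><saml:AttributeValue>u-0001</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="First Name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Last Name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:mace:dir:attribute-def:groups">
        <saml:AttributeValue>HC-Users</saml:AttributeValue>
        <saml:AttributeValue>HC-Admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_claims(response_xml):
    """Pull NameID (value and Format) and every attribute's values from the first Assertion.

    Signature checking is out of scope: this inspects a response you captured yourself
    (e.g. with a browser SAML tracer) to see what the IdP is actually sending.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response contains no saml:Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def group_names(claims):
    """Group names under whichever accepted key is present; [] means Harmony sees no groups."""
    for key in GROUP_ATTRS:
        if claims["attributes"].get(key):
            return list(claims["attributes"][key])
    return []


def check_claims(claims, known_groups=None):
    """Return a list of problems with the claim mapping; an empty list means it looks right.

    known_groups: names of the groups created manually in Harmony. Full sync is not
    supported with the generic IdP, so every group name the IdP sends must exist there.
    """
    problems = []
    if not claims["name_id"]:
        problems.append("NameID missing")
    elif claims["name_id_format"] != EMAIL_FORMAT:
        problems.append("NameID Format is %r, expected email format" % claims["name_id_format"])
    for name in REQUIRED_ATTRS:
        if not claims["attributes"].get(name):
            problems.append("attribute %r missing or empty" % name)
    groups = group_names(claims)
    if not groups:
        problems.append("no group attribute (%s); group-based rules cannot match" % " or ".join(GROUP_ATTRS))
    elif known_groups is not None:
        for g in groups:
            if g not in known_groups:
                problems.append("group %r sent by the IdP is not created in Harmony" % g)
    return problems


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_RESPONSE)
    print("NameID:", claims["name_id"], "groups:", group_names(claims))
    for problem in check_claims(claims, known_groups={"HC-Users", "HC-Admins"}):
        print("PROBLEM:", problem)
```

Capture the real response with a browser SAML tracer (base64-decode the SAMLResponse form field), feed it to extract_claims, and pass the group names you created manually in Harmony as known_groups; a non-empty result points at the attribute to fix on the SafeNet side, and a group that is sent but not created shows up separately from a group attribute that is missing altogether.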
Norbert_Bohusch
Advisor

Hi,

I have already integrated Harmony Connect with Thales STA (Safenet Trusted Access) and it worked. But I tried it only for Harmony Connect Internet Access if I remember correctly.

I don't have it enabled anymore.

 

smeny
Participant

Hi Norbert,

Do you happen to have a screenshot or a small piece of documentation of the values you stored in the SafeNet portal for Check Point Harmony?

Happy New Year!!

bye

Stefan

Norbert_Bohusch
Advisor

Sorry, no, I have only tested it and removed the configuration directly afterwards.
