Gacki
Participant

Check Point VPN Remote Access + Azure AD – LDAP Groups Not Assigned

Hi all,

I'm running into an issue with Check Point Remote Access VPN authentication via Azure AD (SAML). Users can successfully authenticate and establish a VPN session, but they are always assigned to the default "All Users" group. The LDAP groups from Active Directory are not being applied, even though the users are members of the appropriate AD groups (e.g., VPN_Users_AD).

  • Remote Access VPN is working with Azure AD / SAML authentication

  • On the Check Point Gateway:

    • Identity Awareness is enabled

    • Identity Collector is installed and shows connected (DCs, users, etc.)

    • LDAP Account Unit is configured and working (can browse AD users/groups)

  • Identity Sources include Remote Access and Identity Collector

What else can I check to ensure that LDAP group membership from AD is correctly assigned to users logging in via Remote Access VPN (Azure AD)?

Is there a known limitation with SAML-based logins and LDAP group resolution?

Thanks in advance for any insights or suggestions!

3 Replies
delToro1
Contributor

Hello! Did you create the specific App role in Azure? After that, you have to create a local group following the EXT_ID_<role_name> convention.

azure_ad.png

azure_ad_4.png

azure_ad_2.png

BR

Gacki
Participant

In the Remote Access VPN configuration, I see user groups like:

  • EXT_ID_Administradores_VPN_CheckPoint

  • EXT_ID_VPN_CheckPoint

These are listed under Participant User Groups (see screenshot).

Are these groups directly mapped to Azure Entra ID (Azure AD) groups?
Or are they just internal Check Point objects that need to be manually linked to LDAP or SAML attributes?

Trying to understand if these are automatically synced from Azure, or if I need to create and manage the mapping myself.

delToro1
Contributor

These are local groups that are mapped to the Entra ID groups. See step 6 in the documentation:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...


azure_ad_5.png

On the other hand, you have to configure the SAML attribute "group_attr" for the mapping.

azure_ad_7.png

BR

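A small checker, added here as an illustration and not Check Point's or Microsoft's own code, that models the mapping delToro1 describes: read the values of the SAML attribute "group_attr" from an assertion and see which of them line up with a local group named EXT_ID_<role_name>; anything that does not match falls back to the default "All Users" group, which is the symptom in the original post. The assertion XML, the attribute name "group_attr" and the set of local group names are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "group_attr"   # SAML attribute name from the reply (assumed to carry the app role)
LOCAL_PREFIX = "EXT_ID_"    # naming convention for the local Check Point group objects
DEFAULT_GROUP = "All Users" # group the user lands in when nothing matches

# Constructed sample assertion (not a real capture): one value matches a local
# group, the other does not, so it should show up as unmatched.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="group_attr">
      <saml:AttributeValue>VPN_CheckPoint</saml:AttributeValue>
      <saml:AttributeValue>Finance_VPN</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical local group objects, named after the two groups in the thread.
LOCAL_GROUPS = {"EXT_ID_VPN_CheckPoint", "EXT_ID_Administradores_VPN_CheckPoint"}


def extract_groups(assertion_xml, attr_name=GROUP_ATTR):
    """Return the values of the named attribute in the assertion (empty if absent)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return values


def resolve_local_groups(group_values, local_groups=LOCAL_GROUPS):
    """Map each SAML group value to EXT_ID_<value>; report matches and misses.

    Returns (assigned_groups, unmatched_values). With no match at all the user
    is assigned only the default group, mirroring the behaviour in the thread.
    """
    assigned = [LOCAL_PREFIX + g for g in group_values if LOCAL_PREFIX + g in local_groups]
    unmatched = [g for g in group_values if LOCAL_PREFIX + g not in local_groups]
    return (assigned or [DEFAULT_GROUP]), unmatched


if __name__ == "__main__":
    groups = extract_groups(SAMPLE_ASSERTION)
    assigned, missing = resolve_local_groups(groups)
    print("assigned:", assigned)
    print("no EXT_ID_ group for:", missing)
```

Running it with a wrong attribute name (for example the assertion carries "groups" while "group_attr" is expected) yields no values at all and therefore only "All Users", which is the same outcome as a missing local group, so both are worth checking.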
