Re: Is SAML support available in r80.10?

Vladimir · ‎2017-11-11

Hi.

I was reading the sk98811 and tried to lookup same feature in r80.10, but no luck.

Any ideas where to look for it will be appreciated.

PhoneBoy · ‎2017-11-11

It is not currently supported in R80.x.

Mahipal_Singh · ‎2018-01-29

any roadmap?

Also if customer have AD server in Azure and using ADFS, can we have an integration ready with Azure ADFS?

PhoneBoy · ‎2018-01-29

I believe there is roadmap for both items, but no dates to share at this time.

Michael_Massa · ‎2019-03-25

Is there roadmap info for SAML in R80.20/.30?

PhoneBoy · ‎2019-03-25

It will most likely be a future version.

Heath_Hendricks · ‎2020-05-13

Two years after this question was first asked, and still nothing formal on Roadmap or expected version of code? It's not in R80.30 or R80.40.

The challenge is that while RADIUS works, it precludes customers for using any U2F/FIDO2 style MFA tokens, which are more secure than traditional OTP based tokens. The only secure option for customers at present is an MFA solution that supports Push notification, but that requires a smart phone with the app and available mobile phone data service. There are situations where phones are not allowed (manufacturing floors, for example) or where you don't have mobile coverage but would still have Internet (wired, dial-up, etc.). Additionally, there are situations where a user might not have a mobile phone or only have a personal one that doesn't support the necessary mobile app and you need to deploy a hardware token to the user or use a hardware token as a backup to the mobile app.

PhoneBoy · ‎2020-05-13

There is SAML support in R80.40 for Identity Awareness specifically.
See: https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Identity-Awareness-using-Azure-AD...
This has not made its way into the Remote Access clients yet.

Heath_Hendricks · ‎2020-05-14

While interesting, the remote access client is where it's really valuable. It's ultimately a matter of priorities, I guess. Other vendors have had SAML support in their clients for years.

To me, being unable to support U2F as an MFA token is a big miss for a company that prides itself on being on the leading edge of security.

It pains me to say it, but Check Point has really paid little attention to remote access security for the past 4-5 years. Even the Mobile Access SSL-VPN is very long in the tooth. Hotfix after hotfix just to be able to use it on modern systems and browsers. And not even included in the JHF, but as special MABDA hotfixes that required a reboot of a firewall to install. Finally showing up in R80.40.

It's just my personal opinion, but it feels like Check Point is just chasing butterflies and not paying enough attention to the fundamentals.

PhoneBoy · ‎2020-05-14

Adding SAML support to the VPN clients is not in the near-term plans.
I would encourage you to discuss the requirements with your local Check Point office, which can help promote this.

Paulo_Rosa · ‎2020-07-15

I think is important for suport of new solutions like OKTA, DUO etc.

Cisco , Fortinet & Palo Alto already have this feature available.

PhoneBoy · ‎2020-07-15

Believe this is now planned for R81.
Encourage you to get involved with the EA.

Heath_Hendricks · ‎2020-07-15

I'll certainly check out the EA, but we are still working through the planning for the R80.40 upgrade. Is there an overall timeline for when R81 will go GA? I assume that SAML support in the client will likely not make the first few GA releases given the late inclusion of it in the plan.

What is the best path to get confirmation on the roadmap and timing for this feature in R81? Through my account team?

PhoneBoy · ‎2020-07-15

Plan is end of September, however the more EA participants we get, the faster it can release.
More details about R81 EA here: https://community.checkpoint.com/t5/Product-Announcements/R81-EA-Program-Production/ba-p/86945
If you need a formal commitment for a particular feature, your best bet is your local account team.