This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
FtW64
Contributor
‎2025-04-16 06:11 AM
Jump to solution

Modify 'Return URL' in Identity Provider object for SmartConsole SAML SSO

I have successfully setup SmartConsole SAML SSO, using an Identity Provider object in SmartConsole.

When creating this Identity Provider object, the IdP "Return URL" is automatically populated like: "https://192.168.100.241/...", where 192.168.100.241 is the IP address of the management server. You cannot edit this value.

I'd like to replace the IP address with the FQDN of the management server, like "https://sms.mydomain.com/...".

Is this possible? If so, how?

Thanks in advance!

-Frank

0 Kudos
1 Solution

Accepted Solutions
FtW64
Contributor
‎2025-04-17 12:49 AM
Jump to solution

SOLVED

It is in the "R81.20 Quantum Security Management Administration Guide", as explained by CP TAC, although a bit hidden: search for "SAML_IP_OR_NAME".

  1. Edit $CPDIR/tmp/.CPprofile.sh
  2. Add this line to the file:

    SAML_IP_OR_NAME=example.com; export SAML_IP_OR_NAME

  3. Restart the management server (cpstop;cpstart will do)

NOTE:

When creating an Identity Provider object for SmartConsole ("Managing Administrator Access"), the Return URL still shows the IP address. However, when SmartConsole performs the SAML request, it uses the FQDN in the Return URL silently. So, you MUST manually change the IP address for the FQDN when configuring the Return URL on the IdP (EntraID or similar).

 

 

View solution in original post

7 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-04-16 11:59 AM
Jump to solution

I could be mistaken, but the only way I know of possibly be able to do that is if you change what I attached and install policy.

Andy

Best,
Andy
Preview file
64 KB
0 Kudos
Nüüül
Advisor
Advisor
‎2025-04-16 11:49 PM
In response to the_rock
Jump to solution

if this would work, it only works on standalone installation. management server objects don´t have VPN Portal settings 🙂

i believe, you will have to change simple-saml config files or something like that. would suggest having TAC involved.

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-04-17 03:34 AM
In response to Nüüül
Jump to solution

Funny enough, that lab is standalone : - )

Best,
Andy
0 Kudos
FtW64
Contributor
‎2025-04-17 04:12 AM
In response to the_rock
Jump to solution

Note that I'm using the SmartCenter Server as a SAML service provider. I'm not authenticating agains the gateway (or gateways) for Client VPN. Or are you referring to a management server cluster (management HA)?

0 Kudos
FtW64
Contributor
‎2025-04-17 12:19 AM
In response to the_rock
Jump to solution

This is for IA (or Remote Access VPN) IdP. I don't think these settings apply to the management server as a SAML SP.

I have submitted a TAC case and will update when (if) I get a solution.

0 Kudos
FtW64
Contributor
‎2025-04-17 12:49 AM
Jump to solution

SOLVED

It is in the "R81.20 Quantum Security Management Administration Guide", as explained by CP TAC, although a bit hidden: search for "SAML_IP_OR_NAME".

  1. Edit $CPDIR/tmp/.CPprofile.sh
  2. Add this line to the file:

    SAML_IP_OR_NAME=example.com; export SAML_IP_OR_NAME

  3. Restart the management server (cpstop;cpstart will do)

NOTE:

When creating an Identity Provider object for SmartConsole ("Managing Administrator Access"), the Return URL still shows the IP address. However, when SmartConsole performs the SAML request, it uses the FQDN in the Return URL silently. So, you MUST manually change the IP address for the FQDN when configuring the Return URL on the IdP (EntraID or similar).

 

 

the_rock
MVP Platinum
MVP Platinum
‎2025-04-17 03:33 AM
In response to FtW64
Jump to solution

Awesome, thanks for that! For the reference, page 84.

Andy

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events