C_H
Participant
Remote Access Authentication with Certificate and Group Membership Retrieval

Hello Everyone,

A customer challenged me with the following problem:

If Personal Certificate is used as the Authentication Method for Remote Access and my User Identity Store is Entra, how do I get the Group Membership Retrieval for the "Offer Office Mode to group" option?

Does it always have to be an LDAP query from the Gateway to an on-prem device for group membership when Personal Certificate is used as a login option?

If yes, is there something which forwards this LDAP query from on-prem to Entra?

 

Does anybody have a hint for me?

Best Regards

Colin

7 Replies

PhoneBoy
Admin

The necessary groups are sent as part of the SAML Assertion, which is configured on the Entra ID side.
There is also configuration needed on the Check Point side (the creation of EXT_ID_ objects).
See: https://support.checkpoint.com/results/sk/sk177267 

C_H
Participant

Hi PhoneBoy,

Yes, I know this. But with Personal Certificate there is no SAML mechanism triggered, since the certificate is presented by the client to the Check Point gateway and is then checked (is it valid? does the Check Point GW trust the issuer? etc.). So there is no SAML ongoing in this case.

From my point of view it is not possible to do the Certificate Authentication with SAML, so you have to rely on Personal Certificate as the Login Option.


Best Regards

Colin

 

PhoneBoy
Admin

You're correct.
This is mentioned in the documentation under Known Limitations:

SAML authentication cannot be configured with more authentication factors in the same login option. The Machine Certificate Authentication option is supported. To use Multiple Factor Authentication, configure the external Identity Provider to have multiple verification steps. The complexity and number of verification activities depends on the configuration of the Identity Provider.

C_H
Participant

Hi PhoneBoy,

 

Thank you for your reply.

Can I ask why this is marked as the solution for my questions?

From your answer, the only thing confirmed is that SAML can't be used with other login options.

My initial problem (how to get group membership from Entra if Personal Certificate is used as the login option) was not solved by that.

 

Best Regards

Colin

PhoneBoy
Admin

Is this certificate used to authenticate with Entra ID directly?
If so, we do not get involved in this.

The SAML assertion, received as a result of successful authentication with Entra ID, tells us you are authenticated and what groups you are actually authorized for.
The groups we recognize from SAML must be explicitly configured, as described in the SK/docs linked previously.
The groups passed to us are a function of configuration in Entra ID, with some information provided in the SK/docs linked previously.

C_H
Participant

No, Entra is not in use, and I think that's where the misunderstanding comes from.

Authentication method is Personal Certificate, where user certificates are stored on the endpoints, the VPN clients present those certificates to the gateway, and the gateway checks if the user certificates are valid and if the gateway trusts the CA (please correct me if anything is wrong in my understanding).

So everything is pretty much handled on-prem. If the validation of the client certificate is successful, one of the next steps is to check the group membership (if the corresponding settings are set in the Remote Access VPN Community or in the GW/Cluster Object --> Office Mode).

Now this is where the challenge starts: with on-prem AD there is no problem, an LDAP request is sent and the GW retrieves the group membership for the user who is connecting. Now in my case, there is no on-prem AD and the group membership info is in Entra ID.

 

How do I get this group membership info to the Check Point gateway in this case?

 

Best Regards

Colin

PhoneBoy
Admin

If you're using an on-premise method of authentication (personal certificates, in this case), you must use an on-premise method to gather the groups.
This is usually done via LDAP, but can also be done over RADIUS (assuming it's an authentication factor).
Not sure Entra provides these connectors at all.

Otherwise, your only option is to use SAML for authentication (where the groups are communicated via the SAML assertion).

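The two group-retrieval paths discussed in this thread, as an added example that is not part of the original posts and is not Check Point's code: the SAML path (groups arrive as attribute values inside the assertion, matched against pre-created EXT_ID_ objects, as in the first reply) and the on-prem path used with Personal Certificate (the identity taken from the validated certificate is placed into an LDAP search filter and memberOf is read back, as in the last reply). Assumptions: the Entra group claim keeps its default attribute name, gateway objects are named EXT_ID_ followed by the claim value, the directory attribute holding the certificate UPN is userPrincipalName, and the assertion text is a constructed fragment, not a real token.

```python
"""Where a remote-access gateway gets a user's groups: SAML claim vs. LDAP.

Added example, not Check Point code. The SAML path models the Entra ID route:
groups arrive as attribute values in the assertion and are matched against
pre-created EXT_ID_ objects. The LDAP path models the on-prem route used with
Personal Certificate: the identity from the validated certificate is placed
into an LDAP search filter that would fetch memberOf from the directory.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default attribute name Entra ID uses for group claims in SAML tokens
# (assumption: the enterprise app has not been given a custom claim name).
ENTRA_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed assertion fragment for illustration; not a real token and unsigned.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_example">
  <saml:Subject><saml:NameID>colin@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical gateway-side object names. Assumption: each group the gateway
# should recognise exists as an object named EXT_ID_<claim value>.
CONFIGURED_EXT_ID_OBJECTS = {"EXT_ID_11111111-1111-1111-1111-111111111111"}


def groups_from_assertion(xml_text, claim=ENTRA_GROUPS_CLAIM):
    """Return the group claim values carried in a SAML assertion.

    Only call this on an assertion whose signature has already been verified;
    until then the document is attacker-controlled input.
    """
    root = ET.fromstring(xml_text)
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != claim:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def recognised_groups(groups, configured=CONFIGURED_EXT_ID_OBJECTS):
    """Keep only claim values that have a matching EXT_ID_ object on the gateway."""
    return [g for g in groups if f"EXT_ID_{g}" in configured]


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The identity comes from a certificate subject or SAN issued by a trusted
    CA, but a filter built by string concatenation must still never let
    metacharacters change the query.
    """
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def group_lookup_filter(upn):
    """Filter an on-prem directory would receive to fetch the user's memberOf.

    Assumes the certificate's UPN is stored in userPrincipalName; that
    attribute name is an assumption about the directory schema.
    """
    return f"(&(objectClass=user)(userPrincipalName={ldap_filter_escape(upn)}))"


def office_mode_offered(user_groups, office_mode_group):
    """Decision behind 'Offer Office Mode to group': is the user in that group?"""
    return office_mode_group in user_groups


if __name__ == "__main__":
    saml_groups = groups_from_assertion(SAMPLE_ASSERTION)
    print("groups in assertion:", saml_groups)
    print("recognised by gateway:", recognised_groups(saml_groups))
    print("LDAP filter:", group_lookup_filter("colin@example.com"))
```

The point the thread makes shows up in the structure: only one of the two paths runs for a given login option, and the SAML path has no directory query at all, so with Personal Certificate the second path (the LDAP filter) is the only one that can produce group membership.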
