Hello Everyone,
Customer challenged me with the following problem:
If Personal Certificate is used as the authentication method for Remote Access and my user identity store is Entra, how do I get group membership retrieval for the "Offer Office Mode to group" option?
Does it always have to be an LDAP query from the gateway to an on-prem device for group membership when Personal Certificate is used as a login option?
If yes, is there something which forwards this LDAP query from On Prem to Entra?
Does anybody have a hint for me?
Best Regards
Colin
The necessary groups are sent as part of the SAML Assertion, which is configured on the Entra ID side.
There is also configuration needed on the Check Point side (the creation of EXT_ID_ objects).
See: https://support.checkpoint.com/results/sk/sk177267
Hi PhoneBoy,
Yes, I know this. But with Personal Certificate there is no SAML mechanism triggered, since the certificate is presented by the client to the Check Point gateway and is then checked (is it valid? does the Check Point GW trust the issuer? etc.). So there is no SAML going on in this case.
From my point of view it is not possible to do the certificate authentication with SAML, so you have to rely on Personal Certificate as the login option.
Best Regards
Colin
You're correct.
This is mentioned in the documentation under Known Limitations:
SAML authentication cannot be configured with more authentication factors in the same login option. The Machine Certificate Authentication option is supported. To use Multiple Factor Authentication, configure the external Identity Provider to have multiple verification steps. The complexity and number of verification activities depends on the configuration of the Identity Provider.
Hi PhoneBoy,
Thank you for your reply.
Can I ask why this is marked as solution for my questions?
From your answer the only thing confirmed is that SAML can't be used with other login options.
My initial problem (how to get group membership from Entra if Personal Certificate is used as the login option) was not solved by that.
Best Regards
Colin
Is this certificate used to authenticate with Entra ID directly?
If so, we do not get involved in this.
The SAML assertion, received as a result of successful authentication with Entra ID, tells us you are authenticated and what groups you are actually authorized for.
The groups we recognize from SAML must be explicitly configured, as described in the SK/docs linked previously.
The groups passed to us are a function of configuration in Entra ID, with some information provided in the SK/docs linked previously.
No, Entra is not in use, and I think that's where the misunderstanding comes from.
The authentication method is Personal Certificate, where user certificates are stored on the endpoints, the VPN clients present those certificates to the gateway, and the gateway checks whether the user certificates are valid and whether the gateway trusts the CA (please correct me if anything is wrong in my understanding).
So everything is pretty much handled on-prem. If the validation of the client certificate is successful, one of the next steps is to check the group membership (if the corresponding settings are set in the Remote Access VPN Community or in the GW/Cluster object --> Office Mode).
Now this is where the challenge starts: with on-prem AD there is no problem, an LDAP request is sent and the GW retrieves the group membership for the user who is connecting. Now in my case, there is no on-prem AD and the group membership info is in Entra ID.
How do I get this group membership info to the Check Point gateway in this case?
Best Regards
Colin
If you're using an on-premises method of authentication (personal certificates, in this case), you must use an on-premises method to gather the groups.
This is usually done via LDAP, but can also be done over RADIUS (assuming it's an authentication factor).
Not sure Entra provides these connectors at all.
Otherwise, your only option is to use SAML for authentication (where the groups are communicated via the SAML assertion).
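To make the SAML path described in PhoneBoy's replies (groups arrive as claims in the assertion and are matched against EXT_ID_ objects on the gateway) concrete, here is an added illustration that is not code from the thread, from Check Point, or from sk177267. It parses a constructed, unsigned sample assertion, pulls the Entra group claim, matches it against a hypothetical set of EXT_ID_ objects, and applies the "Offer Office Mode to group" test. Assumptions: the Entra claim names, the "EXT_ID_" + group value naming, the Office Mode group name, and the overage-claim handling (when a user belongs to too many groups, Entra sends a groups.link claim instead of the list, so membership is simply absent from the token) are all illustrative; a real gateway must verify the assertion's XML signature before any of this is trusted.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Entra ID claim names (assumed from Entra's default SAML group-claim setup).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Emitted instead of the group list when the user is in more groups than fit
# in the token ("overage"); the membership is then NOT in the assertion.
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Hypothetical EXT_ID_ objects created on the management side (assumption:
# object name is "EXT_ID_" followed by the exact value Entra emits).
CONFIGURED_EXT_ID_OBJECTS = {
    "EXT_ID_VPN-Users",
    "EXT_ID_OfficeMode-Users",
    "EXT_ID_Admins",
}

# Constructed sample assertion: not a real capture, unsigned, tenant ID is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2025-12-10T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>colin@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
      <saml:AttributeValue>OfficeMode-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed overage sample: Entra replaced the group list with a Graph link.
SAMPLE_OVERAGE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2025-12-10T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>many.groups@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.microsoft.com/v1.0/users/placeholder/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract subject and group claims from an (already signature-verified) assertion.
    Returns groups=None when only the overage claim is present, so callers can
    distinguish 'no groups' from 'groups not carried in the token'."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion element")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    if GROUPS_OVERAGE_CLAIM in attributes:
        groups = None
    else:
        groups = attributes.get(GROUPS_CLAIM, [])
    return {"subject": subject, "groups": groups, "attributes": attributes}


def matched_ext_id_objects(groups, configured_objects):
    """Map assertion group values onto configured EXT_ID_ objects.
    Entra may emit group object IDs (GUIDs) rather than display names depending
    on the claim configuration; the object names must match whatever is emitted."""
    if groups is None:
        return set()
    return {"EXT_ID_" + g for g in groups} & set(configured_objects)


def office_mode_decision(parsed, office_mode_group):
    """Mirror 'Offer Office Mode to group': offer only on confirmed membership,
    and report 'unknown' (not 'not_offered') when the token carried no group list."""
    groups = parsed["groups"]
    if groups is None:
        return "unknown"
    return "offer" if office_mode_group in groups else "not_offered"


if __name__ == "__main__":
    for label, xml_text in (("normal", SAMPLE_ASSERTION), ("overage", SAMPLE_OVERAGE_ASSERTION)):
        parsed = parse_assertion(xml_text)
        print(label, parsed["subject"], parsed["groups"],
              sorted(matched_ext_id_objects(parsed["groups"], CONFIGURED_EXT_ID_OBJECTS)),
              office_mode_decision(parsed, "OfficeMode-Users"))
```

The overage branch is the caveat worth keeping in mind when moving group lookups from on-prem LDAP to SAML claims: with LDAP the gateway queries membership itself, whereas with SAML it only learns what the IdP chose to put in the token, so a user with many group memberships can arrive with no usable group claim at all. Restricting the emitted groups in Entra to those the gateway actually needs avoids that.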