This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
FtW64
Contributor
‎2025-04-01 01:52 AM
Jump to solution

Remote Access VPN and EntraID Group Authorization

Dear community,

I'm trying to get EntraID Group Authorization working for Check Point Remote Access VPN. I've been struggling for quite a while now, but still it doesn't work.

Did I do something wrong, did I forget some steps?

 

I used several sources (not all of them seem to be complete, do not explain when to apply them, and sometimes they provide conflicting information):

  • Source: "R81.20 Identity Awareness Administration Guide": the 'Admin Guide'.
  • Source: A video in the Admin Guide:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide...

This video explains how to setup browser-based Identity Awareness. It does not explain how to configure for Remote Access VPN, unfortunately.

What I did (primarily following the Admin Guide - "SAML Support for Remote Access VPN"):

  1. Requirements are okay: gateway and SMS are running R81.20 JHF 89; latest (March 2025) Android Capsule VPN app.
  2. Configure Remote Access VPN: enable the 'IPSec VPN' blade.
  3. Configure Remote Access VPN: add the gateway to the RemoteAccess VPN Community.
  4. Configure Remote Access VPN: enable Office Mode.
  5. Configure Remote Access VPN: configure SAML Portal Settings ("https://myvpn.mydomain.nl/saml-vpn"); This FQDN resolves to my public gateway IP address.
  6. Configure Remote Access VPN: enabled some clients (to test, I enabled all VPN client types).
  7. Configure Remote Access VPN: enabled Visitor Mode (already enabled by default).
  8. Configure Remote Access VPN: created a 'Match all Users' External User Profile (generic*) in SmartDashboard.
  9. I also moved the Gaia portal out of the way (Platform Portal: https://192.168.100.240:1433/). Verified and tested.
  10. I enabled the 'Identity Awareness' blade, skipped the wizard, and enabled 'Remote Access' as an Identity Source
  11. SmartConsole: Create the Identity Provider object.
  12. EntraID: Create Enterprise App : "Check Point Remote Secure Access" from the gallery.
  13. EntraID "Check Point Remote Secure Access": Single sign-on. Copy/past the 'Identifier (Entity ID)', 'Reply URL' from the SmartConsole Identity Provider object into the SAML settings. Also entered the 'Sign on URL'.
  14. EntraID "Check Point Remote Secure Access": Modified the SAML claim 'Unique User Identifier (Name ID)' to 'user.localuserprincipalname' (as explained in sk183250).
  15. EntraID "Check Point Remote Secure Access": Add the SAML claim 'group_attr' to 'user.assignedroles' (as explained in sk183250). Note that the Admin Guides says: "configure the Identity Provider to send the group names as values of the attribute "group attr"". But all other sources specify 'user.assignedroles'…
  16. EntraID "Check Point Remote Secure Access": export the 'Federation Metadata XML' and import in the SmartConsole Identity Provider object .
  17. EntraID "Check Point Remote Secure Access": add a test group (without spaces) to the Enterprise Application: 'RemoteWorkers'. Add 'myuser@mydomain.nl' to this group as a member.
  18. SmartConsole: configure 'Client VPN authentication' on the gateway object according to the Admin Guide, using the Identity Provider object. Specifically configured 'User Directories' to "Manual configuration" and "External User profiles" (as we do not use an on-premise Active Directory (LDAP)). Note that sk179788 disagrees on this point…. (did not implement sk179778 at this point). I tried sk179778 at a later time, but that did not help either...
  19. SmartConsole/GuiDBEdit: as explained in the Admin Guide:
     

    GuiDBEdit.png

  20. SmartConsole: Create an Internal User Group, matching the name of the group in EntraID exactly (case sensitive): 'EXT_ID_RemoteWorkers'. Note that the Admin Guide tells me to prepend the group name with "EXT_ID_", but the video from Peter Elmer does not mention this… I followed the Admin Guide.
  21. SmartConsole: create an Access Role, adding the Internal User Group as 'Specific users/group' under 'Users'. Create an Access Rule using this Access Role object as source.

RESULTS:

  • I can successfully setup a Remote Access (client) VPN using the Android Capsule app.
  • I can successfully login, using my EntraID credentials (myuser@mydomain.nl). So, SAML authentication works!
  • Matched or dropped traffic from my VPN is tagged with 'Source User Name = myuser@mydomain.nl' in the logs.
  • The log viewer 'Log In' event (Mobile Access), says: User Groups: "This user doesn't belong to any group". Not sure if this is to be expected…
  • On the gateway:
# pdp m a on

Users:
 myuser@mydomain.nl {2d3c782f}
   LogUsername: myuser@mydomain.nl
   Groups: All Users
   Roles: -
   Client Type: Remote Access

It seems that my test group is not 'found', and I am assigned only to the 'All Users' group. My Access Role object doesn't match, and I cannot send traffic through my access rule. I would have expected: "Groups: All Users;RemoteWorkers" and "Roles: MyAccessRole".

  • If I create an Access Role object with 'Users' set to 'Any users' (RemoteUsers_ALL), then I get this:
# pdp m a on

Users:
 myuser@mydomain.nl {2d3c782f}
   LogUsername: myuser@mydomain.nl
   Groups: All Users
   Roles: RemoteUsers_ALL
   Client Type: Remote Access

And I can send VPN traffic, if I use this Access Role object as source in an Access Rule.

  • If I add the Internal User Group to the RemoteAccess VPN Community, authentication fails as well (unable to login using Capsule).

 

Peter Elmer (video) also tells me to edit the Manifest (which seems to be identical to just add 'App Roles' to the EntraID application… So, I tried this as well. This didn't work either…

 

I'm at my wits end, thanks in advance for any suggestions,

-Frank

 

 

 

 

 

0 Kudos
1 Solution

Accepted Solutions
Nüüül
Advisor
Advisor
‎2025-04-01 07:25 AM
In response to FtW64
Jump to solution

Would remove the filtering (Filter Group) for the first step.

Is the application mapped to your user group aa_cp..? As there is enabled "Groups assigned to application"

Also - nested groups are not supported, so your group would have to be mapped to the application and your user must be a direct member of the group.

we can have a short session tomorrow afternoon and have a look together, if you want to - just send me a private message

View solution in original post

(1)
6 Replies
Nüüül
Advisor
Advisor
‎2025-04-01 04:21 AM
Jump to solution

check the SAML attributes transferred.

can be done with browser plugins like saml-tracer / saml-tracker

i.e. https://addons.mozilla.org/de/firefox/addon/saml-tracer/

Start the extension, then logon to vpn again.

Then there should come up something like the first attached picture. click on the first line stating "SAML" and see on the other tab the SAML parameters.

 

I´d guess, there is something wrong with the attributes transfered.

 

 

 

 

 

Preview file
25 KB
Preview file
262 KB
0 Kudos
FtW64
Contributor
‎2025-04-01 05:51 AM
In response to Nüüül
Jump to solution

Hi Nüüül

Thanks for your suggestion. I switched from Android to Windows and used the SAML tracer. It seems indeed that the 'group_attr' attribute is missing in the last SAML conversations. At least, I'm assuming here that this attribute is used by the VPN gateway?

2025-04-01 14_45_37-Extension_ (SAML-tracer) - SAML-tracer — Mozilla Firefox.jpg

 

0 Kudos
Nüüül
Advisor
Advisor
‎2025-04-01 05:59 AM
In response to FtW64
Jump to solution

Yes, this will be used by the gateway.

 

EntraID "Check Point Remote Secure Access": Add the SAML claim 'group_attr' to 'user.assignedroles' (as explained in sk183250). Note that the Admin Guides says: "configure the Identity Provider to send the group names as values of the attribute "group attr"". But all other sources specify 'user.assignedroles'…

 

in Entra you can configure, what to send with the group attribute "group_attr". Especially when not using local ldap sources.

For an example see attachement

The group will have to be matched on Check Point side (group named EXT_ID_<groupname>, which then is member of an access role)

Preview file
188 KB
0 Kudos
FtW64
Contributor
‎2025-04-01 07:20 AM
In response to Nüüül
Jump to solution

I configured the group_attr claim/attribute as described in your screen shot.

But in the SAML attributes we still do not see 'group_attr'. We also tried refreshing the XML meta data to the Identity Provider object, but this didn't help either. For some reason EntraID refuses to send the group_attr attribute...

This is what we configured on EntraID in the Enterprise App (see image).

Also note that we configured the Unique User Identifier (Name ID) as user.localuserprincipalname (as per the documentation).

 

Preview file
258 KB
0 Kudos
Nüüül
Advisor
Advisor
‎2025-04-01 07:25 AM
In response to FtW64
Jump to solution

Would remove the filtering (Filter Group) for the first step.

Is the application mapped to your user group aa_cp..? As there is enabled "Groups assigned to application"

Also - nested groups are not supported, so your group would have to be mapped to the application and your user must be a direct member of the group.

we can have a short session tomorrow afternoon and have a look together, if you want to - just send me a private message

(1)
FtW64
Contributor
‎2025-04-01 07:56 AM
In response to Nüüül
Jump to solution

YES!!! I've got it working. I disabled the filter and now we get a group_attr with the value:

<Attribute Name="group_attr"> 
  <AttributeValue>aa_cp_vpn_test_frank</AttributeValue> 
</Attribute>

Not sure why the filter blocked the group. Also: if there are no matching groups, the attribute is not sent from the IdP (I kind of expected an empty attribute...).

I'd like to thank you VERY MUCH for your help.

I would like to urge Check Point to update their documentation and give some more explanation to just: 'add the group_attr claim/attribute' :-).

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events