This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sören
Employee
Employee
‎2023-06-12 03:27 AM

Keycloak SAML Authentication for SmartConsole

This is not an official guide. This is just a tutorial from my lab.

It describes how Keycloak works as an Identity Provider for SmartConsole login using SAML. Btw: Mobile Access Login / VPN Login works the same way.

Starting with R81.20 Jumbo Take 89, you will need to modify the metadata file (step 6) as follows.

Keycloak - Identity Provider Login for a User

 

1. Version

Keycloak: 21.1.1
Check Point SmartCenter: R81.20 

2. Select Realm in Keycloak

keycloak_1.png

3. Create User
Create a User and assign a password (under credentials). Or use LDAP as a Source, etc.

keycloak_2.png

3.1 Set password

keycloak_2.0.png

4. Client Scopes

The SmartConsole application integration in your Identity Provider must have attribute mappings for "username" and “groups”. In Keycloak this is done via “Client scopes

 Select “Client Scopes” and click “Create client scope”.

keycloak_3.0.png

4.1 Create client scope “SmartConsole”

Name: SmartConsole
Protocol: SAML

keycloak_3.png

5. Select the client scope “SmartConsole”

keycloak_3.1.png

5.1 Click “Add mapper - by configuration” for username

keycloak_4.png

5.2 Select “User Attribute”

keycloak_5.png

5.3 Enter “username” in the highlighted fields

keycloak_5.1.png

5.4 Click “Add mapper - by configuration ” for groups

keycloak_4.png

5.5 Select Group List

keycloak_5.2.png

5.6 Enter “groups” in the highlighted fields

keycloak_5.4.png

5.7 Client scope - Overview

keycloak_5.5.png

6. Realm settings

Go to Realm settings and click on “SAML 2.0 Identity Provider Metadata” and save the XML File. This file is used in step 7.

keycloak_6.png

Starting from R81.20 Jumbo Take 89:

Open the metadata file (descriptor.xml) and modify the value "WantAuthnRequestsSigned" from "true" to "false".

 

7. Create Identity Provider Object

Create an Identity Provider Object in SmartConsole. Click “Import From File” and select the XML File from step 6. Publish the changes.

Copy the Identifier (Entity ID) and Reply URL in a text file.

cp_keycloak_1.png

8. Clients

Click on Clients and select “Create Client

keycloak_7.png

8.1 SAML Client

Under “Client ID” enter the information from “Identifier (Entity ID)” (SmartConsole), from step 7.

keycloak_8.png

8.2 Login settings

Root URL and Home URL = IP Address from the SmartCenter

Under Valid redirect URIs enter the “Reply URL” from the Identity Provider Object (SmartConsole), see step 7.

keycloak_8.1.png

8.3 Disable Client Signature

I don't know, if this can be configured at all with Check Point, so it must be disabled for it to work. Does anyone know if this can be enabled?

keycloak_8.2.png

8.4 Client scopes

Check, if the client scope “SmartConsole” is assigned to the Client.

keycloak_8.3.png

9. Select Identity Provider in SmartConsole

keycloak_9.png

9.1 Create SmartConsole Admin

Create User, same Username as in Keycloak. Publish all changes.

keycloak_9.1.png

9.2 Login SmartConsole

keycloak_9.2.png

9.3 Redirect to Browser

Login using username “test".

keycloak_9.3.png

9.4 Login successful

After successful login, SmartConsole opens.

keycloak_9.4.png

9.5 Logfile

keycloak_9.5.png

Keycloak - Identity Provider for a Group

Login is also possible, using the Identity Provider for an Administrator Group. The Group Name must be the same on Check Point and on Keycloak. In this example, testuser3 is member of the group “SmartCenter-GUI” only. 

10. Create "New Identity Provider Administrator Group

Group ID / Name: SmartCenter-GUI

keycloak_10.0.png

10.1 Overview

Object “SSO_Group” was created and all members in this group, are able to login to the SmartCenter.

keycloak_10.1.png

10.2 Keycloak User Group

Create User Group “SmartCenter-GUI” in Keycloak and add a user to this group, in this example, “testuser3

keycloak_10.png

10.3 Login using testuser3

keycloak_10.2.png

 

 

(1)
1 Reply
PhoneBoy
Admin
Admin
‎2023-06-12 02:12 PM

Appreciate you sharing this!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events