This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
Advisor
Advisor
‎2024-11-05 04:59 AM
Jump to solution

saml redirect from portal page broke after upgrading from JHF84 to JHF89

Hi All,

After upgrading from R81.20 JHF84 to JHF89 (in my lab) my redirect to my on prem IDP server broke.   Although I can connect to it ok from the command line.  If I revert back to JHF84 it works again.    I'm not sure how to troubleshoot this, any ideas are welcome.  We were actually planning on rolling it out this weekend.   There were some changes in JHF89 for SAML.  It looks like it tries to get to the idp server, fails and then fails to connect back to the portal.   It happens so fast, it's like it isn't even trying.  IOW, I'm not even getting to the inhouse IDP login page.

😞

This page isn’t working

portal.some.domain.com is currently unable to handle this request.

HTTP ERROR 500
 

 

NEW: This upgrade introduces three important SAML Authentication enhancements:

  • Request Signing: Verifies authenticity of SAML requests.
  • Assertion Decryption: Protects confidentiality of user attributes.
  • Forced Re-authentication: Enables mandatory login for each session.

Administrators gain more control over security policies, while the system becomes more adaptable to various high-security environments and Identity Provider requirements.

The Security Gateway may fail to resolve external Network Feeds whose URL contains a port number (such as "https://example.com:8080/feed.csv". Refer to sk182684.  

 
 
0 Kudos
1 Solution

Accepted Solutions
Sören
Employee
Employee
‎2024-11-12 12:55 AM
Jump to solution

@Daniel_Kavan Please check, if your metadata file from the IdP contains the option: "WantAuthnRequestsSigned="true". If yes, please change it to false and upload the metafile again. 

SmartConsole:

IdP.jpg

View solution in original post

10 Replies
PhoneBoy
Admin
Admin
‎2024-11-05 07:08 AM
Jump to solution

Wondering if one of these security enhancements is possibly causing issues with your IdP configuration.
There doesn't seem to be much in the way of troubleshooting information about SAML, though one suggestion in sk180543 is to install a SAML Tracer extension in your browser.
This will hopefully give you an idea of what's actually happening.

0 Kudos
Daniel_Kavan
Advisor
Advisor
‎2024-11-05 07:59 AM
In response to PhoneBoy
Jump to solution

Thanks!  It seems like it has nothing to do with SAML since I can't even get to the website, but I will try it.  Looking at the httpd.log.0

PHP errors
[Tue Nov 05 11:18:16.713353 2024] [php7:notice] [pid 30702] [client ip:56661] [CAPTCHA] Captcha is not required
[Tue Nov 05 11:18:16.837429 2024] [php7:notice] [pid 14574] [client ip:56662] [absolute_portal_host] Receiving a NULL 'mab_portal_fqdn', referer: https://ip/Login/Login
[Tue Nov 05 11:18:17.100925 2024] [php7:notice] [pid 19567] [clientip:56666] [absolute_portal_host] Receiving a NULL 'mab_portal_fqdn', referer: IP/Login/Login
[Tue Nov 05 11:18:17.112959 2024] [php7:notice] [pid 19567] [client IP:56666] simplesamlphp ERR [TRb8098fb5] Configuration identity_provider definition., referer: https://IP/Login/Login
[Tue Nov 05 11:18:17.112991 2024] [php7:notice] [pid 19567] [client IP:56666] simplesamlphp ERR [TRb8098fb5] Configuration identity_provider definition., referer: https://IP/Login/Login
[Tue Nov 05 11:18:17.113005 2024] [php7:notice] [pid 19567] [client IP:56666] simplesamlphp ERR [TRb8098fb5] Configuration identity_provider definition., referer: https://IPurl/Login/Login

 

0 Kudos
Daniel_Kavan
Advisor
Advisor
‎2024-11-05 01:15 PM
In response to Daniel_Kavan
Jump to solution

when it works (JHF84) the saml tracer shows a 302.  A 302 status code is an HTTP response code that indicates a requested resource has been temporarily moved to a new location:, then it goes beyond the 302 to a 200, and it all works. When it doesn't work (JHF89) I'm getting a 500 internal server error, then that's it, nothing comes up.   Is the internal error on checkpoint I assume not the in house IDP server.  I can repeat the process over and over to JHF84 and back if anyone from R&D want to look at it.

 

Can R81.20 JHF89 manage an R82 gateway?    Maybe, I'll try R82.  But it doesn't look like it. https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RN/Content/Topics-RN/Support...

0 Kudos
the_rock
Legend
Legend
‎2024-11-05 03:17 PM
In response to Daniel_Kavan
Jump to solution

Definitely cant manage R82 gateway. You can try, but then you need R82 gw as well.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-05 07:20 PM
In response to Daniel_Kavan
Jump to solution

That's only possible across minor versions with a specific JHF level.
R82 is considered a major version.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-11-05 11:08 PM
In response to PhoneBoy
Jump to solution

Can we expect in near future JHF for R81.10 and R81.20 that will support managing R82 gateways ?

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-06 06:59 AM
In response to JozkoMrkvicka
Jump to solution

No, I would not expect this as R81.x and R82 are different major releases.

0 Kudos
Sören
Employee
Employee
‎2024-11-12 12:55 AM
Jump to solution

@Daniel_Kavan Please check, if your metadata file from the IdP contains the option: "WantAuthnRequestsSigned="true". If yes, please change it to false and upload the metafile again. 

SmartConsole:

IdP.jpg

Daniel_Kavan
Advisor
Advisor
‎2024-11-12 12:09 PM
In response to Sören
Jump to solution

Thanks Soren, that did it.  I also updated to JHF90.

the_rock
Legend
Legend
‎2024-11-12 12:24 PM
In response to Sören
Jump to solution

Great tip, thanks @Sören 

Andy

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top