Christian_Koehl
Collaborator

ADFS remote access VPN with SAML

Dear Checkmates,

I have a Management running R81.20 + JHF-89 and a firewall module, also with R81.20 + JHF-84.

For remote access VPN, SAML authentication should be used. I followed: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...


The user gets a popup from the browser asking for username and password, and is then presented with the PIN, which needs to be entered in the MS Authenticator.
Unfortunately, the login then fails.

ADFS_MFA_fails.jpg

 

 

Any ideas?

Best regards,
Christian

0 Kudos
3 Replies
Nüüül
Advisor

Hi

Can you tell a bit more on your configuration?

How did you configure the group authorization part? SAML Attribute? LDAP Account Unit?

0 Kudos
Christian_Koehl
Collaborator

Hi,
Sorry for not answering earlier.
The main problem was that the response from the ADFS proxy was an HTTP "redirect". Now it is a "post". In principle, we are now able to authenticate successfully.

One topic is left: it seems that the ADFS group "abc123" and the local user group "EXT_ID_abc123" didn't match.
We use the "EXT_IT_abc123" group in the RemoteAccess Community object, but this group didn't match here; only an older LDAP group matches.

 

BR,

Christian

 

0 Kudos
Nüüül
Advisor

Hi Christian,

 

I assume the group names EXT_ID vs. EXT_IT is a typo, right? You might have a look at the user directories config now, like:

 

Greenshot_ 2025-02-08 07.51.21.png

Otherwise the gateways will try to fetch AD groups for a user.

If this doesn't work, we can have a look at it on Monday - send me a private message.

 

cheers

 

daniel 

0 Kudos
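
Added example, not part of the thread and not Check Point code: a small offline check for the group mismatch discussed above. It reads the group values from a decoded SAML assertion and compares them with the local group names, assuming the naming from the thread (local group = `EXT_ID_` + the group value in the assertion). The group claim type, the sample assertion and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PREFIX = "EXT_ID_"  # local group prefix as written in the thread
# Assumption: groups arrive in the common AD FS group claim type.
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample: an already-decoded assertion carrying the thread's group.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>abc123</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_claims(assertion_xml, claim_name=GROUP_CLAIM):
    """Return every value of the group attribute found in the assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == claim_name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                values.append((value.text or "").strip())
    return values


def check_groups(assertion_xml, local_groups, claim_name=GROUP_CLAIM):
    """Compare local group names with PREFIX + each group in the assertion."""
    claims = group_claims(assertion_xml, claim_name)
    expected = {PREFIX + c for c in claims}
    matched = sorted(g for g in local_groups if g in expected)
    # Near miss: right group suffix, wrong prefix (e.g. a mistyped EXT_IT_).
    near_miss = sorted(
        g for g in local_groups
        if g not in expected and any(g.endswith("_" + c) for c in claims)
    )
    return {"claims": claims, "matched": matched, "near_miss": near_miss}


if __name__ == "__main__":
    for name in ("EXT_ID_abc123", "EXT_IT_abc123"):
        print(name, check_groups(SAMPLE_ASSERTION, [name]))
```

The script only inspects names and does not verify the assertion signature. Run it on assertions captured from your own test logins, since `xml.etree.ElementTree` is not hardened against maliciously constructed XML.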
