Hi - right, 81.10.
Remote Access with VPN Client and SAML Authentication is working fine, but we would like to use Azure AD for the group mappings. We configured the Azure AD Enterprise App (which is working with SAML) and created a client secret, created a azure ad object in checkpoint, but if we try to retrieve any user/group mappings via access-roles or do a test connection, it fails with invalid credentials. All settings from the admin guide were double checked and the client-secret was copy/pasted, manually checked. Not sure how to troubleshoot, or if some configuration might be missed.

Did you also follow: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

Regardless, actual screenshots of error messages might be helpful.

Hi,

Are you running EndPoint Remote Access VPN client with office mode getting authenticated with SAML? hmmm I am keen to know that setup.

Right, SAML auth and stuff is working.

Unfortunately, you need to pick the best of from differnet support documents and SKs until you get the full picture, but in the end it's working.

Only the group-mapping via AzureAD object doesn't want to work.

As screenshots were requested, here is the error - client secret was double checked and copied, so no way of typos and access rights are set as described in the documentation

The only thing I can think of is the credentials don't allow access to the necessary API calls.
@Royi_Priov what's the best way to troubleshoot this?

I have the same problem. I defined the Azure AD object.

You can still save it if you select not to fix the error. However, I got th following message:

Does this means you cannot use the Service Principle Authentication option?

An Identity Provider object can only be created it either the VPN Remote access service is defined or the Mobile Access blade is enabled. This customer is not using either of them.

Why have the Service Principle Authentication option if it is not supported ?

Hi Hendri,

Just to check with you is this issue still haven't solved yet?

Hi Muhamadarif,

I got integration with Azure AD to work properly. Having said that, I only configure it in R81.10 and beyond. I advise anyone to upgrade to R81.10 if they want it and still running version before R81.10. Using AD-identities much easier as of R81.10.

Understand.

Yeah i'm running on R81.10
Found out that the permission was wrong. did use application instead of user on api permission.

Not sure if I understand your question correctly, Identity Awareness and logging in on the remote VPN client using an Azure account are two different things. If you want to use Azure Identities in your rule base, you need to configure an Azure AD object which will provide access to the Azure AD. The Azure Identifies can than be used in an Access Role, which in turn can be used in Access Rules again. Obviously Identity Awareness needs to be configured as well.

I think you understand very well my question, at least, you repond very weel. As I figure out, you need to install two of everything (two diffrents needs/product). I was just wondering if it was possible to merge the two. As I read, I saw NO, but I want help to confirm. Thnaks a lot

Yes, you’ll need to create the Identity Provider twice to support both IdA and Remote Access.
In R82 with Infinity Identity, this should not be necessary.