biskit
Advisor
Azure SAML Auth - forceAuthn=true

A drawback to SAML auth is that when connecting to VPN it just logs you straight in - no further auth needed (assuming your machine/browser is already logged into your MS365 account).

For some this is fine.  For others it isn't, and they still want to be prompted for some credentials when logging into VPN.

There's a nice little hack to the /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php file, to set

forceAuthn=true

 

This forces you to do a full login every time.  I.e. manually typing your username, password, then responding to MFA.  At the end of the sign-in you get the box to save details so you don't have to enter them every time.  But that effectively does nothing.  Next time you log in, you still have to do the entire authentication bit again.

But that's what I just set in the file above, so what's the problem?

Does anybody know of a way to achieve a halfway house on this?  For example, rather than manually having to type my email & password every time, is there an option available to JUST prompt for the MFA on each login?

I've got several customers using this.  They're not happy without "forceAuthn=true" because they get no prompts at all.  But they're also not happy with having to manually type the email & password every time either.  They just want the MFA bit.  Is there a way??

I thought the problem of having to manually enter full credentials every time was linked to the SAML pop-up window not using the machine browser's cached info.  I was hoping that E87.30 (using the machine default browser) would fix this and remember who is logged in, therefore only prompting for MFA, but it doesn't 😞

Does anyone know any tricks to make VPN login prompt every time for MFA, without requiring the full username/password too?

18 Replies
the_rock
Legend

If its something like below:

ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.10 - Clientless SSL VPN Users [Cisco A...

 

[screenshot: Screenshot_1.png]

...then the answer is no, CP does not have this ability, and Sales told me last year that this would be an RFE. So, to expand on it, without boring you with the whole story, here is the gist of it. The customer wanted their users to be forced to re-authenticate, even if they put their laptops to sleep and came back 45 seconds later, and the CP VPN solution can't do that currently.

0 Kudos
biskit
Advisor

Well...  the forceAuthn=true line in the config file absolutely does this.  Tested over and over again.  100%.  Log out, then immediately log back in and you're prompted again for creds.  So that bit is fine and works well.

With forceAuthn=false (or just without the line in the config file at all - the default unless you've specifically updated the file) then it does the normal SSO and logs you straight in without any further prompting for creds or authentication.

So we have both extremes here.

What my customers want is something in the middle.  They don't want to have to enter the full creds every time, BUT they do want to be prompted for the MFA bit (e.g. Microsoft Authenticator pop-up on their phone).  It seems this half-way option is not currently possible?  Unless anyone knows how it can be done?  Maybe it's an Azure setting rather than a firewall thing, but if it is, I don't currently know it, and would love to be enlightened 😁😁

 

0 Kudos
the_rock
Legend

Ah, OK, that's good to know, because nothing of the sort worked for that a year ago; that's great info @biskit. I don't believe what your customer wants is possible, unless there is some syntax for it on the Azure side? Not sure...

Andy

0 Kudos
PhoneBoy
Admin

The way SAML works is that we initiate the connection to the IdP, which authenticates the user and sends us a SAML assertion about the relevant user.
The authentication flow happens entirely in the IdP.
The only way we can influence this is by sending forceAuthn=true to tell the remote end not to reuse the existing session, thus going through the full authentication flow.

If you want a different authentication flow, this needs to be configured on the IdP itself.
Whether the IdP supports your desired authentication flow is a separate question.

0 Kudos
nikolaos
Explorer

I cannot find forceAuthn=true anywhere in /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php

First and foremost, is this set up on the SMS or on the GWs?

0 Kudos
PhoneBoy
Admin

This is set up on the gateway (where the authentication takes place).
While it is possible to make this configuration change, it is UNSUPPORTED and currently documented in an internal SK.
Please consult with the TAC: https://help.checkpoint.com 

The correct (and proper, supported) place to configure this is on the IdP itself.

0 Kudos
peterbeshay
Explorer

You need to add it manually:

// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
'entityID' => null,
'ForceAuthn' => true,
// The entity ID of the IdP this SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
'idp' => $identity_provider_server->id,

0 Kudos
SenpaiNoticed_U
Employee (accepted solution)

https://support.checkpoint.com/results/sk/sk180948

Checkpoint released an SK article about this parameter.
This file can be found on any Main line gateway.

SMB devices do not support SAML at this time.

 

PhoneBoy
Admin

Thanks for finally getting this in SK 🙂

AkiYa
Contributor

Hi @biskit, where did you put that string?

I've checked the file but I don't know where it should be set.

Thanks

0 Kudos
biskit
Advisor

Open /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php in Notepad++

Insert a new line at line 35:

'ForceAuthn' => true,

Your file should then look like this:

[screenshot: 1.jpg]

CP told me it needed a cpstop/cpstart, but I've found it just works on the fly.

Just to reiterate what Phoneboy said - this was given to me by TAC to "try" and is not a supported solution.  Backup your file before you start playing 😎

This is a global setting and will force all users to enter their AAD password every time (and then AAD MFA if it's configured).  My users get very sick of this very quickly as their AAD passwords are half a mile long.  The issue of only prompting for MFA each time (and not the whole password too) is a failing of Azure IDP, not Check Point.  If any Azure wizards find a way around this, pleeeease let me know!
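The file edit described in the post above (insert the 'ForceAuthn' entry after 'entityID', back the file up first, don't do it twice) as an added example. This is not a Check Point tool and not code from this thread; the sample file is constructed, and the exact layout of the gateway's authsources.php (in particular the SP array key) is an assumption. It remains the unsupported workaround the thread describes.

```python
"""Idempotent, backed-up edit of a simpleSAMLphp authsources.php to set the
SP ForceAuthn flag. Added example for this thread; the sample file below is
constructed and the real file's layout is an assumption."""
import re
import shutil
import time
from pathlib import Path

ENTITY_ID_RE = re.compile(r"^(\s*)'entityID'\s*=>")
FORCE_AUTHN_RE = re.compile(r"^\s*'ForceAuthn'\s*=>")


def set_force_authn(text: str, enable: bool = True) -> str:
    """Return the file text with exactly one 'ForceAuthn' entry.

    The entry goes right after the 'entityID' line of the SP block (the spot
    shown earlier in the thread). Any existing 'ForceAuthn' line, true or
    false, is dropped first, so running this twice never duplicates it.
    """
    out, inserted = [], False
    for line in text.splitlines(keepends=True):
        if FORCE_AUTHN_RE.match(line):
            continue                      # re-added below in one place
        out.append(line)
        m = ENTITY_ID_RE.match(line)
        if m and not inserted:
            value = "true" if enable else "false"
            out.append(f"{m.group(1)}'ForceAuthn' => {value},\n")
            inserted = True
    if not inserted:
        raise ValueError("no 'entityID' entry found; the file layout differs "
                         "from the one this script assumes, edit by hand")
    return "".join(out)


def patch_file(path: str, enable: bool = True) -> Path:
    """Back up the file, rewrite it in place, and return the backup path."""
    p = Path(path)
    backup = p.with_name(f"{p.name}.bak.{int(time.time())}")
    shutil.copy2(p, backup)               # original kept before any change
    p.write_text(set_force_authn(p.read_text(), enable))
    return backup


# Constructed stand-in for the SP section of authsources.php. The real file
# on a gateway is longer, and the array key 'default-sp' is an assumption.
SAMPLE = """<?php
$config = [
    'default-sp' => [
        'saml:SP',
        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => null,
        // The entity ID of the IdP this SP should contact.
        'idp' => $identity_provider_server->id,
    ],
];
"""

if __name__ == "__main__":
    print(set_force_authn(SAMPLE))
```

patch_file() writes the backup as the original name plus .bak.<unix time> next to the file, so there is always a copy to restore from; setting enable=False turns the flag off again without leaving a second entry behind.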

PhoneBoy
Admin

Again, the proper, correct place to configure re-authentication requirements is in the IdP.
Consult with your IdP vendor for the exact steps required to do this.
The forceAuthn=true is a "workaround" that doesn't work with all IdPs and, as you described, has other side effects.

0 Kudos
SenpaiNoticed_U
Employee

The issue is with how SAML works with an SP and an IdP.
If you configured the SP to send ForceAuthn, this tells the IdP to redo auth each time, thus eliminating SAML as a single sign-on feature and turning it into a normal auth method.

This ForceAuthn parameter is a custom SAML parameter that can be used by (SP) service providers to present to (IdP) identity providers.
I have found that some IdPs allow it, and some ignore it, as ForceAuthn is an optional parameter.

But Check Point does not handle the 2nd factor in this scenario.
The IdP vendor is doing an additional factor on their end.
Thus this would fall under their action and not Check Point.

If the IdP vendor could allow the SSO for SAML, but force the MFA aspect, then that would be what you are looking for.

I would see if the vendor of the IdP has anything they can enable on their side.

0 Kudos
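What PhoneBoy and SenpaiNoticed_U describe above (the SP only sets a flag in its AuthnRequest; the IdP decides whether to reuse its session, and may ignore the flag since it is optional) as an added example. This is not code from the thread, from Check Point or from simpleSAMLphp: it builds a SAML 2.0 AuthnRequest with and without ForceAuthn and models the IdP's decision. The entity ID, ACS URL and IdP URL are made up, and the IdP model is a deliberate simplification.

```python
"""SAML 2.0 AuthnRequest with and without ForceAuthn, plus a model of the
IdP's decision. Added example for this thread; not Check Point or
simpleSAMLphp code. Entity IDs and URLs are constructed for illustration."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Constructed values standing in for the gateway's SAML portal and the IdP.
SP_ENTITY_ID = "https://vpn.example.com/saml-vpn/spPortal/ACS/ID/example"
ACS_URL = "https://vpn.example.com/saml-vpn/spPortal/ACS/ID/example"
IDP_SSO_URL = "https://login.example-idp.test/saml2"


def build_authn_request(force_authn: bool) -> str:
    """Return the AuthnRequest XML the SP sends to the IdP.

    The only thing the gateway-side 'ForceAuthn' => true setting changes is
    the ForceAuthn="true" attribute on this element; the login flow itself
    (password, MFA, session reuse) runs entirely at the IdP.
    """
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def has_force_authn(authn_request_xml: str) -> bool:
    """Parse an AuthnRequest and report whether ForceAuthn is asserted."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() == "true"


def idp_decision(authn_request_xml: str, has_sso_session: bool,
                 honours_force_authn: bool = True) -> str:
    """Simplified model of what the IdP does with the request.

    Returns "interactive" when the user goes through the full
    username/password/MFA flow and "sso" when the existing IdP session is
    reused silently. honours_force_authn=False models an IdP that ignores
    the attribute, which the SAML 2.0 spec allows since it is optional.
    """
    if not has_sso_session:
        return "interactive"            # nothing to reuse; always prompt
    if has_force_authn(authn_request_xml) and honours_force_authn:
        return "interactive"            # SP asked for a fresh login
    return "sso"                        # normal single sign-on


if __name__ == "__main__":
    for force in (False, True):
        req = build_authn_request(force)
        print(f"ForceAuthn={force}, browser already signed in at IdP -> "
              f"{idp_decision(req, has_sso_session=True)}")
```

Note what the model cannot express: there is no attribute on the AuthnRequest that means "reuse the password session but redo MFA". SAML does define RequestedAuthnContext for asking the IdP for a particular kind of authentication, but whether a given IdP maps that onto "prompt for the second factor only" is the IdP's decision, which is the point the replies above make.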
phate_82
Participant

Just a wee follow-up on this - I have managed to get the client to request password and MFA through Azure IDP. I know this is not just MFA as needed, yet just password & MFA works pretty well. Using "Conditional Access" within the enterprise application with a few tweaks helped me get there. If the client is running it lets the user reconnect, yet if you shut down the client or reboot your laptop it will force a re-auth.

 

If this is of any use to anyone I can fully document my work and share here 🙂 Might be a specific use case but that's certainly what we were looking for.

0 Kudos
PhoneBoy
Admin

If you could share what you did, I think it would be extremely helpful.

0 Kudos
Greifenstein
Participant

Hi @phate_82,

it would be great to share your work here, because I think that's just what my customer wants and what you have implemented.

I cannot use forceAuthn=true because the customer runs on a VSX and that would compromise all other users.

I couldn't find the file /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php in any subdirectory of any CMA to make it work only for this customer.

Thanks in advance
Christian

 

 

0 Kudos
PhoneBoy
Admin

This is a gateway side edit, which is probably why this is the case.
Seeing this per VS would likely be an RFE.

0 Kudos
kwestwhr
Explorer

Add me to the list - please share what you've done - I've been trying different Conditional Access settings with no success as of yet.

0 Kudos
