Solved: Re: Azure SAML Auth - forceAuthn=true

biskit · ‎2023-05-19

A drawback to SAML auth is that when connecting to VPN it just logs you straight in - no further auth needed (assuming your machine/browser is already logged into your MS365 account).

For some this is fine. For others it isn't, and they still want to be prompted for some credentials when logging into VPN.

There's a nice little hack to the /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php file, to set

forceAuthn=true

This forces you to do a full login every time. I.e. manually typing your username, password, then responding to MFA. At the end of the sign-in you get the box to save details so you don't have to enter them every time. But that effectively does nothing. Next time you log in, you still have to do the entire authentication bit again.

But that's what I just set in the file above, so what's the problem?

Does anybody know of a way to achieve a halfway house on this? For example, rather than manually having to type my email & password every time, is there an option available to JUST prompt for the MFA on each login?

I've got several customers using this. They're not happy without "forceAuthn=true" because they get no prompts at all. But they're also not happy with having to manually type the email & password every time either. They just want the MFA bit. Is there a way??

I thought the problem of having to manually enter full credentials every time was linked to the SAML pop-up window not using the machine browser's cached info. I was hoping that E87.30 (using the machine default browser) would fix this and remember who is logged in, therefore only prompting for MFA, but it doesn't 😞

Does anyone know any tricks to make VPN login prompt every time for MFA, without requiring the full username/password too?

SenpaiNoticed_U · ‎2023-08-18

https://support.checkpoint.com/results/sk/sk180948

Checkpoint released an SK article about this parameter.
This file can be found on any Main line gateway.

SMB devices do not support SAML at this time.

View solution in original post

the_rock · ‎2023-05-19

If its something like below:

ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.10 - Clientless SSL VPN Users [Cisco A...

...then answer is no, CP does not have this ability and Sales told me last year that this would be RFE. So, to expand on it, without boring you with the whole story, here is the jist of it. Customer wanted their users to be forced to re-authenticate, even if they put their laptops to sleep and came back 45 seconds later and CP VPN solution cant do that currently.

biskit · ‎2023-05-19

Well... the forceAuthn=true line in the config file absolutely does this. Tested over and over again. 100%. Log out, then immediately log back in and you're prompted again for creds. So that bit is fine and works well.

With forceAuthn=false (or just without the line in the config file at all - the default unless you've specifically updated the file) then is does the normal SSO and logs you straight it without any further prompting for creds or authentication.

So we have both extremes here.

What my customers want is something in the middle. They don't want to have to enter the full creds every time, BUT they do want to be prompted for the MFA bit (e.g. Microsoft Authenticator pop-up on their phone). It seems this half-way option is not currently possible? Unless anyone knows how it can be done? Maybe it's an Azure setting rather than a firewall thing, but if it is, I don't currently know it, and would love to be enlightened 😁😁

the_rock · ‎2023-05-19

A kk, thats good to know, because nothing of sort worked for that a year ago, thats great info @biskit . I dont believe what your customer wants might be possible, unless there is some syntax for it on Azure side? Not sure...

Andy

PhoneBoy · ‎2023-05-19

The way SAML works is that we initiate the connection to the IdP, which authenticates the user and sends us a SAML assertion about the relevant user.
The authentication flow happens entirely in the IdP.
The only way we can influence this is by sending forceAuthn=true to tell the remote end not to reuse the existing session, thus going through the full authentication flow.

If you want a different authentication flow, this needs to be configured on the IdP itself.
Whether the IdP supports your desired authentication flow is a separate question.

nikolaos · ‎2023-07-06

I cannot find forceAuthn=true anywhere in /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php

First and foremost is this setup on SMS or on GWs ?

PhoneBoy · ‎2023-07-06

This is set up on the gateway (where the authentication takes place).
While it is possible to make this configuration change, it is UNSUPPORTED and currently documented in an internal SK.
Please consult with the TAC: https://help.checkpoint.com

The correct (and proper, supported) place to configure this is on the IdP itself.

peterbeshay · ‎2023-08-18

you need to add it manually

// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
'entityID' => null,
'ForceAuthn' => true,
// The entity ID of the IdP this SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
'idp' => $identity_provider_server->id,

SenpaiNoticed_U · ‎2023-08-18

https://support.checkpoint.com/results/sk/sk180948

Checkpoint released an SK article about this parameter.
This file can be found on any Main line gateway.

SMB devices do not support SAML at this time.

PhoneBoy · ‎2023-08-29

Thanks for finally getting this in SK 🙂

AkiYa · ‎2023-07-08

Hi @biskit , where did you put that string?

I' ve checked the file but I don't know where it should be set.

Thanks

biskit · ‎2023-07-08

Open /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php in Notepad++

Insert new line at line 35

'ForceAuthn' => true,

Your file should then look like this:

CP told me it needed a cpstop/cpstart, but I've found it just works on the fly.

Just to reiterate what Phoneboy said - this was given to me by TAC to "try" and is not a supported solution. Backup your file before you start playing 😎

This is a global setting and will force all users to enter their AAD password every time (and then AAD MFA if it's configured). My users get very sick of this very quickly as their AAD passwords are half a mile long. The issue of only prompting for MFA each time (and not the whole password too) is a failing of Azure IDP, not Check Point. If any Azure wizards find a way around this, pleeeease let me know!

PhoneBoy · ‎2023-07-09

Again, the proper, correct place to configure re-authentication requirements in the IdP.
Consult with your IdP vendor for the exact steps required to do this.
The forceAuthn=true is a "workaround" that doesn't work with all IdPs and, as you described, has other side effects.

SenpaiNoticed_U · ‎2023-07-18

The issue is with how SAML works with a SP and a IDP.
if you configured the SP to send the Force auth. This tells the IDP to redo auth each time, thus eliminating SAML as a single sign on feature, into a normal Auth method.

This ForceAuthn parameter is a custom SAML parameter that can be used by (SP) service providers to present to (IDP) Identity Providers.
I have found that some IDP's allow it, and some that ignore it, as ForceAuthn is a optional parameter.

But Checkpoint does not handle the 2nd factor in this scenario.
The IDP vender is doing an additional Factor on their end.
Thus this would fall under their action and not checkpoint.

If the IDP vender could allow the SSO for SAML, but force the MFA aspect, then that would be what you are looking for.

I would see about if the Vender of the IDP has anything they can enable for there side.

phate_82 · ‎2024-06-24

Just a wee follow up on this - I have managed to get the client to request password and MFA through Azure IDP. I know this is not just MFA as needed yet just password & MFA works pretty well. Using "Conditional Access" within the enterprise application with a few tweaks helped me get there. If the client is running it lets the user reconnect, yet if you shutdown the client or reboot your laptop it will for a reauth.

If this is of any use to anyone I can fully document my work and share here 🙂 Might be a specific use case but thats certianly what we were looking for.

PhoneBoy · ‎2024-06-24

If you could share what you did, I think it would be extremely helpful.

Greifenstein · ‎2024-07-11

Hi @phate_82 ,

it would be great to share your work here, because I think, thats just what my customer wants, what you have implemented.

I cannot use

forceAuthn=true

because the customer runs on a VSX and that would compromise all other users.

I couldn't find the file /opt/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php in any subdirectory of any CMA to make it work only for this customer.

Thanks in advance
Christian

PhoneBoy · ‎2024-07-11

This is a gateway side edit, which is probably why this is the case.
Seeing this per VS would likely be an RFE.

kwestwhr · ‎2024-10-04

Add me to the list - please share what you've done - I've been trying different Conditional Access settings with no success as of yet.

Are you a member of CheckMates?

Azure SAML Auth - forceAuthn=true