sdragon92
Contributor

Checkpoint Client VPN to use default browser instead of embedded + SSO

Hello Team,

Two questions related to Remote Access VPN :

1- Does Clientful Remote Access VPN support SSO with SAML? It does support SAML authentication, but when the user disconnects while the IdP portal session is still active, it still requires the user to reauthenticate, so SAML works but there is no SSO. Is this an RFE, or is there something to be done for this to support SSO? SSO works well with Mobile Access VPN, as it uses the external browser.

2- Does Clientful Remote Access VPN support the use of the default OS web browser? I see only IE in the documentation, and IE is actually deprecated. I tried copying and pasting the SAML request into Edge, for example, and it did work. Can we use Edge instead of IE? If yes, what should be put in trac.defaults in the idp browser row?

Thanks in advance !

Dawoud.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

1. Yes, it should cache the credentials by default. The fact it's not suggests a configuration was made on the AzureAD side of things to disable this. ForceAuthn needs to be set to false.

2. Currently, we only support the embedded browser (IE) for SAML authentication. This is something we plan to address in a later release.

0 Kudos
sdragon92
Contributor

I am not using ForceAuthn, and I am not using AzureAD as an IdP; I am using a different one, and this only happens with Checkpoint. The issue is that I cannot capture the SAML packets, as this is an embedded browser. So you are saying Checkpoint can support SSO using SAML? Is there anything to do on the Checkpoint side? I never got SSO to work, and with the very same configuration and the very same IdP, SSO works with other vendors. Also, if this were from the IdP side, then Mobile Access VPN should have failed SSO too; however, the difference between Mobile Access and Remote Access is the browser. So I suspect issues with the embedded browser's ability to do SSO. Please confirm, thanks.

- Dawoud

0 Kudos
PhoneBoy
Admin
Admin

To debug SAML for Remote Access, refer to: https://support.checkpoint.com/results/sk/sk180543 
The only thing we can do to effect SSO "not working" is to send ForceAuthn to true as part of the initial SAML request (which I don't believe we do).
If the SSO is tied to the user's browser session in their preferred browser, then using the embedded browser obviously won't work for SSO.
In which case, there's nothing you can do until we support external browsers.
(Note the specific limitation about browsers is documented here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...)

If having this SAML SSO work is a hard requirement for you, I recommend reaching out to your local Check Point office. 

0 Kudos
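Both replies above turn on whether the SP's AuthnRequest carries ForceAuthn="true", and the original poster already has the SAMLRequest value in hand (it was pasted into Edge). The following is an added example, not code from the thread or from Check Point, showing how to decode a SAMLRequest parameter (HTTP-Redirect binding: base64 of raw DEFLATE; HTTP-POST binding: plain base64) and read the ForceAuthn, IsPassive, Issuer and ACS attributes, so you can confirm from your own capture what the client actually sent before raising it with the vendor. The two AuthnRequest documents and the hostnames in them are constructed for the demonstration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a request that forces re-authentication (kills SSO).
SAMPLE_FORCE_AUTHN = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'ForceAuthn="true" '
    'AssertionConsumerServiceURL="https://vpn.example.com/saml/acs">'
    "<saml:Issuer>https://vpn.example.com</saml:Issuer>"
    "</samlp:AuthnRequest>"
).encode()

# Constructed sample: no ForceAuthn, so an existing IdP session may be reused.
SAMPLE_SSO_FRIENDLY = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://vpn.example.com/saml/acs">'
    "<saml:Issuer>https://vpn.example.com</saml:Issuer>"
    "</samlp:AuthnRequest>"
).encode()


def encode_redirect_binding(xml_bytes: bytes) -> str:
    """Encode XML the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def encode_post_binding(xml_bytes: bytes) -> str:
    """Encode XML the way the HTTP-POST binding does: plain base64 of the XML."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_saml_request(param: str) -> bytes:
    """Return the XML behind a SAMLRequest parameter from either binding."""
    raw = base64.b64decode(param)
    if raw.lstrip().startswith(b"<"):
        return raw  # POST binding: already XML
    return zlib.decompress(raw, -15)  # Redirect binding: inflate raw DEFLATE


def inspect_authn_request(param: str) -> dict:
    """Parse an AuthnRequest and report the attributes that govern IdP session reuse."""
    # For input captured from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(decode_saml_request(param))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    truthy = ("true", "1")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        # SAML Core: absent ForceAuthn/IsPassive means false.
        "force_authn": root.get("ForceAuthn", "false").lower() in truthy,
        "is_passive": root.get("IsPassive", "false").lower() in truthy,
    }


def demo() -> tuple:
    """Inspect one request per binding; used as the stand-alone entry point."""
    forced = inspect_authn_request(encode_redirect_binding(SAMPLE_FORCE_AUTHN))
    friendly = inspect_authn_request(encode_post_binding(SAMPLE_SSO_FRIENDLY))
    return forced, friendly


if __name__ == "__main__":
    for info in demo():
        verdict = "forces re-authentication" if info["force_authn"] else "allows IdP session reuse"
        print(f"{info['id']} from {info['issuer']}: {verdict}")
```

Feed `inspect_authn_request` the raw SAMLRequest value from the redirect URL or POST form (URL-decode it first if you copied it out of a query string). If ForceAuthn is false in what the client sends yet the IdP still prompts, the cause is on the IdP side or in the embedded browser's cookie jar, which is exactly the distinction the replies above draw.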