Checkpoint Client VPN to use default browser instead of embedded + SSO
Hello Team,
Two questions related to Remote Access VPN:
1- Does Clientful Remote Access VPN support SSO SAML? It does support SAML authentication, but when the user disconnects and the IdP portal session is still active, it still requires the user to reauthenticate ---> no SSO, but SAML works. Is this an RFE, or is there something to be done for this to support SSO? SSO works well with Mobile Access VPN as it uses the external browser.
2- Does Clientful Remote Access VPN support the usage of the default OS web browser? I see in the documentation only IE, and IE is actually deprecated. I tried to copy-paste the SAML request into Edge, for example, and it did work. Can we use Edge instead of IE? If yes, what should I put in trac.defaults in the IdP browser row?
Thanks in advance!
Dawoud.
1. Yes, it should cache the credentials by default. The fact it's not suggests a configuration was made on the AzureAD side of things to disable this. ForceAuthn needs to be set to false.
2. Currently, we only support the embedded browser (IE) for SAML authentication. This is something we plan to address in a later release.
I am not using ForceAuthn and I am not using AzureAD as an IdP; I am using a different one, and this only happens with Checkpoint. The issue is I cannot capture the SAML packets as this is an embedded browser. So you are saying Checkpoint can support SSO using SAML? Is there anything to do on the Checkpoint side? I never got the SSO to work, and with the very SAME configuration and the very same IdP, SSO works with other vendors. Also, if this was from the IdP side then Mobile Access VPN should have failed SSO too; however, the difference between Mobile Access and Remote Access is the browser. So I am suspecting issues with the embedded browser's ability to do SSO. Please confirm, thanks.
Dawoud
To debug SAML for Remote Access, refer to: https://support.checkpoint.com/results/sk/sk180543
The only thing we can do to affect SSO "not working" is to send ForceAuthn as true as part of the initial SAML request (which I don't believe we do).
If the SSO is tied to the user's browser session in their preferred browser, then using the embedded browser obviously won't work for SSO.
In which case, there's nothing you can do until we support external browsers.
(Note the specific limitation about browsers is documented here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...)
If having this SAML SSO work is a hard requirement for you, I recommend reaching out to your local Check Point office.
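Both replies above turn on whether the client's initial AuthnRequest carries ForceAuthn="true", which tells any IdP to discard its live session and re-prompt. As an added example (not code from the thread or from Check Point), this Python decodes a SAMLRequest value as it appears in the redirect URL (or a captured POST body) and reports the ForceAuthn/IsPassive flags and the issuer; the sample requests and the issuer URL are constructed placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XS_TRUE = ("true", "1")  # xs:boolean spellings that mean true

def encode_redirect_saml_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

def decode_saml_request(encoded: str) -> str:
    """Undo the Redirect encoding; fall back to plain base64 XML (HTTP-POST binding)."""
    raw = base64.b64decode(urllib.parse.unquote(encoded))
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")

def inspect_authn_request(xml_text: str) -> dict:
    """Report the attributes that decide whether the IdP may reuse a live session."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        # ForceAuthn="true" tells the IdP to ignore its session and re-prompt
        "force_authn": root.get("ForceAuthn", "false").strip().lower() in XS_TRUE,
        "is_passive": root.get("IsPassive", "false").strip().lower() in XS_TRUE,
    }

# Constructed sample requests; the issuer is a placeholder, not a real SP.
TEMPLATE = (
    '<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z"{extra}>'
    '<saml:Issuer>https://vpn.example.invalid/saml</saml:Issuer></samlp:AuthnRequest>'
)
SSO_FRIENDLY = TEMPLATE.format(p=SAMLP_NS, a=SAML_NS, extra="")
FORCED_LOGIN = TEMPLATE.format(p=SAMLP_NS, a=SAML_NS, extra=' ForceAuthn="true"')

if __name__ == "__main__":
    for label, xml in (("no ForceAuthn", SSO_FRIENDLY), ("ForceAuthn=true", FORCED_LOGIN)):
        print(label, inspect_authn_request(decode_saml_request(encode_redirect_saml_request(xml))))
```

Paste the SAMLRequest query parameter from the URL the client hands to the browser into decode_saml_request; if force_authn comes back False, the re-prompt is not being requested by the SP and the session reuse question lies with the browser the IdP sees.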
