This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nzmatto1
Contributor
‎2022-10-19 04:47 PM

Forcing VPN with SAML (Google SSO) to re-authenticate

Here's another wired request from the crazy kiwi. 
I have configured the Remote Access VPN to use Google SSO through a SMAL app. This seems to be working fine, however for further testing I wish to force my client to log out, including from the SSO session to force the 2FA again.

The process is I log on from the client for the first time on a device and I am prompted for a username and password, then for the Google MFA. This is fine, it's accepted and the VPN establishes. once I am finished with the VPN I can disconnect. 

The next time I reconnect it doesn't prompt for anything, which from a user point of view is perfect. No username / password / 2fa just straight in. The secure way is the easy way. 

However for testing I wish to force my account to log out fully, requiring the username / password / 2fa again, and I can't work out how to achieve this from the client. I have even gone as far as deleting and reinstalling the client, however even then it only asks for a username and password as somewhere in the background Google magic knows I've recently done the 2fa so it just works. 

From the client / desktop side I he logged out from my google account and revoked all trusted devices but to no avail. 

Is there some way from the client side I can force my account to require the 2fa like it was a new connection every time? 

I'm wondering if this might be stored in the registry, or in a cookie or something like that. 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2022-10-21 05:34 PM

To achieve the desired behavior, you have to have ForceAuthn set to true as part of the SAML request.
This is not done by default currently, but a fix for this can be obtained from the TAC by referencing TM-34402.

0 Kudos
Agent_Smith
Contributor
‎2023-04-07 12:08 PM
In response to PhoneBoy

We're using MS saml. I want to disable all network access unless VPNd, how can I do that?

0 Kudos
Icaro_IT
Explorer
‎2024-08-08 06:16 AM

Hello nzmatto 1
Can u share how you configure SAML with Google? I'm try, but not work working.
Are u make SAML Attribute Mapping on Google? If yes, how your configurated?

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events