Running R80.40 JHF Take 48 with the MobileAccess UI EA hotfix applied.
I'm trying to set up SAML 2.0 authentication (IdentityProvider object) to use Okta for authentication to the Mobile Access Blade (SSL VPN).
The SAML authentication works (IdP initiated is a little odd because I have it set to use Endpoint Compliance, so you end up having to hit the SAML auth button after the compliance scan even though it was IdP initiated).
But the authenticated user is NOT matching any of the Access Roles. These are Access Roles set up using the only LDAP AU defined on the system. I know that the LDAP AU works because if I use RADIUS authentication to an Okta RADIUS agent, the same user matches the Access Roles and the appropriate web apps show up in the portal and SNX allows the correct access. The logs for both situations are identical on the Check Point side (both show the user DN correctly).
What I'm trying to determine is whether anyone has this sort of setup working or not. I opened a TAC/Diamond case earlier last week stating that it wasn't working, but haven't really gotten a response yet, and I want to know if anyone has actually gotten it to work correctly or not.
Note that this is strictly for remote access. I don't care about using it for user-based rules for outbound access (at this time).