Heath_H
Contributor

Identity Provider (SAML) and Access Roles for Mobile Access Blade

Running R80.40 JHF Take 48 with the MobileAccess UI EA hotfix applied.

I'm trying to set up SAML 2.0 authentication (IdentityProvider object) to use Okta for authentication to the Mobile Access Blade (SSL VPN).

The SAML authentication works (IdP-initiated is a little odd because I have it set to use Endpoint Compliance, so you end up having to hit the SAML auth button after the compliance scan even though it was IdP-initiated).

But the authenticated user is NOT matching any of the Access Roles.  These are Access Roles set up using the only LDAP AU defined on the system.  I know that the LDAP AU works because if I use RADIUS authentication to an Okta RADIUS agent, the same user matches the Access Roles and the appropriate web apps show up in the portal and SNX allows the correct access.  The logs for both situations are identical on the Check Point side (both show the user DN correctly).

What I'm trying to determine is whether anyone has this sort of setup working. I opened a TAC/Diamond case earlier last week stating that it wasn't working, but haven't really gotten a response yet, and I want to know if anyone has actually gotten it to work correctly or not.

Note that this is strictly for remote access.  I don't care about using it for user-based rules for outbound access (at this time).

0 Kudos
3 Replies
Tim_Tielens
Contributor

Did you get any replies?
I'm trying the same thing but with Azure MFA and conditional access.

We still use Legacy MAB policy
According to the logs, my SAML user is matching all the correct LDAP roles.
I'm matching the correct access roles in the legacy MAB portal, but SSL VPN (SNX) is not working.
It just tries to connect and then stops.

User DN is the same on another VS running Mobile Access...

0 Kudos
Heath_H
Contributor

I'm not using Azure as my SSO provider, I'm using Okta and LDAP groups so it's a simpler setup, I think.

That said, it's not in production yet: I verified it in a lab and have production configured, but haven't put it into use yet.

0 Kudos
Tim_Tielens
Contributor

I also have a lab running, but not on the ongoing JHF42 for R81.
Think my setup is more or less the same, except I use Azure AD and local LDAP groups.

0 Kudos