Heath_H
Contributor

Identity Provider (SAML) and Access Roles for Mobile Access Blade

Running R80.40 JHF Take 48 with the MobileAccess UI EA hotfix applied.

I'm trying to set up SAML 2.0 authentication (IdentityProvider object) to use Okta for authentication to the Mobile Access Blade (SSL VPN).

The SAML authentication works (IdP initiated is a little odd because I have it set to use Endpoint Compliance, so you end up having to hit the SAML auth button after the compliance scan even though it was IdP initiated).

But the authenticated user is NOT matching any of the Access Roles.  These are Access Roles set up using the only LDAP AU defined on the system.  I know that the LDAP AU works because if I use RADIUS authentication to an Okta RADIUS agent, the same user matches the Access Roles and the appropriate web apps show up in the portal and SNX allows the correct access.  The logs for both situations are identical on the Check Point side (both show the user DN correctly).

What I'm trying to determine is if anyone has this sort of setup working or not?  I opened a TAC/Diamond case earlier last week stating that it wasn't working, but haven't really gotten a response yet and I want to know if anyone has actually gotten it to work correctly or not.

Note that this is strictly for remote access.  I don't care about using it for user-based rules for outbound access (at this time).

0 Kudos
7 Replies
Tim_Tielens
Contributor

Did you get any replies ?
I'm trying the same thing but with Azure MFA and conditional access.

We still use Legacy MAB policy
According to the logs, my SAML user is matching all the correct LDAP roles.
I'm matching the correct access roles in the legacy MAB portal, but SSL VPN (SNX) is not working.
It just tries to connect and then stops.

User DN is the same on another VS running Mobile Access...

0 Kudos
Heath_H
Contributor

I'm not using Azure as my SSO provider, I'm using Okta and LDAP groups so it's a simpler setup, I think.


That said, it's not in production yet, I verified it in a lab and have production configured, but haven't put it into use yet.

0 Kudos
Tim_Tielens
Contributor

I also have a lab running, but not on the ongoing JHF42 for R81.
Think my setup is more or less the same, except I use Azure AD and local LDAP groups.

0 Kudos
RickyDan
Contributor

While I am not doing your exact use-case, I hope this helps in some way.

I integrated AD into Okta and for that, you tell it what OU it should pull users from and what OU to pull groups from.

I configured the Okta Check Point RADIUS app to return group information (screenshot below).

[screenshot: okta-return-groups.PNG]

On the firewall side, configure the access role to include the corresponding RADIUS group for the AD group. In my case, I have a MIS group in AD so I created RADIUS group RAD_MIS (the RAD_ is mandatory and then the group must match the AD name exactly).

[screenshot: mis-access-role.png]

0 Kudos
Heath_H
Contributor

I finally set this up in my production environment.  The only difference is that I'm still running R80.40 in production but am running R81 in my lab.

When using SAML authentication in MAB in R80.40, the access roles don't appear to be working with SNX.  As soon as a user launches SNX, any traffic that should match the MAB inline policy (I'm using unified policy via an inline policy layer) is getting dropped by the MAB inline policy cleanup rule.  If the same user logs in via RADIUS and then launches SNX, everything works fine.

I have opened a support case for this and will update here if they are able to figure anything out.

I'm using Okta SAML for SSO and using the sAMAccountName as the naming attribute for production and lab setups.  I have tried setting the User Directory setting to use the LDAP Account unit default as well as set it to sAMAccountName and there was no difference.

Between my lab and production, I'm using the same Okta environment (different "app", but with identical settings) as well as the same LDAP Account unit setup (same credentials, same domain controllers).

0 Kudos
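The two posts above describe the same matching step from two directions: RickyDan's RADIUS path, where the group name returned by Okta has to line up with a Check Point user group named RAD_<group> (exact spelling), and Heath_H's SAML path, where the NameID Okta sends (here the sAMAccountName) has to be resolved through the LDAP Account Unit to a DN before the DN's group memberships can be compared with the Access Roles. The script below is an added example that is not from either poster and not Check Point's own logic; it models both lookups over a constructed SAML assertion and a constructed in-memory directory so you can see which step is the one that yields no matching role when the naming attribute on the gateway disagrees with what the IdP sends. The directory contents, DNs, role names and the `RAD_` prefix handling are assumptions made for illustration.

```python
"""Added example (not from the original thread): trace the Access Role
matching step for a SAML-authenticated and a RADIUS-authenticated user.
All data below is constructed for illustration."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion fragment. The NameID carries whatever value
# the IdP app is configured to send (here an sAMAccountName, "jdoe").
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed stand-in for what the LDAP Account Unit would return.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "CN=John Doe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@example.com",
        "memberOf": {"CN=MIS,OU=Groups,DC=example,DC=com"},
    },
}

# Access Roles keyed by name; each holds the LDAP group DNs it contains.
ACCESS_ROLES: Dict[str, Set[str]] = {
    "MIS_RemoteAccess": {"CN=MIS,OU=Groups,DC=example,DC=com"},
    "Finance_RemoteAccess": {"CN=Finance,OU=Groups,DC=example,DC=com"},
}

# RADIUS path: Access Roles built from Check Point user groups named
# RAD_<group>, as described in the thread (assumed exact-match semantics).
RADIUS_ROLES: Dict[str, Set[str]] = {"MIS_RemoteAccess": {"RAD_MIS"}}


def extract_nameid(assertion_xml: str) -> str:
    """Pull the subject NameID out of the assertion."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    if node is None or not node.text:
        raise ValueError("assertion has no NameID")
    return node.text.strip()


def resolve_dn(directory: Dict[str, Dict[str, object]],
               naming_attr: str, value: str) -> Optional[str]:
    """Resolve the NameID to a DN using the attribute the Account Unit
    is configured to treat as the user name. A mismatch here (IdP sends
    UPN, gateway searches sAMAccountName) means no DN and no roles."""
    for dn, attrs in directory.items():
        if attrs.get(naming_attr) == value:
            return dn
    return None


def roles_for_dn(directory: Dict[str, Dict[str, object]], dn: str,
                 roles: Dict[str, Set[str]]) -> List[str]:
    """Access Roles whose LDAP groups intersect the user's memberOf."""
    groups = directory[dn]["memberOf"]
    return sorted(name for name, members in roles.items() if members & groups)


def roles_for_saml_user(assertion_xml: str, naming_attr: str,
                        directory=DIRECTORY, roles=ACCESS_ROLES) -> List[str]:
    """End-to-end SAML path: NameID -> DN -> matching Access Roles."""
    dn = resolve_dn(directory, naming_attr, extract_nameid(assertion_xml))
    if dn is None:
        return []
    return roles_for_dn(directory, dn, roles)


def roles_for_radius_groups(returned_groups: List[str],
                            roles=RADIUS_ROLES) -> List[str]:
    """RADIUS path: each group name the RADIUS server returns is matched
    against a Check Point group named RAD_<group>, spelled exactly."""
    cp_groups = {"RAD_" + g for g in returned_groups}
    return sorted(name for name, members in roles.items() if members & cp_groups)


if __name__ == "__main__":
    print("SAML, AU naming attr sAMAccountName:",
          roles_for_saml_user(SAMPLE_ASSERTION, "sAMAccountName"))
    print("SAML, AU naming attr userPrincipalName:",
          roles_for_saml_user(SAMPLE_ASSERTION, "userPrincipalName"))
    print("RADIUS, server returned group MIS:", roles_for_radius_groups(["MIS"]))
```

Run it as-is and the SAML lookup succeeds only when the Account Unit's naming attribute is the same attribute the IdP populated the NameID from; switching the gateway to `userPrincipalName` while Okta still sends `jdoe` drops to an empty role list, which is the same symptom as the thread describes even though the authentication itself succeeded. The RADIUS function shows the other constraint from the thread: `MIS` maps to `RAD_MIS`, but `mis` does not.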
RickyDan
Contributor

I'm interested to know the outcome as well. Only after my post did I realize SAML authentication with Mobile Access is what I needed which is to have the Okta login as the login presented to the remote user. I was using RADIUS integration.

Can you share a screenshot of how your mobile access login portal looks with SAML auth?

0 Kudos
Douglas_Rich
Contributor

Was anyone able to make this happen?  From what I'm seeing the only method is RADIUS with Mobile Access.  But maybe Okta SAML can work with Remote Access.

0 Kudos
