Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PCAILLE
Explorer

Keycloak - Browser-Based authentication for VPN users

Hello,

We currently want to enable MFA for our partners connected via IPsec tunnel.

To achieve this, we have an IAM (Keycloak) that we want to use to redirect partners, allowing them to access certain resources.

I found the following documentation on configuring Keycloak to authenticate user accounts for access to the SmartConsole: https://community.checkpoint.com/t5/Management/Keycloak-SAML-Authentication-for-SmartConsole/td-p/18...

Keycloak is configured as described in the above documentation (custom client scope) and as an Identity Provider for Browser-Based Authentication (cf. attached screens CHKP_config1 and 2)

What we are looking for is the remaining configuration needed to enable MFA. Specifically:

  1. What do we have to do to redirect VPN partners to the Keycloak Portal?
  2. Which source criteria in Security Policies (e.g., sources to target, Identity tags, Access Roles, User Groups) need to be set?

Additionally, are there any other configuration steps required ?

Thanks,

Regards,

Thibaut

0 Kudos
12 Replies
PhoneBoy
Admin
Admin

If your intention is to use Keycloak to authenticate Remote Access users, you will have to create another SAML provider (i.e. you cannot reuse your existing one) and follow the relevant steps.

0 Kudos
PCAILLE
Explorer

Actually, the Keycloak provider is not currently used for any user authentication (we only followed the documentation part that focuses on the Keycloak configuration). We would like to set up authentication only for Remote Access users and not for SmartConsole access as described in the documentation.

0 Kudos
the_rock
Legend
Legend

Did you follow the links I sent?

Andy

0 Kudos
Daniel_Kavan
Advisor
Advisor

Also, when we say Remote Access VPN users, that includes support for SSLVPN users too right?   Not just the fat endpoint security client?  RE: SAML Support for Remote Access VPN (checkpoint.com)

 

 

0 Kudos
PhoneBoy
Admin
Admin

I assume it will work if invoked via MAB portal, which supports SAML auth.

0 Kudos
Daniel_Kavan
Advisor
Advisor

It doesn't look like it.   In the known limitations section at the bottom of SAML Support for Remote Access VPN (checkpoint.com), it says 

  • This feature supports only IPsec VPN

     clients.

0 Kudos
PhoneBoy
Admin
Admin

Appears to be supported in Unified Policy mode: https://support.checkpoint.com/results/sk/sk170775 

Daniel_Kavan
Advisor
Advisor

After spending a couple of days on this, I'm still spinning my wheels.    

SAML Support for Remote Access VPN (checkpoint.com)

RE: sslvpn web browser (not Endpoint client) 

I have mobile access running in unified mode configured now.  I login with the nice keycloak icon on the CP portal (on the keycloak server it says there is an active session), however I get re-directed back. to the check point portal Login page  and  get the message User is unauthorized.  I have a role set up that includes my EXT_ID_keycloak group.  It feels like I'm close but no cigar.  I'm going to re-read the tags and group attributes.

 

RE: SAML Support for Remote Access VPN (checkpoint.com) in the section "if you use an on-premises Active Directory (LDAP)

We have AD on prem, but we aren't using it with our Keycloak / SAML set up,  so when directions say to do A if you have AD and if you don't do B, I'm not sure which way to go.

0 Kudos
PhoneBoy
Admin
Admin

If the SAML assertion contains the relevant groups and you've configured the EXT_ID_ groups, you shouldn't need LDAP.

Daniel_Kavan
Advisor
Advisor

Thanks, yes I have the EXT_ID_Test set which matches the Test group on keycloak.   I have a role_based rule in my unified policy with a newly created web application.   However, after I login - I get User is unauthorized.   I wonder if the username has to be unique to any internal users.  I'm going to try a unique username today.   Update -  a unique username didn't help.  User is unathorized...   I'm testing with sslvpn web apps, and not from  a fat client and not snx.   I'm not even getting to the screen where I connect with SNX.  I haven't seen any documentation to convince me that mobile access portal can support SAML with no SNX or fat client.   IOW, I'm trying to login with the edge browser to the portal.       

0 Kudos
PhoneBoy
Admin
Admin

The MAB portal should support SAML without using SNX.
My guess is you'll need TAC to help troubleshoot what's happening in the SAML Assertion.

0 Kudos
the_rock
Legend
Legend

Hey Thibaut,

I agree with what Phoneboy said. Just follow below steps (youtube video by Peter Elmer is super helpful)

Andy

 

https://support.checkpoint.com/results/sk/sk172909

https://www.youtube.com/playlist?list=PLBfjYlNj4w1vJJBCdwJCAta4kvxI0t0Fb (part 4)

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events