PCAILLE
Explorer

Keycloak - Browser-Based authentication for VPN users

Hello,

We currently want to enable MFA for our partners connected via IPsec tunnel.

To achieve this, we have an IAM (Keycloak) that we want to use to redirect partners, allowing them to access certain resources.

I found the following documentation on configuring Keycloak to authenticate user accounts for access to the SmartConsole: https://community.checkpoint.com/t5/Management/Keycloak-SAML-Authentication-for-SmartConsole/td-p/18...

Keycloak is configured as described in the above documentation (custom client scope) and as an Identity Provider for Browser-Based Authentication (cf. attached screens CHKP_config1 and CHKP_config2).

What we are looking for is the remaining configuration needed to enable MFA. Specifically:

  1. What do we have to do to redirect VPN partners to the Keycloak Portal?
  2. Which source criteria in Security Policies (e.g., sources to target, Identity tags, Access Roles, User Groups) need to be set?

Additionally, are there any other configuration steps required?

Thanks,

Regards,

Thibaut

8 Replies
PhoneBoy
Admin

If your intention is to use Keycloak to authenticate Remote Access users, you will have to create another SAML provider (i.e. you cannot reuse your existing one) and follow the relevant steps.

PCAILLE
Explorer

Actually, the Keycloak provider is not currently used for any user authentication (we only followed the documentation part that focuses on the Keycloak configuration). We would like to set up authentication only for Remote Access users and not for SmartConsole access as described in the documentation.

the_rock
Legend

Did you follow the links I sent?

Andy

Daniel_Kavan
Advisor

Also, when we say Remote Access VPN users, that includes support for SSL VPN users too, right? Not just the fat Endpoint Security client? RE: SAML Support for Remote Access VPN (checkpoint.com)

PhoneBoy
Admin

I assume it will work if invoked via MAB portal, which supports SAML auth.

Daniel_Kavan
Advisor

It doesn't look like it. In the known limitations section at the bottom of SAML Support for Remote Access VPN (checkpoint.com), it says:

  • This feature supports only IPsec VPN clients.

PhoneBoy
Admin

Appears to be supported in Unified Policy mode: https://support.checkpoint.com/results/sk/sk170775 

the_rock
Legend

Hey Thibaut,

I agree with what PhoneBoy said. Just follow the steps below (the YouTube video by Peter Elmer is super helpful).

Andy


https://support.checkpoint.com/results/sk/sk172909

https://www.youtube.com/playlist?list=PLBfjYlNj4w1vJJBCdwJCAta4kvxI0t0Fb (part 4)
