After spending a couple of days on this, I'm still spinning my wheels.
SAML Support for Remote Access VPN (checkpoint.com)
RE: sslvpn web browser (not Endpoint client)
I have Mobile Access running in unified mode configured now. I log in with the nice Keycloak icon on the CP portal (on the Keycloak server it says there is an active session), however I get redirected back to the Check Point portal login page and get the message "User is unauthorized". I have a role set up that includes my EXT_ID_keycloak group. It feels like I'm close but no cigar. I'm going to re-read the tags and group attributes.
RE: SAML Support for Remote Access VPN (checkpoint.com) in the section "if you use an on-premises Active Directory (LDAP)"
We have AD on prem, but we aren't using it with our Keycloak / SAML setup, so when the directions say to do A if you have AD and B if you don't, I'm not sure which way to go.