This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PCAILLE
Explorer
‎2024-06-18 07:05 AM

Keycloak - Browser-Based authentication for VPN users

Hello,

We currently want to enable MFA for our partners connected via IPsec tunnel.

To achieve this, we have an IAM (Keycloak) that we want to use to redirect partners, allowing them to access certain resources.

I found the following documentation on configuring Keycloak to authenticate user accounts for access to the SmartConsole: https://community.checkpoint.com/t5/Management/Keycloak-SAML-Authentication-for-SmartConsole/td-p/18...

Keycloak is configured as described in the above documentation (custom client scope) and as an Identity Provider for Browser-Based Authentication (cf. attached screens CHKP_config1 and 2)

What we are looking for is the remaining configuration needed to enable MFA. Specifically:

  1. What do we have to do to redirect VPN partners to the Keycloak Portal?
  2. Which source criteria in Security Policies (e.g., sources to target, Identity tags, Access Roles, User Groups) need to be set?

Additionally, are there any other configuration steps required ?

Thanks,

Regards,

Thibaut

Preview file
49 KB
Preview file
28 KB
0 Kudos
12 Replies
PhoneBoy
Admin
Admin
‎2024-06-18 03:37 PM

If your intention is to use Keycloak to authenticate Remote Access users, you will have to create another SAML provider (i.e. you cannot reuse your existing one) and follow the relevant steps.

0 Kudos
PCAILLE
Explorer
‎2024-06-18 11:22 PM
In response to PhoneBoy

Actually, the Keycloak provider is not currently used for any user authentication (we only followed the documentation part that focuses on the Keycloak configuration). We would like to set up authentication only for Remote Access users and not for SmartConsole access as described in the documentation.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-06-19 03:14 AM
In response to PCAILLE

Did you follow the links I sent?

Andy

Best,
Andy
0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2024-07-22 07:56 AM
In response to the_rock

Also, when we say Remote Access VPN users, that includes support for SSLVPN users too right?   Not just the fat endpoint security client?  RE: SAML Support for Remote Access VPN (checkpoint.com)

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-22 08:49 AM
In response to Daniel_Kavan

I assume it will work if invoked via MAB portal, which supports SAML auth.

0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2024-07-22 09:38 AM
In response to PhoneBoy

It doesn't look like it.   In the known limitations section at the bottom of SAML Support for Remote Access VPN (checkpoint.com), it says 

  • This feature supports only IPsec VPN

     clients.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-22 11:32 AM
In response to Daniel_Kavan

Appears to be supported in Unified Policy mode: https://support.checkpoint.com/results/sk/sk170775 

Daniel_Kavan
MVP Gold
MVP Gold
‎2024-07-28 11:40 AM
In response to PhoneBoy

After spending a couple of days on this, I'm still spinning my wheels.    

SAML Support for Remote Access VPN (checkpoint.com)

RE: sslvpn web browser (not Endpoint client) 

I have mobile access running in unified mode configured now.  I login with the nice keycloak icon on the CP portal (on the keycloak server it says there is an active session), however I get re-directed back. to the check point portal Login page  and  get the message User is unauthorized.  I have a role set up that includes my EXT_ID_keycloak group.  It feels like I'm close but no cigar.  I'm going to re-read the tags and group attributes.

 

RE: SAML Support for Remote Access VPN (checkpoint.com) in the section "if you use an on-premises Active Directory (LDAP)

We have AD on prem, but we aren't using it with our Keycloak / SAML set up,  so when directions say to do A if you have AD and if you don't do B, I'm not sure which way to go.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-29 05:08 AM
In response to Daniel_Kavan

If the SAML assertion contains the relevant groups and you've configured the EXT_ID_ groups, you shouldn't need LDAP.

Daniel_Kavan
MVP Gold
MVP Gold
‎2024-07-29 05:55 AM
In response to PhoneBoy

Thanks, yes I have the EXT_ID_Test set which matches the Test group on keycloak.   I have a role_based rule in my unified policy with a newly created web application.   However, after I login - I get User is unauthorized.   I wonder if the username has to be unique to any internal users.  I'm going to try a unique username today.   Update -  a unique username didn't help.  User is unathorized...   I'm testing with sslvpn web apps, and not from  a fat client and not snx.   I'm not even getting to the screen where I connect with SNX.  I haven't seen any documentation to convince me that mobile access portal can support SAML with no SNX or fat client.   IOW, I'm trying to login with the edge browser to the portal.       

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-29 11:23 AM
In response to Daniel_Kavan

The MAB portal should support SAML without using SNX.
My guess is you'll need TAC to help troubleshoot what's happening in the SAML Assertion.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-06-18 04:33 PM

Hey Thibaut,

I agree with what Phoneboy said. Just follow below steps (youtube video by Peter Elmer is super helpful)

Andy

 

https://support.checkpoint.com/results/sk/sk172909

https://www.youtube.com/playlist?list=PLBfjYlNj4w1vJJBCdwJCAta4kvxI0t0Fb (part 4)

 

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events