Hello,
We currently want to enable MFA for our partners connected via IPsec tunnel.
To achieve this, we have an IAM (Keycloak) that we want to use to redirect partners, allowing them to access certain resources.
I found the following documentation on configuring Keycloak to authenticate user accounts for access to the SmartConsole: https://community.checkpoint.com/t5/Management/Keycloak-SAML-Authentication-for-SmartConsole/td-p/18...
Keycloak is configured as described in the above documentation (custom client scope) and as an Identity Provider for Browser-Based Authentication (cf. attached screens CHKP_config1 and 2).
What we are looking for is the remaining configuration needed to enable MFA. Specifically:
- What do we have to do to redirect VPN partners to the Keycloak Portal?
- Which source criteria in Security Policies (e.g., sources to target, Identity tags, Access Roles, User Groups) need to be set?
Additionally, are there any other configuration steps required?
Thanks,
Regards,
Thibaut