This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
796570686578
Collaborator
2 weeks ago
Jump to solution

Mobile Access Portal with SAML, questions regarding the policy

Hello everyone,

 

I am currently working on a PoC for a customer to implement SAML and MFA for their Mobile Access Portal. This part, I was able to get to work in my lab but I am having trouble understanding how to adapt the Mobile Access Policy. This is about the only customer I know using Mobile Access with Application Access via SNX and since they mainly manage it themselves, I am not quite knowledgeable on this topic.

 

Currently they are using the Legacy Policy in SmartDashboard. From what it seems, users are authenticated to Applications via RADIUS.

Now during the SAML configuration, I had to add an External User Profile named generic* in SmartDashboard and add this profile/user to the group specified as the source in the Mobile Access Policy in SmartDashboard. Without the generic* user in the policy/group, I was not able to authenticate via SAML.

 

Now this brings up a few questions, since adding the generic* user to every group/rule would allow any user to access any application.

- Do I misunderstand how the policy works? Is there still a way to only allow access to certain applications to certain users?

- I tried to switch to Unified Access Policy but Access Roles using Azure AD are not allowed in a rule with a Mobile Access Application. Is there a workaround?

 

I'm sure I am missing something here, because it doesn't really make sense to me...

 

Thank you and best regards

 

1 Solution

Accepted Solutions
796570686578
Collaborator
2 weeks ago
In response to PhoneBoy
Jump to solution

Hey phoneboy,

It's just Azure AD Access Roles that dont work with Mobile Access Applications:

2024-05-02 13_44_29-Install Policy Details.png

 

I was finally able to get it to work though, using the following SK: https://support.checkpoint.com/results/sk/sk177267 

The youtube video by peter elmer explains it really well. I had to manually edit the manifest file of the application, add the groups there and also create local empty user groups in SmartConsole.

But would have been nice nonetheless if it worked with Azure Access Roles directly

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
2 weeks ago
Jump to solution

Access Roles are supported in the Unified Policy per official documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont...
Where are you seeing it's not supported?

0 Kudos
796570686578
Collaborator
2 weeks ago
In response to PhoneBoy
Jump to solution

Hey phoneboy,

It's just Azure AD Access Roles that dont work with Mobile Access Applications:

2024-05-02 13_44_29-Install Policy Details.png

 

I was finally able to get it to work though, using the following SK: https://support.checkpoint.com/results/sk/sk177267 

The youtube video by peter elmer explains it really well. I had to manually edit the manifest file of the application, add the groups there and also create local empty user groups in SmartConsole.

But would have been nice nonetheless if it worked with Azure Access Roles directly

0 Kudos
PhoneBoy
Admin
Admin
2 weeks ago
In response to 796570686578
Jump to solution

Glad you got it working, thanks for sharing!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events