Mobile Access Portal with SAML, questions regarding the policy

Hello everyone,


I am currently working on a PoC for a customer to implement SAML and MFA for their Mobile Access Portal. This part, I was able to get to work in my lab but I am having trouble understanding how to adapt the Mobile Access Policy. This is about the only customer I know using Mobile Access with Application Access via SNX and since they mainly manage it themselves, I am not quite knowledgeable on this topic.


Currently they are using the Legacy Policy in SmartDashboard. From what it seems, users are authenticated to Applications via RADIUS.

Now during the SAML configuration, I had to add an External User Profile named generic* in SmartDashboard and add this profile/user to the group specified as the source in the Mobile Access Policy in SmartDashboard. Without the generic* user in the policy/group, I was not able to authenticate via SAML.


Now this brings up a few questions, since adding the generic* user to every group/rule would allow any user to access any application.

- Do I misunderstand how the policy works? Is there still a way to only allow access to certain applications to certain users?

- I tried to switch to Unified Access Policy but Access Roles using Azure AD are not allowed in a rule with a Mobile Access Application. Is there a workaround?


I'm sure I am missing something here, because it doesn't really make sense to me...


Thank you and best regards


Accepted Solution

796570686578 (Collaborator)
Hey phoneboy,

It's just Azure AD Access Roles that don't work with Mobile Access Applications:

[Screenshot attachment: Install Policy Details]

I was finally able to get it to work though, using the following SK: https://support.checkpoint.com/results/sk/sk177267 

The YouTube video by Peter Elmer explains it really well. I had to manually edit the manifest file of the application, add the groups there and also create local empty user groups in SmartConsole.

But it would have been nice nonetheless if it worked with Azure Access Roles directly.

Replies

PhoneBoy (Admin)

Access Roles are supported in the Unified Policy per official documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont...
Where are you seeing it's not supported?

PhoneBoy (Admin)

Glad you got it working, thanks for sharing!
