This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Heath_H
Contributor
‎2021-10-01 07:31 AM
Jump to solution

Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

I'm trying to put web apps in Mobile Access that leverage SAML based SSO (we use Okta, but it's the same for any SAML SSO provider).

 

The challenge is, that the application redirects to the SAML IdP just fine, but when the IdP redirects back to the relying party (SP), it is using the configured Relying Party URL.  So we need to send the IdP traffic through Mobile Access in order for MAB to be able to rewrite those URLs as they contain the SAML assertion that needs to go to the SP.

I have tried adding the SAML IdP URL as a web application and including it in the rules.  This almost works, but it seems that the URL rewriting code is either not able to or just isn't updating the SRI in the URL causing the browser to not load it as the SRI value doesn't match the rewritten URL.

I had a TAC case opened with my Diamond Engineer (6-0002161253), but it got closed in the transition from one engineer to another because the debugs that I had provided to the case got lost and I didn't want to go through an gather debugs all over for something that I clearly documented as an issue with the MAB URL rewrite.

I wanted to ask the community if anyone had been able to successfully add a web application to MAB that used SAML authentication and, if so, now.

Thanks,

heath

Labels
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
Tuesday
In response to Daniel_Kavan
Jump to solution

The root post for this relates to backend apps that require SAML authentication to access.
Meanwhile, the frontend of MAB very much supports SAML authentication.
It's even in the documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont...

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2021-10-04 05:26 PM
Jump to solution

This may not be supported.
@MaksimBahunou can you confirm?

0 Kudos
MaksimBahunou
Employee
Employee
‎2021-10-04 11:42 PM
In response to PhoneBoy
Jump to solution

@PhoneBoy , you are right. Such configuration is not supported.

0 Kudos
Heath_H
Contributor
‎2021-10-05 04:59 AM
In response to MaksimBahunou
Jump to solution

So what is the answer for that situation as more and more applications are leveraging SSO, including internal ones.  Further, SRI is a security measure and I only see it's use increasing in web-based applications.

Is the recommendation to move to something like an F5 in a DMZ that better handle URL rewriting for internal web applications coupled with SSO and MFA and just avoid the need for an SSL VPN entirely?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-06 09:11 AM
In response to Heath_H
Jump to solution

We have a different solution that handles this use case better called Harmony Connect.
The deployment/management model is a bit different, but it achieves the same result.

Daniel_Kavan
Advisor
Tuesday
In response to PhoneBoy
Jump to solution

Is this still the case today?   Harmony  Connect is recommended over sslvpn with SAML and web apps?  

It's odd that saml sso is supported for snx, Endpoint Security fat clients but not web apps.   It's not supported with mobile access portal or the identity awareness browser portal?   I'll check out the harmony connect, it looks like its a solution with the infinity portal.   Can it it be used to access on premise resources?

0 Kudos
PhoneBoy
Admin
Admin
Tuesday
In response to Daniel_Kavan
Jump to solution

Since that post was made, Harmony SASE is now the solution.
The Mobile Access Portal itself supports SAML authentication (has since R80.40).

Are you talking about a backend app (accessible via the MAB frontend) that requires SAML authentication?

0 Kudos
Daniel_Kavan
Advisor
Tuesday
In response to PhoneBoy
Jump to solution

TAC just closed my case referencing this post, that SAML authentication wasn't supported for MAB web applications.   No, I don't need SAML for the backend apps, I'm just trying to get to them!

0 Kudos
PhoneBoy
Admin
Admin
Tuesday
In response to Daniel_Kavan
Jump to solution

The root post for this relates to backend apps that require SAML authentication to access.
Meanwhile, the frontend of MAB very much supports SAML authentication.
It's even in the documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events