This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andre91
Explorer
‎2022-11-14 11:14 AM

Proxy-Configuration on SAML Authentication to Azure

Hey community,

we have set up SAML-authentication to azure for our remote clients on our Cluster-XL (R81.10). We wanted to enable single-sign-on, so when the windows-credentials are inserted on windows login mask, the endpoint security client starts and connects with the credentials on the azure active-directory before windows-login runns through.

So far it works, till the client wants to connect. In the status bar the connection continues till "Connecting to site" then after some minutes we get the error "Negotiation with site failed".

On our other client we noticed, that the client connects not until windows login is ready and desktop is shown. Than the client opens itself and the SAML-login runs through correctly.

We found a difference in proxy-configuration on both clients. We use a proxy-skript, that lies on a webserver that is only accessible when vpn-tunnel is running. On the Endpoint Connect Client, we use the "No Proxy"-Setting. On both clients "auto-connect" for the site is enabled and SDL is enabled too. 

Is there a "best-practise" for proxy-configuration when using SAML-authentication or can you give us tipps how you use proxy-scripts on SAML-authentication?

Thanks so far and best regards

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2022-11-14 01:41 PM

What you're attempting to do is currently not supported.
Specifically, SDL and SAML are not supported together.

0 Kudos
Alex_Lewis
Contributor
‎2023-08-11 05:09 AM
In response to PhoneBoy

Is there an alternative to SDL when using SAML? I tried machine tunnel before logon but that gets shutdown as soon as you enter your credentials to login to Windows. Without SDL, several things fail (drive mappings, etc) right after login because of the lag before the VPN client starts.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-23 02:58 PM
In response to Alex_Lewis

Yes, this is expected behavior: the machine tunnel shuts down after the user logs in so the user-specific tunnel can be brought up.

There is a customer release that offers support for SDL with SAML.
If you have an urgent need for this functionality, please consult with your local Check Point office.
I expect this to be added to mainstream releases in the future (though do not have a timeline for this).

0 Kudos
Alex_Lewis
Contributor
‎2024-03-13 06:53 AM
In response to PhoneBoy

Is there any way to improve the end-user experience for Remote VPN w/SAML?  I tried the RFE process to get the customer release that support SDL with SAML to no avail.  This has been talked about for quite some time and I can't believe that CP still has not released a solution to make SAML auth VPN a viable solution.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-03-13 08:14 AM
In response to Alex_Lewis

Did you contact your local office as instructed?
They should be able to contact our Solution Center internally to obtain this release.
Note it is tied to a specific version/JHF level.

0 Kudos
Alex_Lewis
Contributor
‎2024-03-13 08:33 AM
In response to PhoneBoy

Yes, they sent me the RFE link and I sent them the Feedback Reference # after I submitted the RFE (3 months ago now). Crickets since then. 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-03-13 11:50 AM
In response to Alex_Lewis

That process does not involve Solution Center.
In any case, I will contact your account team on the backend to ensure this is handled correctly.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events