Andre91
Explorer

Proxy-Configuration on SAML Authentication to Azure

Hey community,

We have set up SAML authentication to Azure for our remote clients on our ClusterXL (R81.10). We wanted to enable single sign-on, so that when the Windows credentials are entered in the Windows login mask, the Endpoint Security client starts and connects with those credentials to Azure Active Directory before the Windows login runs through.

So far it works, until the client wants to connect. In the status bar the connection continues until "Connecting to site", then after some minutes we get the error "Negotiation with site failed".

On our other client we noticed that the client does not connect until the Windows login is ready and the desktop is shown. Then the client opens itself and the SAML login runs through correctly.

We found a difference in the proxy configuration on both clients. We use a proxy script that lies on a web server which is only accessible when the VPN tunnel is running. On the Endpoint Connect client we use the "No Proxy" setting. On both clients "auto-connect" for the site is enabled, and SDL is enabled too.

Is there a "best practice" for proxy configuration when using SAML authentication, or can you give us tips on how you use proxy scripts with SAML authentication?

Thanks so far and best regards


0 Kudos
7 Replies
PhoneBoy
Admin

What you're attempting to do is currently not supported.
Specifically, SDL and SAML are not supported together.

0 Kudos
Alex_Lewis
Contributor

Is there an alternative to SDL when using SAML? I tried machine tunnel before logon, but that gets shut down as soon as you enter your credentials to log in to Windows. Without SDL, several things fail (drive mappings, etc.) right after login because of the lag before the VPN client starts.

0 Kudos
PhoneBoy
Admin

Yes, this is expected behavior: the machine tunnel shuts down after the user logs in so the user-specific tunnel can be brought up.

There is a customer release that offers support for SDL with SAML.
If you have an urgent need for this functionality, please consult with your local Check Point office.
I expect this to be added to mainstream releases in the future (though do not have a timeline for this).

0 Kudos
Alex_Lewis
Contributor

Is there any way to improve the end-user experience for Remote VPN with SAML? I tried the RFE process to get the customer release that supports SDL with SAML, to no avail. This has been talked about for quite some time and I can't believe that CP still has not released a solution to make SAML auth VPN a viable solution.

0 Kudos
PhoneBoy
Admin

Did you contact your local office as instructed?
They should be able to contact our Solution Center internally to obtain this release.
Note it is tied to a specific version/JHF level.

0 Kudos
Alex_Lewis
Contributor

Yes, they sent me the RFE link and I sent them the Feedback Reference # after I submitted the RFE (3 months ago now). Crickets since then.

0 Kudos
PhoneBoy
Admin

That process does not involve Solution Center.
In any case, I will contact your account team on the backend to ensure this is handled correctly.

0 Kudos
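The original question also asks how to handle a proxy script (PAC) that is hosted on a web server reachable only through the tunnel. The support statement in the replies stands (SDL together with SAML is not supported), but independent of that, a PAC that the client can only fetch after the tunnel is up must not make the VPN gateway or the Azure AD sign-in endpoints themselves depend on the proxy, otherwise the SAML redirect has no path out until the tunnel exists. Below is an added example of such a PAC, written here and not taken from the thread or from Check Point documentation. The gateway name vpn.example.com, the proxy proxy.corp.example:8080, the internal suffix .corp.example and the list of Azure AD sign-in domains are all assumptions for illustration; the small dnsDomainIs/isPlainHostName shims exist only so the file also runs under Node for testing, since a real PAC engine provides those built-ins itself.

```javascript
// Added example PAC script (not from the thread or from Check Point).
// Goal: keep the VPN gateway and the identity-provider sign-in hosts off the
// proxy, so the SAML browser redirect and the gateway connection never wait on a
// proxy that is only reachable through the tunnel.

// Shims for the PAC built-ins, so this file runs under Node for testing.
// A real PAC engine (WinINET/WinHTTP, browsers) supplies these natively;
// they are only defined here when missing.
if (typeof dnsDomainIs === "undefined") {
  // PAC semantics: true when host ends with the given domain suffix.
  globalThis.dnsDomainIs = function (host, domain) {
    return host.endsWith(domain);
  };
}
if (typeof isPlainHostName === "undefined") {
  // PAC semantics: true when the host has no dots (a bare intranet name).
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}

// All names below are assumptions for illustration; replace with your own.
var VPN_GATEWAY = "vpn.example.com";                      // assumed gateway FQDN
var INTERNAL_SUFFIX = ".corp.example";                    // assumed internal DNS suffix
var INTERNAL_PROXY = "PROXY proxy.corp.example:8080";     // assumed proxy behind the tunnel
var IDP_DOMAINS = [                                       // assumed Azure AD sign-in domains
  ".microsoftonline.com",
  ".login.microsoft.com",
  ".msftauth.net",
  ".msauth.net"
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Bare intranet names and the internal suffix go direct (reachable via tunnel).
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }

  // The VPN gateway must never be routed through a proxy that lives behind it.
  if (host === VPN_GATEWAY) {
    return "DIRECT";
  }

  // The IdP must be reachable before the tunnel exists, so it goes direct too.
  for (var i = 0; i < IDP_DOMAINS.length; i++) {
    if (host === IDP_DOMAINS[i].slice(1) || dnsDomainIs(host, IDP_DOMAINS[i])) {
      return "DIRECT";
    }
  }

  // Everything else: the internal proxy, with DIRECT as fallback if it is down.
  return INTERNAL_PROXY + "; DIRECT";
}
```

The "; DIRECT" fallback is deliberate: if the proxy behind the tunnel is unreachable, the engine moves on to a direct connection instead of failing the request outright. Whether that fallback is acceptable for general web traffic is a policy decision; the gateway and IdP entries are the part that matters for the login sequence described above.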