Jakub132620
Explorer

Remote Access VPN and SAML with Entra ID

Dear Community,

 

I have a 9000 series security gateway running version 81.20. Our users authenticate to remote access VPN via SAML (Entra ID).

Auth works fine, but we are facing a problem with Access Roles and policies. I can see the source user in the logs, but the traffic didn't match the rule with the access role where the user account is present.

We have policies with an Access Role, and in this object are users from Entra ID.

In Entra we have two applications: the first from the gallery, "Checkpoint Remote Secure Access VPN", for SAML auth, and the second a custom app used as the Azure AD object in SMS.

The main problem is the situation where we have a rule with an access role, and this access role has a user account from Azure AD, but traffic from the user didn't hit the expected rule and goes to the cleanup rule.

To integrate Remote Access VPN and Entra ID through SAML we followed this video https://www.youtube.com/watch?v=yZVB3sJ3fZ8

We did almost everything from this post https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-and-EntraID-Group-Authorization...

In one access role we have one user, but in the future we will be adding groups. In the logs I can see the source user in the format name@domain

 

Does anyone know what the potential problem could be?

 
