Dear Community,
I have a Security Gateway 9000 series running version 81.20. Our users authenticate to Remote Access VPN via SAML (Entra ID).
Auth works fine, but we are facing a problem with Access Roles and policies. I can see the source user in logs, but traffic didn't match the rule with the Access Role where the user account is present.
We have policies with an Access Role, and in this object there are users from Entra ID.
In Entra we have two applications: the first from the gallery, "Checkpoint Remote Secure Access VPN", for SAML auth; the second a custom app used as the Azure AD object in SMS.
The main problem is the situation where we have a rule with an Access Role, and this Access Role has a user account from Azure AD, but traffic from the user didn't hit the expected rule and goes to the cleanup rule.
To integrate Remote Access VPN and Entra ID through SAML we followed this video: https://www.youtube.com/watch?v=yZVB3sJ3fZ8
We did almost everything from this post: https://community.checkpoint.com/t5/General-Topics/Remote-Access-VPN-and-EntraID-Group-Authorization...
In one Access Role we have one user, but in the future we will be adding groups. In logs I can see the source user in the format name@domain.
Does anyone know what the potential problem could be?
Access Roles are calculated based on groups the user is a part of.
For on-premise AD, they are fetched via LDAP.
For EntraID, they are passed as part of the SAML assertion and the gateway must be configured to recognize them.
If there are no groups, then the role is calculated as "All Users."
Which means you cannot allow access to only a single user UNLESS they are a member of a group that only contains them as a member.
Are you able to attach a screenshot of the rule? Please blur out any sensitive data.
Hi,
screenshots of the rule and the Access Role are below.
Are there any hits on that rule at all?
Not now. There were hits when I didn't have an Access Role with the user from AD in the source. This is the main problem. I successfully authenticate to VPN via SAML, but traffic doesn't hit my rule.
Do you see anything when you run pdp monitor user and then that username? If not, then that's your issue. However, if you do see results, maybe try: disable the rule, install policy, re-enable, install again, test.
Below is the output from the pdp command executed on the firewall.
I tried your suggestion but without effect. In my opinion the user in the Access Role is not mapping to the user from VPN authentication. But I don't know why.
I think I know why. I saw somewhere that the name has to start with ext and that is a requirement. Let me see if I can find it.
@Jakub132620 Sorry, my bad, the name does not have to start with that, but it seems it should match what you have on the Azure side, so can you give it the same name that starts with aad?
How can I check this?
In Entra I can see the same user.principalname as in on-prem AD.
In SmartConsole, create an internal User Group object with this name (case-sensitive, spaces not supported):
EXT_ID_<Name_of_Role>
For example, for a role in the Identity Provider's interface with the name my_group, create an internal User Group object in SmartConsole with the name EXT_ID_my_group.
Right, I recall seeing that, but can't find official documentation where it states to do so...
Just spoke with a colleague and he said that's how he did it for a customer and it did work; it was not necessarily in any doc.
What is the Access Role referring to here, a specific user?
Yes, currently in the Access Role I want to add a single user from Entra. Is it possible?
> Access Roles are calculated based on groups the user is a part of.
> For on-premise AD, they are fetched via LDAP.
> For EntraID, they are passed as part of the SAML assertion and the gateway must be configured to recognize them.
> If there are no groups, then the role is calculated as "All Users."
> Which means you cannot allow access to only a single user UNLESS they are a member of a group that only contains them as a member.
That's it, you got it! I actually went through my notes I had about it and saw my colleague wrote a doc indicating the same, even if it's a single user.
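To make the two points above concrete (roles are derived from the group claims in the SAML assertion, and each Entra group must have a matching EXT_ID_<Name_of_Role> user-group object in SmartConsole), here is an added example, not code from Check Point or from anyone in this thread. It parses a constructed assertion, extracts the group claim, and mirrors the role-matching logic described in the thread; the group claim URI and the object names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed: the default Entra ID group claim name. Your app's claim may differ.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion (not a real capture). A real assertion must be
# signature-checked by the gateway before any claim in it is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>vpn_admins</saml:AttributeValue>
      <saml:AttributeValue>vpn_users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, [group names]) from the assertion's group claim."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
    return name_id, groups


def ext_id_object(group):
    """SmartConsole user-group object name expected for an IdP group."""
    return "EXT_ID_" + group


def validate_ext_id_name(name):
    """Object names are case-sensitive and may not contain spaces."""
    return name.startswith("EXT_ID_") and " " not in name and len(name) > len("EXT_ID_")


def matching_roles(groups, access_roles):
    """access_roles maps role name -> set of user-group object names.
    No group claims means the identity resolves to "All Users", so only a role
    built on All Users can match; otherwise an exact (case-sensitive) EXT_ID_
    object name must appear in the role."""
    wanted = {ext_id_object(g) for g in groups}
    return [role for role, objs in access_roles.items()
            if "All Users" in objs or (objs & wanted)]
```

Running `matching_roles` with a role that names `EXT_ID_VPN_Users` while the assertion carries `vpn_users` shows the case mismatch silently falling through to the cleanup rule, which is the symptom described in the thread.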
Are you utilising on-prem AD as well or pure Entra?
Hi, we are using on-prem AD and Entra ID.
Also, make sure to follow these:
I read the article you linked to. However, there's one point I don't understand. In the "Configuration in Microsoft Azure Portal" section, we create a custom application for downloading users.
My application was created according to point 1. However, I'm having trouble with point 2.
When I go to the Single Sign-On tab in my application and select SAML, I can't select specific claims because the first step in the application requires configuring the Basic SAML configuration section. I configured the Basic SAML configuration section in the Checkpoint Remote Secure Access VPN application from the gallery, which is used for VPN authentication via SAML.
Mind pasting part you are referring to?
Configuring SAML as a Single Sign-On for your Azure application
Click on Home and select Azure Active Directory from the menu.
Click on Enterprise applications and go to All applications.
Select your application.
The application Overview window opens.
Click Single Sign-On.
Select SAML as the Single Sign-On method.
In the Set up Sign-On with SAML window, go to the User Attributes & Claims section and click the pencil icon to edit the claims.
The User Attributes & Claims window opens.
In the Required claim section, click Unique User Identifier (Name ID).
In the Manage claim window:
Attribute option - Select.
Source Attribute drop-down menu - Select user.localuserprincipalname.
Click Save to save the user claims, then close the window.
Back on the SAML Signing Certificate page, go to the Federation Metadata XML file and click Download.
The Federation Metadata XML is downloaded.
I can't set the appropriate claim because, as I wrote above, the first step in the application requires configuring the Basic SAML configuration section. I configured the Basic SAML configuration section in the Checkpoint Remote Secure Access VPN application from the gallery, which is used for VPN authentication via SAML.
I see. That link is what we always give to customers if there is an issue, though we help them with the setup. Might be worth opening TAC case then.
cluster object > VPN Clients > Authentication > Multiple Authentication Client Settings > Edit the IDP object > User Directories: can you confirm the settings there?
Is External user profiles enabled?
Also, under Identity Awareness, is Remote Access checked?
1) Claim config in the Checkpoint VPN application
2) Options in authentication
3) Identity Options
Are you able to enable LDAP users (all gateways or specific) and set the LDAP lookup type to User Principal Name/UPN (UserPrincipalName)?
We changed our settings, but it didn't help.