tecnico
Participant

Remote Access VPN with AWS Identity Center SAML

Hi, I am going to explain to you what we need: I have followed the procedure outlined in the following link to create the application in the Identity Center: https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html. Additionally, I have followed a similar procedure to integrate it with the Checkpoint VPN as described here: https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/. In relation to Checkpoint, I have used the procedure provided in this document: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...

Specifically, I am unsure about step 6 mentioned by Checkpoint, which involves Checkpoint accessing the user database in the Identity Center through the established connection. The excerpt from step 6 is as follows:

Step 6: Configure the Group Authorization

Authorization is applicable to the following types of groups:

Identity Provider groups: These groups are sent by the Identity Provider.
Internal groups: These groups are received from User Directories configured in SmartConsole.

To configure the Identity Provider groups:

Within the Identity Provider interface, configure roles.
Within the Identity Provider interface, set up a SAML claim on the Identity Provider.
In SmartConsole, create an internal User Group object with the following name (case-sensitive): EXT_ID_<Name_of_Role>. For example, if there is a role named "my_group" in the Identity Provider's interface, create an internal User Group object in SmartConsole with the name "EXT_ID_my_group".

Please note that Identity Tags are not supported for Remote Access connections. Identity Provider groups and Internal groups (e.g., LDAP) are utilized for authorization.

There are two types of authorization:

Remote Access VPN Community: This grants users access to the Remote Access VPN. For more information, refer to the User and Client Authentication for Remote Access documentation.
Access Roles (requires the Identity Awareness Software Blade): This grants access to users based on policy rules and user identities. For more details, please refer to the R81.10 Identity Awareness Administration Guide, specifically the section on "Creating Access Roles."

To apply authorization through Remote Access VPN, add the relevant group to the Remote Access VPN.

To apply authorization through Access Roles, add the applicable group to an Access Role in the Access Control Policy.

The purpose of this configuration is to allow users connecting to the Checkpoint client VPN to log in with users from the Identity Center and utilize two-factor authentication for VPN access.


Thanks for all.

4 Replies
PhoneBoy
Admin

With SAML authentication, the user’s groups are passed to the gateway as part of the SAML assertion (if the IdP is configured correctly).
In order for Check Point to utilize these groups, you must create local groups named EXT_ID_GroupName where GroupName is the case sensitive name of the group as defined in the IdP.
These groups can be assigned to Access Roles.
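
The group flow described in the reply above, as an added example that is not from the original thread or from Check Point or AWS: a constructed SAML assertion fragment is parsed, the group values are mapped to the EXT_ID_<Name_of_Role> object names the gateway looks up, and the result is compared case-sensitively against the User Group objects an admin has created in SmartConsole. The attribute name "groups" and the sample group names are assumptions; use the attribute name actually mapped in the IdP application.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from a real IdP).
# The attribute name "groups" is an assumption: use whatever attribute
# name you mapped in the IdP application and in the gateway's SAML settings.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>my_group</saml:AttributeValue>
      <saml:AttributeValue>VPN-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_groups(xml_text, attr_name="groups"):
    """Return the group values carried by the named SAML attribute."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def expected_group_objects(groups):
    """Map IdP group names to the SmartConsole User Group names the gateway looks up."""
    return ["EXT_ID_" + g for g in groups]


def check_group_objects(groups, configured):
    """Compare expected EXT_ID_ names with configured SmartConsole groups, case-sensitively.

    A case-only difference is reported separately, because the gateway match
    is case-sensitive and this is the mistake that is hardest to spot by eye.
    """
    report = {}
    by_lower = {c.lower(): c for c in configured}
    for name in expected_group_objects(groups):
        if name in configured:
            report[name] = "ok"
        elif name.lower() in by_lower:
            report[name] = "case mismatch: found " + by_lower[name.lower()]
        else:
            report[name] = "missing"
    return report
```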

tecnico
Participant

Hi,


Yes, I know this and I have created the rule and the group exactly.

But I don't know how to do the AWS side.


Thanks for all.

tecnico
Participant

Hi,


Could someone help me with the AWS side please?

PhoneBoy
Admin

Not sure anyone in the community has configured this, or at least I haven't seen any threads related to this beyond yours.
