@PhoneBoy Here is the output of my testing:
1- I did create a local group, added to it the LDAP group with the same name and external (generic*) inside, and then added that local group to the access role, and that failed.
2- Made the local group alone with no groups inside and still no difference (if Check Point matches by name only); I put only the LDAP group inside and in access roles, still no luck.
3- Created an identity tag with the same name; I validated that the name from the SAML assertions is correct. So right now the access role has 3 entries, one for the local group with the same name with no groups inside, one identity tag with the same name and one LDAP group with the same name, and it still fails.
4- When I tested this in Mobile Access I added 3 separate rules, 2 each for specific groups (including local and LDAP) and a third for external (generic*), each having a unique website to identify which matched which after authentication, and I can tell you the external is the only one that worked. Please find screenshots of the configuration I have in my test lab.
Not sure what else to test, or I might be doing something wrong in between. So as far as I am experienced with Check Point, I know every feature needs a trigger to work. In Fortinet for example, I need to create a match for the SAML assertion group name one by one if I want to; in Check Point, is there such a feature to enable it to match with what it gets in group_attr? Maybe that's the trick? I appreciate your feedback in advance!
-- Dawoud