Ave_Joe
Collaborator

SAML Re-authentication Prompt During Secondary Connect – Configuration Inquiry

Remote Access VPN Setup

  • The Remote Access VPN community consists of 12 gateways.

  • Users typically connect to the primary gateway in the U.S. data center, which issues Office Mode IP addresses.

  • The VPN client utilizes Secondary Connect to reach resources behind other gateways in the community.

  • All gateways are configured for SAML-based Single Sign-On (SSO) using Microsoft Entra ID.

Issue

When a user accesses a resource behind a Secondary Connect gateway, the VPN client triggers a new SAML authentication flow. This opens the user's default browser and starts the SSO process again.

The repeated SAML prompt confuses users and interrupts their tasks, leading to a frustrating VPN experience and reduced productivity.

Question

Is there a configuration that would allow the VPN client to reuse the initial SAML authentication and avoid triggering a new browser-based authentication prompt when accessing resources behind a Secondary Connect gateway?

Could a single Remote Access identity provider configuration be applied across all 12 participating gateways to streamline the authentication process and eliminate redundant prompts?


0 Kudos
7 Replies
PhoneBoy
Admin

If you've configured things per either sk180948 or sk182042, you'll need to undo this configuration since the gateway sends an attribute to force reauthentication, which will also apply to Secondary Connect.
However, this creates a situation where if the user is authorized on the machine (i.e. with Entra ID) and the timeout hasn't expired, they will be able to connect to the VPN without authentication.
Whether this works the same way with Secondary Connect is a separate question.

If your environment is complex enough that Secondary Connect is needed, Harmony SASE might be worth exploring.
Not sure if Infinity Identity will help with this use case, but it will definitely centralize the configuration.

0 Kudos
PhoneBoy
Admin

Until we can support this use case with Secondary Connect, it might provide a better user experience to disable Secondary Connect.
Traffic will be tunneled from whatever gateway the user connects to when Secondary Connect is disabled.

See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 

0 Kudos
Royi_Priov
Employee

Hi @Ave_Joe ,

I will start with a disclaimer that I'm not well familiar with VPN internal flows.

However, my assumption is that the issue you are facing is caused by the fact that the SAML configuration in Quantum requires a different application on the Entra side, and is considered a separate "service". It means each gateway acts as a different service, therefore there is no reuse of the SAML authentication.

In R82, we have introduced a new SAML I/S powered by Infinity Identity. Once you configure the Entra ID integration in Infinity Portal, it is automatically replicated to your Quantum management (a prerequisite for this is a trust between the Quantum management and Infinity Portal, under "Infinity Services"). In this scenario, Infinity services are the "service provider" and the gateways consume the SAML authentication result from Infinity.

After explaining this, a few notes:

  1. This I/S is currently consumed by Identity Awareness only. There is a planned effort to join VPN clients to this I/S, but I don't know the ETA for this. You are welcome to contact your SE and open an RFE to get official answers from the relevant owners.
  2. This I/S will require R82 management and gateway (once step #1 is finished for VPN clients).


I hope it helps.


Thanks,
Royi Priov
R&D Group manager, Infinity Identity
0 Kudos
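PhoneBoy's first reply (an attribute in the request that forces reauthentication) and Royi's explanation (each gateway is its own SAML service provider, so there is nothing for the IdP to reuse) both describe things an administrator can verify from a browser network trace of the login redirect. In SAML 2.0 terms the standard way to force a fresh login is the ForceAuthn attribute on the AuthnRequest, and the service provider identifies itself in the Issuer element. The following Python script is an added example, not code from this thread or from Check Point: it decodes HTTP-Redirect-binding SAMLRequest parameters, reports the Issuer and ForceAuthn value of each, and groups them by issuer so you can see how many distinct service providers your gateways present to Entra ID. It works on any SAML 2.0 AuthnRequest, not only those from VPN gateways. The gateway entity IDs, the tenant path and the request IDs are constructed sample values; the assumption that Check Point's forced reauthentication appears as ForceAuthn="true" is mine, so confirm it against a real trace.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

# Namespaces used by SAML 2.0 AuthnRequests.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def encode_redirect_request(xml_text: str) -> str:
    """Encode an AuthnRequest as the HTTP-Redirect binding does:
    raw DEFLATE (no zlib header, wbits=-15) followed by base64.
    Only used here to build the constructed sample URLs below."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_request(saml_request_param: str) -> str:
    """Reverse of the above: base64-decode, then raw-inflate to XML text."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15).decode("utf-8")


def inspect_authn_request(xml_text: str) -> dict:
    """Return the fields that matter for the reauthentication question:
    which SP sent the request (Issuer) and whether it demands a fresh login
    (ForceAuthn). A missing ForceAuthn attribute defaults to false per spec."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    force = root.get("ForceAuthn", "false").strip().lower() == "true"
    return {"issuer": issuer, "force_authn": force, "id": root.get("ID", "")}


def inspect_redirect_url(url: str) -> dict:
    """Pull the SAMLRequest query parameter out of an IdP redirect URL
    (as copied from the browser's network tab) and inspect it."""
    qs = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in qs:
        raise ValueError("no SAMLRequest parameter in URL")
    return inspect_authn_request(decode_redirect_request(qs["SAMLRequest"][0]))


def summarize(urls) -> dict:
    """Group observed requests by SP entity ID. One entry per gateway means
    the IdP sees each gateway as a separate service provider; any entry with
    force_authn=True will always produce a new login prompt."""
    summary = {}
    for url in urls:
        info = inspect_redirect_url(url)
        entry = summary.setdefault(info["issuer"], {"requests": 0, "force_authn": False})
        entry["requests"] += 1
        entry["force_authn"] = entry["force_authn"] or info["force_authn"]
    return summary


def _sample_request(entity_id: str, force_authn: bool, req_id: str) -> str:
    # Constructed AuthnRequest, minimal but well-formed.
    force_attr = ' ForceAuthn="true"' if force_authn else ""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{req_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{force_attr}>'
        f"<saml:Issuer>{entity_id}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


# Constructed sample: a primary gateway that forces reauthentication and a
# Secondary Connect gateway that does not. Hostnames are placeholders.
_IDP = "https://login.microsoftonline.com/example-tenant-id/saml2?SAMLRequest="
SAMPLE_URLS = [
    _IDP + quote(encode_redirect_request(
        _sample_request("https://vpn-us.example.com/saml", True, "_req1")), safe=""),
    _IDP + quote(encode_redirect_request(
        _sample_request("https://vpn-eu.example.com/saml", False, "_req2")), safe=""),
    _IDP + quote(encode_redirect_request(
        _sample_request("https://vpn-us.example.com/saml", True, "_req3")), safe=""),
]

if __name__ == "__main__":
    for issuer, entry in summarize(SAMPLE_URLS).items():
        print(f"{issuer}: {entry['requests']} request(s), ForceAuthn={entry['force_authn']}")
```

To use it on a real environment, copy the IdP redirect URL the client opens in the browser for the primary gateway and again for a Secondary Connect gateway, and pass both to summarize(). Two issuers means two service providers on the Entra side, which is the situation Royi describes; ForceAuthn=True on either is the attribute PhoneBoy refers to, and removing it trades the repeated prompt for the silent-reconnect behaviour he warns about.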
PhoneBoy
Admin

I wasn't sure if the different "Service Providers" (in SAML terms) would allow credential reuse; thanks for confirming it doesn't.
That suggests @Ave_Joe that your requirement can't be met today with Quantum Security Gateways.
However, it does sound like it will be possible in the future.

Harmony SASE can support this use case today.

0 Kudos
Ave_Joe
Collaborator

Oh bother! 
I kind of figured that would be the case.

Moving this service to Harmony SASE is not an option as that would require additional licensing which is outside the scope of what is trying to be done at this time.

Cheers!

0 Kudos
Ave_Joe
Collaborator

Thank you for the response.
I was hoping there might be a viable solution, but we’ll continue to monitor for new features or updates that could help improve the user experience moving forward.

0 Kudos
CheckPointerXL
Advisor

Hey,

any news on this?

0 Kudos
