I believe you'll have to create the IdP object multiple times, but you should be able to refer to the same IdP for both.
The reason for that is that the different services (Mobile Access versus Remote Access) have different return URLs. 

Per the SK:

• R80.40 Jumbo Hotfix Take 119 or higher is needed if the same Identity Provider is to be used for multiple blades (Mobile Access, Remote Access, Identity Awareness).

But when creating an Identity Provider in R81 (JHF 42), I have to pick the service for the IdP, and when setting up the IdP for the VPN Client -> Authentication, it will only show an IdP that is defined for Remote Access.

So that comment in the SK is confusing.

Right, you'll have to define that IdP twice (one for Remote Access, one for Mobile Access).

Per sk172909, it has this statement:

• R80.40 Jumbo Hotfix Take 119 or higher is needed if the same Identity Provider is to be used for multiple blades (Mobile Access, Remote Access, Identity Awareness).

But that doesn't appear to apply to the R81 release yet, correct?

The first release to have Remote Access SAML functionality was R80.40 via the JHF.
Looks like this issue was addressed shortly after that.
It took a few months before the functionality appeared in R81 and R81.10 where I assume they addressed this limitation prior to releasing it into the JHF stream.

At least that's how I interpret the situation.

is there a way to just have the gateway stop the reauthentication process at the end of the remote VPN timeout.  This is where our experience starts to get squirrely. Depending on the token/session timeout a user could receive different challenges.   If we could have the gateway stop the re-authentication at the end of the VPN connection time would solve this. (Background information about my questions is below) 

We are using Microsoft as our IDP, there appears to be a mix of how folks are being prompted for their passwords and their MFA challenge.  We utilize a hybrid AD environment which has Azure joined workstations, the session token time outs can change depending on when someone logins, locks their workstations or utilize their Microsoft MFA in another solution, like our cloud ESG.  These particular interactions will change the session and token time outs, which we believe will confuse some of our users.  We are engaging our gateway support firm to help understand if there are additional configurations available that can make the experience consistent? So far there does not seem to be anything available.

One thing we have noticed is that folks that utilize their 2factor with the MS authentication app or receive a phone call will be challenged again.  When the VPN client time out is reached these folks would receive another password prompt or another MFA prompt. The password challenge is not the concern, as it just waits for input on the workstation.  The concern is with the MFA challenge, as the user may just approve an MFA request out of the blue which could be a security issue or just confuse them and increase Helpdesk calls.

Thanks!

@JT_Ohio - you mean cancelling the reauthentication altogether? this will cause the remote client to disconnect and require it to connect again.

@Anat_Bar-Anan - Yes, if there is a way to cancel the re-authenticate altogether. Yes we do not want the client to start re-auth process.  Our time out is rather long so this would not interfere with a users workday experience.  Please let me know if there is a way to do this on this on the gateway or VPN client.

Keep in mind these features were added effectively post-release, so the number of changes we could do in the actual JHF was limited.
I suspect these steps won't be required in R81.20, where this feature is expected to be integrated.

As for using "literal" IE, even though it is deprecated for most end user usage, I believe many apps still use this component in the OS.
Not sure what the technical reason is for using it over, say, the end user's preferred external browser. 

Completely understand.  I am just trying to provide feedback in the hopes the the final product will actually be usable in a production environment.  And with IE11 being removed from Win10 by a number of enterprises, it would be in the best interest of Check Point and it's customers if you supported other options.

Hopefully the developers will figure out how to use the default browser as defined by the user, that or ensure proper support for key security protocols in the embedded browser and testing it with the top SAML providers in the market (MS, Okta, Ping, etc.) to be sure that it is fully supported.  I'd actually prefer that the client have an embedded browser that works the same across platforms and fully support necessary security protocols and APIs.  I would have thought that they would use the Chromium/WebKit engine as it is cross-platform and just strip out unnecessary features that could represent security issues.

I fully agree with you! Just tested this and without support for WebAuthN/FIDO2 this will be useless for many of our customers. Besides the lack of support of these techniques, using an old IE engine also causes a misformed IDP login page UI (background image is not loaded) in our setup. Hopefully development finds a way to move to default browser.

In order to use such default browsers as Chrome, FF or Edge you can set the "idp_browser_mode" parameter in trac.defaults to "default_browser" and restart TracSrvWrapper service. If you need to modify this parameter centrally for all users, you have two options:

1. Prepare custom installer with  help of VPN Configuration Utility
2. Modify trac_client_1.ttm on gateway and add following parameter

:idp_browser_mode (
    :gateway (
        :default (default_browser)
    )
)

Save file and install policy. Do not forget to backup trac_client_1.ttm before any changes.

@AndreiR - Thank you for that setting.  I just tested changing the setting in Trac.defaults on Mac (E85.30 Build 986200317) and can confirm that it opens the page in my default browser (Chrome) which supports WebAuthN with Okta.  I still haven't tried it in the trac.client_1.ttm file, which would be a lot easier as it's how we configure MEP for our clients today.

Are there other settings in trac_client_1.ttm that you can point us to?

Hi @Heath_H 

Good to hear that your tests are successful!

Just tested by changing trac_client_1.ttm but without success. I am using VSX R81.10 (no jumbo) with Harmony Endpoint E85.40.
I will dive in further tonight.

Leon

I'm testing on R81.  I tried going to R81.10, and it didn't go well so I reverted to R81, which was much more stable for me.

I'll try testing via the trac_client_1.ttm file as well and see if I can get it working or not and report back.

heath

I can get it working only when changing trac.defaults on client, just like you.

I've changed:

idp_browser_mode STRING embedded GW_USER 1

to:

idp_browser_mode STRING default_browser GW_USER 1

Any word from CP devs on if/when we will be able to configure that setting via the trac_client_1.ttm file on the server/gateway?  Asking users to manually edit that file is a non-starter in a corporate environment, and I haven't seen documentation on editing it in the DMG/installer file like you can do with the Windows client (build a custom MSI).

Hi @Heath_H ,

Please follow item #2 from my comment (https://community.checkpoint.com/t5/Remote-Access-VPN/SAML-Support-for-Remote-Access-VPN/m-p/132996/.... Do not forget to save trac_client_1.ttm and install policy.

VPN client will receive idp_browser_mode parameter upon next connection to your gateway. The setting will have effect starting the second connection.

Hi AndreiR,

That is exactly what I did.

I performed the following steps:

• changed OBSCURE_FILE in trac.defaults to 0 in order to make trac.config readable
• added the property to trac_client_1.ttm on the gateway and did a policy install
• reconnected the client and successfully verified that the idp_browser_mode property was added to the trac.config and set to default_browser

result: client keeps on using the embedded browser

Additional steps taken:

• modified idp_browser_mode proaperty in trac.defaults from embedded to default_browser

result: client uses default browser

Seems like the client ignores the property from the gateway at all.

Versions used:
Gateway: R81.10 (VSX)
Client: Harmony Endpoint E85.40

UPDATE: I have the exact same behavior when using standalone VPN client: Check Point Mobile for Windows E86.00.
UPDATE 2: Same goes for Endpoint Security VPN E86.00
UPDATE 3: Also tested a freshly installed non-VSX gateway but without success

Leon

Hi @leonfranken ,

There might be a bug in SAML implementation. I will assign engineer to double-check it.

Hi @AndreiR 

Thanks for your update, just let me know if I can assist with anything.

Leon

Hi @AndreiR 

Do you have an update regarding this issue?

Thanks,
Leon

In case anyone else finds this thread and are wondering about the state of this issue, I got this response from Check Point Support: 

"I got confirmation from R&D Team that changing idp_browser_mode via the trac_client_1.ttm file is not yet supported and there is no centrally managed way to introduce this parameter change. This option is set be implemented in 2023."

For mobile clients, we are generally wrappers for the built-in VPN functionality provided by the OS.
Which may prevent us from implementing this functionality on mobile devices.

Thanks @PhoneBoy  . We had Cisco Any Connect prior and utilized SAML with Azure MFA.  Loosing this functionality is difficult..We will look at other options.. Thanks! 

adding to @PhoneBoy, a solution we've suggested to customers involves MDM compliance checks and capsule VPN (for Android) or Capsule Connect (for iOS). if you'd like to read about it - please refer to sk98201(MDM Cooperative Enforcement for Mobile clients), and if you're working with MS Intune, you can also have a look at sk170415 (Capsule Connect iOS MDM CE in Intune) , and sk170320 (Capsule VPN setup in Intune MDM)