That’s a good question.
@AndreiR do you know?

@PhoneBoy  I don't know for sure. Better check with gateway team.

We checked this and confirmed that this will only work where the gateway has exactly the same authentication factor/factors as the realm on the primary gateway.
This is by design. 

Understood, thank you for looking into it!

Hi,

thanks for your question.

To be able to configure SAML for VPN RA, you'll need to also upgrade your MGMT to the JHF.

As for R81 - feature is planned to be available in next R81 JHF - currently scheduled for end of July. 

I have management with R81 latest jumbo hotfix and Gateway R80.40 take 141. I think the management is the problem then. will have to wait for the new JHF of R81

updating that next R81 JHF scheduled to mid-end of August

Currently as per sk172909 for SAML Authentication Configuration you require the following: 

1. Check Point Security Gateway running R80.40 Jumbo Hotfix Accumulator Take 114 or higher.
2. Check Point Security Management running R80.40 Jumbo Hotfix Accumulator Take 114 or higher.
3. Endpoint Security Client for Windows (starting from version E84.70 build 986102705), or  macOS Endpoint Security Client version that can be downloaded here: (Endpoint Security VPN).
4. The latest Smartconsole Build for R80.40 Build 423 or higher. Without this the portal page won't be visible. Refer to sk165473 for more details. 
5. If your MGMT server is on R81 or R81.10 the Portal Page will not be visible. Both the Gateway and Mgmt Server need to be on R80.40. Integration seems to be only for R80.40 Gateways, Cluster's and VSX currently. 

@meeruji  - any updates on the version of the VPN client for macOS?  Especially when SAML support will go mainstream for macOS like it has for Windows?

The version on that linked page is based on E84.30, which has a bug that causes the client to drop the tunnel after successful re-authentication.  It was fixed in the E84.70 release of the client.  So if I want SAML support to improve user experience, I have to negatively impact user experience by introducing a bug in the client.

The macOS version at the link you provided is almost 6 months old now.

E85.30 should have this functionality.
At this writing, the clients are in Early Availability.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

Without validating the CRL there is no way for the client to know if the remote certificate should be trusted as it could have been revoked.
Even if it is possible (don’t believe it is) it’s not recommended to disable this check.

Thanks, although it's only the new browser component for SAML doing the CRL check. For non-SAML VPN connections the Endpoint Security client does not complain about being unable to perform a CRL check on the same certificate (e.g. retrieving the site details/policy via HTTPS) - so presumably it is not checking beyond the certificate's CA trust.

Sounds like the easiest option is an external CA cert.

That...could be a bug and might be worth a TAC case.

As far as I know, Remote Access SAML will be added to the R81/R81.10 JHF in the coming weeks.
@Royi_Priov can you speak to the Identity Sharing implications here as the release notes for this mention a planning session with pre-sales?

In regards to role-based access, if you have on-prem AD DCs then just continue using traditional IA for roles (ADQ / Identity Collector). We're matching UPN format SAML logins against ADQ for role-based access, so the same AD roles can be used on any gateway.

Do you know if MAB SNX (ssl vpn) + SAML auth will be supported ?
(legacy portal)

Tim - that was already supported in R80.40.  I can't recall the specifics, but it works pretty well because it's already browser based to login to MAB.

h

The only thing that I can find is this:
How to use SNX with SAML authentication method in Mobile Access (checkpoint.com)

And that is a confusing sk.

I'm using legacy policy, unified is not working for us, too much changes.
If it's supported I need to get TAC involved I guess.

It's basically the same setup method.  Set up the IdP as you normally would, just select "Mobile Access" for the service.  Then on the gateway in Mobile Access, under Authentication, create a new login option.  Select that IdP that you created and then set the rest of the options.  Set the priority of items if you want multiple login options.

That should be all you need to do.

Are you using Legacy policy or Unified Policy?  SNX with SAML requires that you be using Unified Policy (and anything to get off of SmartDashboard is a plus, in my book).

Yeah I know, I did all that 😄
I've read all the sk's for IA and SAML and everything works , except snx wont connect.

When i'm connected to corporate network snx works, when i'm out of the office it wont connect.
Will do so browser debugs tomorrow.

*UPDATE*

Did some browser debugs, and found nothing... just that the process stops, no errors or whatever.
Did cvpnd debug, found nothing....

Decided to delete the whole development domain and start from scratch (since I modified so much with every info I found in all the sk's) and start from scratch.

Setup a VS, created a saml identity provider (updated url's in azure application) and did the MAB setup.
Well what do you know... SNX works 🙄

Now for some stability testing 😏 since the DEV domain was rather new, only thing I also tried was getting Azure user groups to work in MAB.
That didn't work obviously 😁
(maybe that corrupted the mab snx config in some way)