Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
jfernandezm
Participant

VPN Login SAML + local fw login + AD

Hi! We had implemented Checkpoint firewalls with VPN Connections. Recently we implement SAML with AzureAD to secure the VPN Logins without technical issues, its working properly, but we had a issue : If the users change the Login options to user/password, this options works for local logins on Checkpoint and AD.

We need to work only with local fw login and SAML to the users, I understand the AD integration had to be implemented because this is part of the SAML integration, but i don't want to work this to the users to use user+password direct, because this mantains the vulnerability of use this login option.

Another thing I don't mentioned, I can't use ONLY azureAD, because had third part connections than use local login on checkpoint, so I had to mantain this option because had only Azure Users cost much money.

 

Please if you can show me an option to use only SAML to users, and the option User+PASS only works to local login FW, no AD.

Thanks Checkmates!

0 Kudos
7 Replies
_Val_
Admin
Admin

Is it the case when the same user exists in both on-prem and Azure AD?

0 Kudos
jfernandezm
Participant

Yes Val, because the AD is synced with AzureAD, so the accounts was the same.

0 Kudos
_Val_
Admin
Admin

I think this is the issue then. LDAP is checked before Azure, and since the accounts are there, it returns the authentication. See if you can set up your VPN in a way AD is not queried.

0 Kudos
jfernandezm
Participant

Yes, the implementing company is reviewing the configuration to dispense with the local AD. We check and the FW cfg is at 80.40 take 156

0 Kudos
PhoneBoy
Admin
Admin

Users that are authenticating with AzureAD can get group information from Graph API (R81 and above).
Third party users not in AzureAD would obviously need to get their information from a different source (LDAP).

The LDAP portion of the configuration will need to include only the precise branch that includes ONLY your third party users, not the entire AD tree.
Depending on how many third party users are involved, it might be better to locally define each one. 

0 Kudos
jfernandezm
Participant

Hi!!! The third parties only connect with user+pass from checkpoint local login, no need to acces to LDAP login. In the other side the corporative users is needed to use only AzureAD, no LDAP login, otherwise the implementation of SAML AzureAD is useless.

 

Thanks for your help

0 Kudos
PhoneBoy
Admin
Admin

Ok, I'm confused.
If you're using Azure AD (which doesn't require LDAP) for your corporate users and locally defined users for your third party users, how are your Azure AD users just authenticating with username/password without going through the SAML dance?

Do you have an LDAP Account Unit defined?
I imagine you might need that for Identity Awareness.
What authentication methods do you have configured as supported on the relevant gateway object?

Screenshots of everything you've attempted to configure related to this would be exceptionally helpful.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events