This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
j_silva
Contributor
‎2025-01-08 03:45 AM

VPN Remote Access - MFA with SAML and Google Cloud as Identity Provider

Good morning everyone,

I am helping to implement two-factor authentication between Check Point and Google using SAML for Remote Access VPN connections. The Identity Provider settings are configured correctly and the client can successfully connect to the VPN. However, I cannot see the groups that the user belongs to and therefore I cannot create rules based on user groups. I followed this documentation -> https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... (Step 6: Configure the Group Authorization), however, I cannot handle access by groups.
Do any of you have any experience with this type of implementation that you could share?

0 Kudos
6 Replies
AkosBakos
Mentor Mentor
Mentor
‎2025-01-08 04:11 AM

Hi,

If I understood correcly, you have to create manually with EXT_ID_ prefix.

if your grp attribute is "akos", then you need to create an user group with EXT_ID_akos name:

2025-01-08 13_10_11-Cloud Demo Server [ID_726223510]-R81.20-SmartConsole.png

 

  1. In SmartConsole, create an internal User Group object with this name (case-sensitive, spaces not supported):

    EXT_ID_<Name_of_Role>

    For example, for a role in the Identity Provider's interface with the name my_group, create an internal User Group object in SmartConsole with the name EXT_ID_my_group.

    AkosBakos_0-1736338190637.png

     

    Note - In Microsoft AzureIdentity Tags are not supported for Remote Access connections.

 

I hope it helps

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
j_silva
Contributor
‎2025-01-08 04:16 AM
In response to AkosBakos

Thank you very much,

Can you tell me where I can correctly configure the groups parameter in Google Cloud?

I have already tried to do this configuration. I will validate it again and report the results.

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2025-01-08 04:22 AM
In response to j_silva

Hi,

I am not familiar with Google Cloud, maybe the Legends will help 🙂

Have you asked the ChatGPT already?

Ákos

----------------
\m/_(>_<)_\m/
0 Kudos
j_silva
Contributor
‎2025-01-10 04:25 AM
In response to AkosBakos

Hi @AkosBakos 

I have tried to find out this information on ChatGPT but it wasn´t clear for me. Yesterday i had a meeting with TAC e some debugs was collected.

I´ll waiting for the results of analysis and i update this chat as soon as possible.

Thank you.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-08 06:46 PM
In response to j_silva

The relevant groups must be passed as part of the SAML assertion.
In Google Cloud, it looks like you configure this here: https://cloud.google.com/iap/docs/saml-attribute-propagation 

0 Kudos
j_silva
Contributor
‎2025-01-10 04:26 AM
In response to PhoneBoy

Hi @PhoneBoy 

Thanks for documentation. I´ll forward to the customer because i don´t have access on Google plataform.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top