j_silva
Contributor

VPN Remote Access - MFA with SAML and Google Cloud as Identity Provider

Good morning everyone,

I am helping to implement two-factor authentication between Check Point and Google using SAML for Remote Access VPN connections. The Identity Provider settings are configured correctly and the client can successfully connect to the VPN. However, I cannot see the groups that the user belongs to and therefore I cannot create rules based on user groups. I followed this documentation -> https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... (Step 6: Configure the Group Authorization), however, I cannot handle access by groups.
Do any of you have any experience with this type of implementation that you could share?

0 Kudos
4 Replies
AkosBakos
Leader

Hi,

If I understood correctly, you have to create it manually with the EXT_ID_ prefix.

If your group attribute is "akos", then you need to create a user group with the name EXT_ID_akos:

  1. In SmartConsole, create an internal User Group object with this name (case-sensitive, spaces not supported):

    EXT_ID_<Name_of_Role>

    For example, for a role in the Identity Provider's interface with the name my_group, create an internal User Group object in SmartConsole with the name EXT_ID_my_group.

    Note - In Microsoft Azure, Identity Tags are not supported for Remote Access connections.

I hope it helps.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
j_silva
Contributor

Thank you very much,

Can you tell me where I can correctly configure the groups parameter in Google Cloud?

I have already tried to do this configuration. I will validate it again and report the results.

0 Kudos
AkosBakos
Leader

Hi,

I am not familiar with Google Cloud, maybe the Legends will help 🙂

Have you asked ChatGPT already?

Ákos

----------------
\m/_(>_<)_\m/
0 Kudos
PhoneBoy
Admin

The relevant groups must be passed as part of the SAML assertion.
In Google Cloud, it looks like you configure this here: https://cloud.google.com/iap/docs/saml-attribute-propagation 

0 Kudos
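The two points made in this thread (the groups must arrive in the SAML assertion, and SmartConsole then needs a User Group object named EXT_ID_<group> for each of them, case-sensitive and without spaces) as an added worked example that is not part of the thread or of any Check Point tool. It parses a constructed assertion fragment and lists the object names that would have to exist; the attribute name "groups" is an assumption, use whatever name the IdP is configured to emit.

```python
"""Added example: extract the group attribute from a SAML assertion and
derive the EXT_ID_<group> User Group names that would be needed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from a real IdP).
# "groups" as the attribute name is an assumption for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>vpn_admins</saml:AttributeValue>
      <saml:AttributeValue>Remote Users</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_groups(assertion_xml: str, attr_name: str = "groups") -> List[str]:
    """Return every AttributeValue of the named attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            if val.text:
                values.append(val.text.strip())
    return values


def expected_user_groups(group_values: List[str]) -> Dict[str, Optional[str]]:
    """Map each group value to the SmartConsole object name EXT_ID_<value>.
    The name is case-sensitive and spaces are not supported, so a value
    containing whitespace maps to None: no matching object can be created."""
    result: Dict[str, Optional[str]] = {}
    for value in group_values:
        if not value or any(ch.isspace() for ch in value):
            result[value] = None
        else:
            result[value] = f"EXT_ID_{value}"
    return result


if __name__ == "__main__":
    for value, obj in expected_user_groups(extract_groups(SAMPLE_ASSERTION)).items():
        print(f"{value!r} -> {obj or 'UNSUPPORTED (contains whitespace)'}")
```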
