Aaron_Zelechow
Participant

Remote access VPN Saml Authentication with group authorization - Entra ID

Hello All,

I have set up Remote Access SAML authentication via Entra ID on a cluster of 9200 gateways running R81.20.

The users are able to authenticate using SAML authentication with no issue.

For one resource that they need to access, I needed to allow only a group of users to access the resource. I created the group and, using the group.attrib claim in the Entra ID application, I send the relevant group information to the gateways. I then created a rule which allows only that group to access the resource. The group in the gateway is an empty group named EXT_ID_The-ID-number-of-the-group-in-Entra. For most users this works fine. But there are some users for whom it suddenly stops working, and it is not clear to me what has changed. I can add users in Entra ID to the group and they can then access the resource. But the users for whom it has stopped working go directly to the cleanup rule. I see in pdp that the users have the relevant group IDs in their groups field. It is as if, for these specific users, the matching isn't being performed. I have created a new group and added users to it to see if that fixes the problem, but for those workers for whom it has stopped working it makes no difference, and for those workers for whom it is working, it continues to work in the new group as well.


Any ideas on how to proceed? What should I check?

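As an added example that is not from the thread, from Check Point or from the poster's configuration: the script below walks through the group-claim-to-EXT_ID matching the post relies on, run over constructed SAML assertions. The claim names are the ones Entra ID emits in SAML tokens (the groups claim, and the groups.link overage claim Entra substitutes when a user belongs to more groups than the token can carry). The group object IDs, user names, case-insensitive ID comparison and the reason strings are assumptions made for the example, not observed gateway (pdp/pep) behaviour.

```python
"""Added example: parse a constructed SAML assertion, pull the Entra ID groups
claim, and map the group object IDs onto locally defined EXT_ID_<object-id>
groups so that a non-match comes with an explanation."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names Entra ID uses in SAML tokens for group membership and for the
# "groups overage" case (too many groups to list in the token).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
EXT_ID_PREFIX = "EXT_ID_"

# Constructed placeholder group object IDs (assumptions, not real tenant data).
FINANCE_GROUP_ID = "0f3c2b1a-1111-4aaa-9bbb-000000000001"
STAFF_GROUP_ID = "0f3c2b1a-1111-4aaa-9bbb-000000000002"
CONFIGURED_GROUPS = {EXT_ID_PREFIX + FINANCE_GROUP_ID, EXT_ID_PREFIX + STAFF_GROUP_ID}
REQUIRED_GROUP = EXT_ID_PREFIX + FINANCE_GROUP_ID


def build_assertion(name_id, attributes):
    """Build a minimal unsigned SAML 2.0 assertion; attributes is {claim: [values]}.
    Constructed for the example only; a real Entra ID assertion is signed and larger."""
    attrs = []
    for name, values in attributes.items():
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        attrs.append(f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>')
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{''.join(attrs)}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def extract_claims(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def match_ext_id_groups(assertion_xml, configured_groups):
    """Map the groups claim onto EXT_ID_<object-id> groups defined on the gateway.
    The object ID is compared case-insensitively (an assumption of this example)."""
    claims = extract_claims(assertion_xml)
    claimed_ids = {g.lower() for g in claims.get(GROUPS_CLAIM, [])}
    local_by_id = {
        name[len(EXT_ID_PREFIX):].lower(): name
        for name in configured_groups
        if name.startswith(EXT_ID_PREFIX)
    }
    matched = {local_by_id[g] for g in claimed_ids if g in local_by_id}
    diagnostics = {
        "groups_claim_present": GROUPS_CLAIM in claims,
        "groups_overage": GROUPS_OVERAGE_CLAIM in claims,
        "claimed_ids": sorted(claimed_ids),
        "unknown_ids": sorted(claimed_ids - set(local_by_id)),
    }
    return matched, diagnostics


def authorize(assertion_xml, configured_groups, required_group):
    """Decide whether the user may reach the group-restricted resource and say why."""
    matched, diag = match_ext_id_groups(assertion_xml, configured_groups)
    if required_group in matched:
        return True, f"matched {required_group}"
    if diag["groups_overage"]:
        # Entra emits groups.link instead of the group list when the user belongs
        # to more groups than the token can carry; no IDs reach the gateway then.
        return False, "groups overage: token carries a groups.link claim, not group IDs"
    if not diag["groups_claim_present"]:
        return False, "no groups claim in assertion: check the app's group claim settings"
    return False, f"required group not in claimed IDs {diag['claimed_ids']}"


# Constructed sample users (assumptions for the example).
ALICE = build_assertion("alice@example.com", {GROUPS_CLAIM: [STAFF_GROUP_ID, FINANCE_GROUP_ID]})
BOB = build_assertion("bob@example.com", {GROUPS_CLAIM: [STAFF_GROUP_ID]})
CAROL = build_assertion("carol@example.com", {GROUPS_OVERAGE_CLAIM: [
    "https://graph.microsoft.com/v1.0/users/00000000-0000-0000-0000-000000000abc/getMemberObjects"]})
DAVE = build_assertion("dave@example.com", {GROUPS_CLAIM: [FINANCE_GROUP_ID.upper()]})

if __name__ == "__main__":
    for user, assertion in (("alice", ALICE), ("bob", BOB), ("carol", CAROL), ("dave", DAVE)):
        print(user, authorize(assertion, CONFIGURED_GROUPS, REQUIRED_GROUP))
```

When a user who used to match suddenly stops, the two things this check separates are worth looking at first: whether the groups claim is still present in the assertion at all (as opposed to an overage link), and whether the object ID in the claim is byte-for-byte the one after the EXT_ID_ prefix on the gateway.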
3 Replies
simonemantovani
MVP Gold

Hello

Just to better understand: there are some users that are correctly authenticated and also authorized, they are able to access internal resources, and at some point they stop being able to access resources? Am I right?

When I configure SAML I usually create the EXT_ID groups, but I'm setting the group name and not the ID number after the EXT_ID prefix.

If possible, could you post some logs with action:"Log In" for a user with the issue, and some traffic logs as an example?

Aaron_Zelechow
Participant

Hi, that is correct: they are members of a specific group which is authorized to have access to a resource beyond what all the other users are allowed to access. From my understanding of configuring with Entra ID, I need to use the group ID identifier, not the group name, after the EXT_ID prefix, and from what I can see, that is what Check Point is receiving in the SAML token.

Attached is a screenshot of the login of a user who is experiencing the issue, as well as the log showing him being sent to the cleanup rule for the specific resource. You can see in the log that he is part of a group with the EXT_ID prefix. That is the ID of the group with the extra authorization. This worked well for him until 2 days ago, when it stopped. There are a couple of other users this has happened to over the last couple of days.

simonemantovani
MVP Gold

I suppose you created the EXT_ID group empty, as requested by Check Point, and used that group in an Access Role, right?

Could you post the output of this command: pep show user query usr <vpn username>

Thanks.
