HeikoAnkenbrand (Champion)

Identity Awareness - Multiple Identity Sources AD + AzureAD

Is it possible to use multiple identity sources to authenticate users with identity awareness?
Background to this question:

All users should be authenticated using the local AD and a firewall rule should be allowed accordingly.
If the user cannot be found in the local AD, the Azure AD (Entra ID) should be checked to see whether the user can be found there.
In this case, an AzureAD rule should also be activated for the affected user.

Is it possible to have multiple identity sources (AD + AzureAD) with IA at the same time?

If so, is there a PDF or an SK with a sample configuration?

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Accepted Solution

PhoneBoy (Admin)

With Local AD:

  • Identities are acquired from local AD via Identity Collector and/or Identity Agents
  • Gateways will calculate Access Roles via LDAP lookup to AD Server

With Entra ID:

  • Users must be authenticated via Captive Portal on the gateway
  • Groups are read as part of the SAML Assertion returned from Microsoft

It is not technically possible to have one "fail over" for the other.
However, you should be able to leverage both Identity Sources provided you configure the Access Roles correctly.

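As an added example (not code from the original post, and not Check Point's own implementation), the following Python model shows the two acquisition paths PhoneBoy describes side by side: an AD identity whose groups come from an LDAP lookup, and an Entra ID identity whose groups are read from the SAML assertion returned after Captive Portal. The sample assertion, the AD membership table, the rulebase, the group identifiers and the rule that an Access Role only matches an identity from its own source are all constructed assumptions for illustration. The `identity_from_ad` function deliberately returns nothing for a user AD does not know, mirroring the point that there is no automatic fail over to Entra ID.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim type under which Entra ID returns group membership (group object IDs by default).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion (not a real capture). A real gateway reads groups only
# from an assertion whose signature, issuer and audience it has already validated.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the memberOf data the gateway resolves via LDAP against AD.
# The Identity Collector/Agent only reports which user is at which IP; groups come from AD.
AD_MEMBER_OF = {
    "alice": {"CN=Finance,OU=Groups,DC=corp,DC=example"},
}


@dataclass(frozen=True)
class Identity:
    user: str
    source: str          # "ad" (Collector/Agent + LDAP) or "entra" (Captive Portal + SAML)
    groups: frozenset


@dataclass(frozen=True)
class AccessRole:
    name: str
    source: str          # identity source the role is built on (assumption for this model)
    group: str           # AD group DN or Entra ID group object ID


# Hypothetical rulebase: (rule name, access role, action). First match wins.
RULEBASE = [
    ("Allow-AD-Finance",
     AccessRole("AD_Finance", "ad", "CN=Finance,OU=Groups,DC=corp,DC=example"), "accept"),
    ("Allow-Entra-Finance",
     AccessRole("Entra_Finance", "entra", "11111111-1111-1111-1111-111111111111"), "accept"),
]
CLEANUP = ("Cleanup", "drop")


def identity_from_ad(user: str) -> Optional[Identity]:
    """AD path: the Collector/Agent learned `user`; groups are resolved by LDAP lookup.
    Returns None when AD does not know the user. Nothing here consults Entra ID."""
    groups = AD_MEMBER_OF.get(user)
    if groups is None:
        return None
    return Identity(user, "ad", frozenset(groups))


def identity_from_saml(xml_text: str) -> Identity:
    """Entra ID path: NameID and groups are taken from the SAML assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id or not name_id.strip():
        raise ValueError("assertion carries no NameID")
    groups = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.update(v.text.strip()
                          for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text)
    return Identity(name_id.strip(), "entra", frozenset(groups))


def match_rule(identity: Optional[Identity]) -> Tuple[str, str]:
    """First-match evaluation. An Access Role matches only an identity from its own source,
    so an unknown (None) identity falls through to the cleanup rule."""
    if identity is not None:
        for name, role, action in RULEBASE:
            if role.source == identity.source and role.group in identity.groups:
                return name, action
    return CLEANUP


if __name__ == "__main__":
    print("alice via AD:   ", match_rule(identity_from_ad("alice")))
    print("bob via AD:     ", match_rule(identity_from_ad("bob")))        # no fail over
    print("bob via Entra:  ", match_rule(identity_from_saml(SAMPLE_ASSERTION)))
```

Running it shows alice hitting the AD rule, bob being dropped by cleanup when only the AD path has been consulted, and bob hitting the Entra ID rule only once a SAML assertion from Captive Portal is available. That is the configuration shape PhoneBoy describes: two Access Roles, each bound to its own source, rather than one that silently tries the other directory.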
2 Replies
HeikoAnkenbrand (Champion)

That's what I thought. Thanks @PhoneBoy for the answer.

CUT>>>
It is not technically possible to have one "fail over" for the other.
However, you should be able to leverage both Identity Sources provided you configure the Access Roles correctly.
<<<CUT

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips