This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion Champion
Champion
Tuesday
Jump to solution

Identity Awareness - Multiple Identity Sources AD + AzureAD

Is it possible to use multiple identity sources to authenticate users with identity awareness?
Background to this question!


All users should be authenticated using the local AD and a firewall rule should be allowed accordingly.
If the user cannot be found in the local AD, the Azure AD (Entra ID) should be checked to see whether the user can be found there.
In this case, an AzureAD rule should also be activated for the affected user.

Is it possible to have multiple identity sources (AD + AzureAD) with IA at the same time?

If so, is there a PDF or a SK with a sample configuration?

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
Tuesday
Jump to solution

With Local AD:

  • Identities are acquired from local AD via Identity Collector and/or Identity Agents
  • Gateways will calculate Access Roles via LDAP lookup to AD Server

With Entra ID:

  • Users must be authenticated via Captive Portal on the gateway
  • Groups are read as part of the SAML Assertion returned from Microsoft

It is not technically possible to have one "fail over" for the other.
However, you should be able to leverage both Identity Sources provided you configure the Access Roles correctly.

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
Tuesday
Jump to solution

With Local AD:

  • Identities are acquired from local AD via Identity Collector and/or Identity Agents
  • Gateways will calculate Access Roles via LDAP lookup to AD Server

With Entra ID:

  • Users must be authenticated via Captive Portal on the gateway
  • Groups are read as part of the SAML Assertion returned from Microsoft

It is not technically possible to have one "fail over" for the other.
However, you should be able to leverage both Identity Sources provided you configure the Access Roles correctly.

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
yesterday
In response to PhoneBoy
Jump to solution

That's what I thought. Thanks @PhoneBoy for the answer.

CUT>>>
It is not technically possible to have one "fail over" for the other.
However, you should be able to leverage both Identity Sources provided you configure the Access Roles correctly.
<<<CUT

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events