Solved: Identity Awareness using Azure AD

adamhi · ‎2020-05-12

Hi,

Possibly a daft question, but can anyone confirm if IA works against Azure AD as opposed to 'normal' AD? This is for an org that won't have any on prem AD at the end of the implementation.

I've had a look through the deployment guide for the version we would be implementing but it doesn't specifically mention Azure as being OK and I understand from our cloud architects that it's a bit different to AD as I know it.

Thanks in advance.

A.

Royi_Priov · ‎2020-05-12

Hi @adamhi ,

In R80.40, you can use SAML integration with AzureAD for authentication and autorization.

However, in the IDA picker (when you create access roles), you will need to represent the AzureAD objects (users/machines/groups) manually as "Identity Tag" objects.

In R81, the integration of AzureAD in IDA picker will be available, where you can create your AzureAD object and select the objects from AAD same way as you do it on regular AD.

It will be available for EA via R81 EA program. Please contact your local SE for more details.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D

View solution in original post

PhoneBoy · ‎2020-05-12

@Royi_Priov this is still in EA, right?

Royi_Priov · ‎2020-05-12

Hi @adamhi ,

In R80.40, you can use SAML integration with AzureAD for authentication and autorization.

However, in the IDA picker (when you create access roles), you will need to represent the AzureAD objects (users/machines/groups) manually as "Identity Tag" objects.

In R81, the integration of AzureAD in IDA picker will be available, where you can create your AzureAD object and select the objects from AAD same way as you do it on regular AD.

It will be available for EA via R81 EA program. Please contact your local SE for more details.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D

View solution in original post

adamhi · ‎2020-05-13

Thanks gents, much appreciated.

This isn't going to be needed until Q2 2021, so I'm not sure we need to look into EA. I'll let the hierarchy know that it is feasible given current tech stack.

A

Royi_Priov · ‎2020-05-14

Hi @adamhi , by that time you will be able to use the GA of this feature (as part of R81).

Good luck 🙂

Thanks,
Royi Priov
Group manager, Identity Awareness R&D

Martins · ‎2020-08-03

Hi, just the manager needs to use the R80.40 to work with SAML? Or the gateways too?
Thanks!

PhoneBoy · ‎2020-08-03

This requires R80.40+ gateways.

Royi_Priov · ‎2020-08-04

Hi @Martins

I will clarify:

In R80.40 we have added SAML support to IDA captive portal. it means we can use AAD as SAML Identity Provider.
in R81 we have added AzureAD as user directory, which means you can configure entities (users/group/machines) from AAD in Identity Awareness Access Roles objects.

Both features requires both SmartCenter and GW to be in this version.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D

Martins · ‎2020-08-04

Hi @Royi_Priov ,
Thank you for clarify.
Can I use SAML with 3rd party (MFA) as a Identity provider to autenticate the VPN ?

Thanks.

PhoneBoy · ‎2020-08-04

VPN clients currently do not support SAML authentication.
This is planned for a later release.

Paul_Grigg · ‎2020-10-25

R81 IDA admin guide has two videos regarding SAML and Azure AD configuration. (The SAML video was available in R80.40 admin guide.)

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

AntoF

@Royi_Priov - I went through the R81 Identity Awareness admin guide and watched the videos. It shows that it SAML is supported for Captive Portal. Will this also work for the Endpoint Security VPN clients?

PhoneBoy

Just answered this in a different thread where you asked the same question: coming soon.