Hi,
Possibly a daft question, but can anyone confirm if IA works against Azure AD as opposed to 'normal' AD? This is for an org that won't have any on-prem AD at the end of the implementation.
I've had a look through the deployment guide for the version we would be implementing, but it doesn't specifically mention Azure as being OK, and I understand from our cloud architects that it's a bit different to AD as I know it.
Thanks in advance.
A.
Hi @adamhi ,
In R80.40, you can use SAML integration with AzureAD for authentication and authorization.
However, in the IDA picker (when you create access roles), you will need to represent the AzureAD objects (users/machines/groups) manually as "Identity Tag" objects.
In R81, the integration of AzureAD in IDA picker will be available, where you can create your AzureAD object and select the objects from AAD same way as you do it on regular AD.
It will be available for EA via R81 EA program. Please contact your local SE for more details.
@Royi_Priov this is still in EA, right?
Thanks gents, much appreciated.
This isn't going to be needed until Q2 2021, so I'm not sure we need to look into EA. I'll let the hierarchy know that it is feasible given current tech stack.
A
Hi @adamhi , by that time you will be able to use the GA of this feature (as part of R81).
Good luck 🙂
Hi, does just the manager need to be on R80.40 to work with SAML? Or the gateways too?
Thanks!
This requires R80.40+ gateways.
Hi @Martins
I will clarify:
Both features require both SmartCenter and GW to be on this version.
Hi @Royi_Priov ,
Thank you for clarifying.
Can I use SAML with a 3rd party (MFA) as an Identity Provider to authenticate the VPN?
Thanks.
VPN clients currently do not support SAML authentication.
This is planned for a later release.
R81 IDA admin guide has two videos regarding SAML and Azure AD configuration. (The SAML video was available in R80.40 admin guide.)
@Royi_Priov - I went through the R81 Identity Awareness admin guide and watched the videos. It shows that SAML is supported for Captive Portal. Will this also work for the Endpoint Security VPN clients?
Just answered this in a different thread where you asked the same question: coming soon.
Hello !
I am trying to add my Azure datacenter to Check Point, but the below message occurs:
It seems that Check Point cannot establish a connection to Azure. Yes, I have created a custom app in Azure.
Please help. I want to have IDA from Check Point to Azure AD.
Thank you
So…what does it say when you click for details?
In which way does Check Point contact Azure?
Do I have to set a policy for this communication?
I would assume so, yes.
It would be coming from your management in this case, I assume on port 443, to the relevant API endpoint in Azure.
You mean the secure management server as source and destination port 443 to where? Can you give an example, please?
I have already a rule from sms to everywhere.
The traffic from the specific node to Azure is allowed, as is traffic from the management server to the internet. I don't understand why this connection fails.
Please help
Recommend a TAC case here unless @Royi_Priov has other suggestions.
FYI, vSEC is on. I deleted the application from Azure and reinstalled it many times. The Azure application ID, tenant and secret are 100% right. The node has access to Azure services, the SMS has access everywhere. I am on 80.40 with the latest hotfix. I've spent many hours on this with no result.
The connection is not established either with SPN or Azure AD user authentication.
I am 100% sure something is blocking the connection from the Check Point side. Node and SMS are totally allowed for internet access.
Any ideas? How can I debug this connection?
Thanks
Hi,
Usually such messages indicate a connectivity issue from the Management to Azure AD. Are you working with a Proxy server? If so, please verify it is also configured on the Management (GAIA Web UI > Proxy). In case of FQDN or no proxy configuration, make sure DNS is configured. If you are positive there is no connectivity issue and there is connectivity from the MGMT to the proxy/DNS server, please open a ticket in Support to collect debugs for further investigation.
Thanks,
Adi
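The checklist above (proxy setting, DNS, then connectivity from the Management to Azure AD over 443) written out as a pre-flight script. This is an added example, not Check Point tooling or anything posted in the thread; it assumes the connector reaches login.microsoftonline.com and graph.microsoft.com on TCP 443 and that it runs from a Linux host on the same network path as the management server. If a proxy URL is supplied (or found in HTTPS_PROXY), it tunnels through it with HTTP CONNECT, the way a proxied management server would, so a proxy that refuses the tunnel shows up as its own failure stage.

```python
"""Pre-flight check that a management host can reach Azure AD over HTTPS, in the
thread's troubleshooting order: proxy, DNS, then the TCP/TLS connection itself."""
import os
import socket
import ssl
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed endpoints (token issuance and Microsoft Graph), not from Check Point docs.
AZURE_AD_ENDPOINTS = ("login.microsoftonline.com", "graph.microsoft.com")

@dataclass
class CheckResult:
    host: str
    stage: str  # where the check stopped: "dns", "tcp", "tls" or "ok"
    detail: str

def proxy_from_env(env=None):
    """Return the HTTPS proxy URL the environment would apply, or None."""
    env = os.environ if env is None else env
    return next((env[k] for k in ("HTTPS_PROXY", "https_proxy") if env.get(k)), None)

def check_endpoint(host, port=443, proxy=None, timeout=3.0):
    """Resolve host, open TCP (directly or via HTTP CONNECT proxy), complete a TLS handshake."""
    try:
        socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as e:
        return CheckResult(host, "dns", f"resolution failed: {e}")
    p = urlparse(proxy if "://" in proxy else "http://" + proxy) if proxy else None
    target = (p.hostname, p.port or 3128) if p else (host, port)
    try:
        raw = socket.create_connection(target, timeout=timeout)
    except OSError as e:
        return CheckResult(host, "tcp", f"connect to {target[0]}:{target[1]} failed: {e}")
    try:
        if p:  # tunnel through the proxy, as a proxied management server would
            raw.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
            status = raw.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
            if " 200" not in status:
                return CheckResult(host, "tcp", f"proxy refused tunnel: {status}")
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
            return CheckResult(host, "ok", f"{tls.version()} handshake completed")
    except (ssl.SSLError, OSError) as e:
        return CheckResult(host, "tls", f"TLS handshake failed: {e}")
    finally:
        raw.close()

if __name__ == "__main__":
    for r in (check_endpoint(h, proxy=proxy_from_env()) for h in AZURE_AD_ENDPOINTS):
        print(f"{r.host:28} {r.stage:4} {r.detail}")
```

A "tls" stage failure with a certificate error usually means an inspecting proxy is in the path, which is a different fix from the rule-base or DNS problems the thread discusses.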
I just found the solution. Thank you all.
As I said, I am on 80.40 and need help with how to pick users and groups from Azure Active Directory. Identity Tags? Can you give me an example...?
You have to manually define Identity Tags in R80.40 that match the existing Azure AD groups.
In R81, we can fetch the groups from Azure AD.
You mean I have to create an access role and, instead of a group, I'll add an identity tag that has the object identifier of an Azure AD group?
Hi @Netadmin2020 ,
I'm a bit confused. You have pasted a print screen from AzureAD object which was added to R81, but you are now stating you are using R80.40. Can you please explain?
The AzureAD object is used for users and groups auto fetch from the AzureAD directory and placing them in the Access Role object.
The Identity Provider object is used for SAML authentication flows (in R80.40 - IDA captive portal and Mobile Access portal, in the near future also RA VPN client and IDA agents).
If you are running R80.40, only the Identity provider object is needed, and the groups should be created manually as Identity Tag objects.
Thanks for the reply. The version is 80.40 with the latest hotfixes. The Azure AD object (I mean the connector) exists, I have filled in my Azure application info and the connection is OK. That part is for authorization, right? OK, I tried to create a new access role, but in 80.40 it can't "see" the Azure AD.
a) So a non-LDAP user with a device and user from Azure Active Directory will be identified?
b) With identity tags? How can I create an access role that will identify an Azure AD object? With the object identifier of a specific (for example) Azure AD user?
c) Is a policy needed here with the non-LDAP access role as source group and the Azure identity tag inside?
I understand the problem. There are 2 almost identical objects in SmartConsole: "Microsoft Azure" - used for CloudGuard (aka vSEC) and "AzureAD" for Identity Awareness, which was added in R81.
See that my headline is different:
So, there are 2 options using AzureAD:
1. Stay in R80.40, configure Identity Provider object for AzureAD and authenticate users with SAML in IDA captive portal. In Access Role, you will need to use Identity Tag.
2. Upgrade both SmartCenter and GW to R81 and, in addition to the Identity Provider object, configure the AzureAD object for Access Role usage.
For some reason the first picture isn't shown, so I'm posting it again.