adamhi
Explorer

Identity Awareness using Azure AD

Hi,

Possibly a daft question, but can anyone confirm if IA works against Azure AD as opposed to 'normal' AD? This is for an org that won't have any on prem AD at the end of the implementation.

I've had a look through the deployment guide for the version we would be implementing but it doesn't specifically mention Azure as being OK and I understand from our cloud architects that it's a bit different to AD as I know it.

Thanks in advance.

A.

Accepted Solutions
Royi_Priov
Employee

Hi @adamhi ,

In R80.40, you can use SAML integration with AzureAD for authentication and authorization.

However, in the IDA picker (when you create access roles), you will need to represent the AzureAD objects (users/machines/groups) manually as "Identity Tag" objects.

In R81, the integration of AzureAD in the IDA picker will be available, where you can create your AzureAD object and select the objects from AAD the same way as you do it on regular AD.

It will be available for EA via the R81 EA program. Please contact your local SE for more details.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
33 Replies
PhoneBoy
Admin

@Royi_Priov this is still in EA, right?

adamhi
Explorer

Thanks gents, much appreciated.

This isn't going to be needed until Q2 2021, so I'm not sure we need to look into EA. I'll let the hierarchy know that it is feasible given current tech stack.

A

Royi_Priov
Employee

Hi @adamhi , by that time you will be able to use the GA of this feature (as part of R81).

Good luck 🙂

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Martins
Contributor

Hi, does only the manager need to be on R80.40 to work with SAML, or the gateways too?
Thanks!

PhoneBoy
Admin

This requires R80.40+ gateways.

Royi_Priov
Employee

Hi @Martins

I will clarify:

  • In R80.40 we have added SAML support to the IDA captive portal. It means we can use AAD as a SAML Identity Provider.
  • In R81 we have added AzureAD as a user directory, which means you can configure entities (users/groups/machines) from AAD in Identity Awareness Access Role objects.

Both features require both SmartCenter and GW to be in this version.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Martins
Contributor

Hi @Royi_Priov ,
Thank you for clarifying.
Can I use SAML with a 3rd party (MFA) as an Identity Provider to authenticate the VPN?

Thanks.

PhoneBoy
Admin

VPN clients currently do not support SAML authentication.
This is planned for a later release. 

Paul_Grigg
Employee

R81 IDA admin guide has two videos regarding SAML and Azure AD configuration. (The SAML video was available in R80.40 admin guide.)

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

AntoF
Explorer

@Royi_Priov - I went through the R81 Identity Awareness admin guide and watched the videos. It shows that SAML is supported for Captive Portal. Will this also work for the Endpoint Security VPN clients?

PhoneBoy
Admin

Just answered this in a different thread where you asked the same question: coming soon.

Netadmin2020
Contributor

Hello!

I am trying to add my Azure datacenter to Check Point but the below message occurs:

[screenshot: AZURE.JPG]

It seems that Check Point cannot establish a connection to Azure. Yes, I have created a custom app in Azure.

Please help. I want to have IDA from Check Point to Azure AD.

Thank you

PhoneBoy
Admin

So…what does it say when you click for details?

Netadmin2020
Contributor

[screenshot: sa.JPG]

In which way does Check Point contact Azure?

Do I have to set a policy for this communication?

PhoneBoy
Admin

I would assume so, yes.
It would be coming from your management in this case, I assume on port 443, to the relevant API endpoint in Azure.

Netadmin2020
Contributor

You mean the secure management server as a source and destination port 443 to where? Can you give an example please?

I have already a rule from sms to everywhere.

Netadmin2020
Contributor

The traffic for specific node to azure is allowed and from the management server to internet. I don't understand why this connection fails.

Please help

PhoneBoy
Admin

Recommend a TAC case here unless @Royi_Priov has other suggestions.

Netadmin2020
Contributor

FYI, vSEC is on. I deleted the application from Azure and reinstalled it many times. The Azure application ID, tenant and secret are 100% right. The node has access to Azure services, the SMS has access everywhere. I am on 80.40 with the latest hotfix. I've spent many hours on this with no result.

Netadmin2020
Contributor

The connection is not establishing either with SPN or Azure AD user authentication.

[screenshot: az.JPG]

I am 100% sure something is blocking the connection from the Check Point side. Node and SMS are totally allowed for internet access.

Any ideas? How can I debug this connection?

Thanks

Adi_Babai
Employee

Hi,

Usually such messages indicate a connectivity issue from the Management to Azure AD. Are you working with a proxy server? If so, please verify it is configured also on the Management (GAIA Web UI > Proxy). In case of FQDN or no proxy configuration, make sure DNS is configured. If you are positive there is no connectivity issue and there is connectivity from the MGMT to the proxy/DNS server, please open a ticket with Support to collect debugs for further investigation.

Thanks,

Adi

Netadmin2020
Contributor

I just found the solution. Thank you all.

As I said, I am on 80.40 and need help on how to pick users and groups from Azure Active Directory. Identity Tags? Can you give me an example...?

PhoneBoy
Admin

You have to manually define Identity Tags in R80.40 that match the existing Azure AD groups.
In R81, we can fetch the groups from Azure AD.

Netadmin2020
Contributor

You mean I have to create an access role and, instead of a group, I'll add an identity tag that has the object identifier of an Azure AD group?

Royi_Priov
Employee

Hi @Netadmin2020 ,

I'm a bit confused. You have pasted a print screen from AzureAD object which was added to R81, but you are now stating you are using R80.40. Can you please explain?

The AzureAD object is used for users and groups auto fetch from the AzureAD directory and placing them in the Access Role object.

The Identity Provider object is used for SAML authentication flows (in R80.40 - IDA captive portal and Mobile Access portal, in the near future also RA VPN client and IDA agents).

If you are running R80.40, only the Identity provider object is needed, and the groups should be created manually as Identity Tag objects.

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
Netadmin2020
Contributor

@Royi_Priov

Thanks for the reply. The version is 80.40 with the latest hotfixes. The Azure AD object (I mean the connector) exists, I have filled in my Azure application info and the connection is OK. That part is for authorization, right? OK, I tried to create a new access role but in 80.40 it can't "see" the Azure AD.

[screenshot: azure1.png]

a) So a non-LDAP user with a device and user from Azure Active Directory will be identified?

b) With identity tags? How can I create an access role that will identify an Azure AD object? With the object identifier of the specific (for example) Azure AD user?

c) Is a policy needed here with source group the non-LDAP access role and the Azure identity tag inside?

Royi_Priov
Employee

Hi @Netadmin2020 

I understand the problem. There are 2 almost identical objects in SmartConsole: "Microsoft Azure" - used for CloudGuard (aka vSEC) and "AzureAD" for Identity Awareness, which was added in R81.

See that my headline is different:

[screenshot not shown]

So, there are 2 options using AzureAD:

1. Stay in R80.40, configure an Identity Provider object for AzureAD and authenticate users with SAML in the IDA captive portal. In the Access Role, you will need to use an Identity Tag.

2. Upgrade both SmartCenter and GW to R81 and, in addition to the Identity Provider object, configure an AzureAD object for Access Role usage.

[screenshot: {B2A94BAC-D78E-4D6B-A66C-9E51A606D90B}.png.jpg]

Thanks,
Royi Priov
Group manager, Identity Awareness R&D
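As an added illustration (not Check Point code, and not a description of its internal matching logic), this Python model shows why option 1 depends on Identity Tags: the SAML assertion from AzureAD carries group names, the Access Role can only reference tags the administrator created by hand, and any group without a matching tag grants nothing. The attribute name "groups" and the sample assertion are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real Azure AD token). It assumes the
# Identity Provider releases group membership as a multi-valued "groups"
# attribute; the attribute name is an assumption, configure it per your IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Identity Tags the administrator creates by hand in R80.40, one per AAD group
# the policy needs. Access Roles reference tags, never AAD groups directly.
IDENTITY_TAGS = {"Finance", "Engineering"}
ACCESS_ROLES = {"Finance_Role": {"Finance"}, "Eng_Role": {"Engineering"}}


def extract_groups(assertion_xml, attribute_name="groups"):
    """Return the set of values carried by the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            if val.text and val.text.strip():
                values.add(val.text.strip())
    return values


def resolve_access_roles(assertion_xml):
    """Map asserted groups -> matching Identity Tags -> Access Roles.

    Matching is exact (case-sensitive): a group with no tag of the same name
    grants nothing, so a renamed AAD group fails closed rather than open.
    """
    groups = extract_groups(assertion_xml)
    tags = groups & IDENTITY_TAGS
    roles = {role for role, needed in ACCESS_ROLES.items() if needed & tags}
    return {"tags": tags, "roles": roles, "unmatched": sorted(groups - IDENTITY_TAGS)}


if __name__ == "__main__":
    print(resolve_access_roles(SAMPLE_ASSERTION))
```

The "unmatched" list is the operational check to watch: a group appearing there after an AAD rename means users silently lose access until the tag is updated.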
Royi_Priov
Employee

For some reason the first picture isn't shown, so I'm posting it again.

[screenshot: {71E74939-A06D-40FE-A42C-90DE50B7FAEF}.png.jpg]

Thanks,
Royi Priov
Group manager, Identity Awareness R&D