Ave_Joe
Collaborator

Identity Awareness with EntraID roles and policy enforcement

I have a requirement to evaluate moving Identity Awareness (IA) from a traditional on-premises Active Directory implementation to an IdP setup using EntraID. I’ve tested the IdP creation process and successfully configured the gateway to use EntraID SAML SSO for the Captive Portal. However, I’ve encountered an issue where any rules referencing roles based on EntraID groups fail to match.

It appears that the gateway is not retrieving EntraID group membership when a user authenticates. I’ve reviewed the Identity Awareness configuration guide multiple times, but something seems to be missing in the process to enforce policies based on IdP roles.

Use Case Example:

  • Group Setup: In EntraID, there is a group named Internet_Access. Users in this group should have full Internet access, while users not in the group should be restricted to accessing white-listed sites.
  • Rule Setup: I created a rule that uses a role based on the EntraID group Internet_Access. However, users are not matching the rule.
  • Issue Observed: In the log entries for Identity Awareness Successful Login, the Source User Group and Roles fields do not show any entries for EntraID groups.

It seems like simply following the "Using Azure AD for Authorization" section in the IA admin guide does not achieve the desired outcome.

Request for Guidance:

Has anyone successfully configured policy enforcement using IdP-based roles with EntraID? Are there any additional steps, settings, or troubleshooting methods that might resolve this issue?

For reference, I’ve opened a TAC case to have the configuration reviewed, but I wanted to check here to see if anyone else has encountered and resolved a similar issue.

Thank you in advance for your assistance!

0 Kudos
3 Replies
PhoneBoy
Admin

Have you created the relevant EXT_ID_ groups on the Check Point side?
For example, there should be EXT_ID_Internet_Access. 

0 Kudos
Ave_Joe
Collaborator

Hello PhoneBoy.

That must be the missing step in the process. Is there any documentation or a SecureKnowledge (SK) article that specifically covers this aspect from an Identity Awareness/Captive Portal perspective? I haven’t been able to find anything relevant so far.

The Identity Awareness Administration Guide provides details on how to create the IdP, but it doesn’t include sufficient information on how to use the IdP in policy enforcement. Perhaps this information is covered in a different document?

Thanks.

0 Kudos
PhoneBoy
Admin

It would help to know what documentation you've followed so far and what you've configured to try and associate the Entra ID groups.
The need for EXT_ID_ groups is documented here (among other places): https://support.checkpoint.com/results/sk/sk177267
It says Remote Access, but it certainly won't hurt even if RA isn't involved.

0 Kudos
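As an added troubleshooting aid that is not part of this thread or of Check Point's own tooling: the script below parses a constructed SAML response, pulls the Entra ID group claim values the gateway would see, and reports which of them have no EXT_ID_<group> object to match against. It assumes the gateway matches group claim values by name, so GUID-shaped values (Entra ID's default object-ID form of the groups claim) are reported separately because they could never match a name-based EXT_ID_ object.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in an Entra ID response
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Claim type under which Entra ID emits group membership
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample response (not captured from a real tenant or gateway)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>Internet_Access</saml:AttributeValue>
        <saml:AttributeValue>Finance_Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def extract_groups(response_xml):
    """Return the values carried in the assertion's groups claim, in order."""
    root = ET.fromstring(response_xml)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return groups

def check_ext_id_mapping(groups, gateway_objects):
    """Report groups lacking an EXT_ID_<group> object (assumed name-based matching),
    and GUID values separately, since an object ID cannot match a name-based object."""
    missing = [g for g in groups if not GUID_RE.match(g) and f"EXT_ID_{g}" not in gateway_objects]
    object_ids = [g for g in groups if GUID_RE.match(g)]
    return {"missing": missing, "object_ids": object_ids}

if __name__ == "__main__":
    # Only EXT_ID_Internet_Access exists on the gateway side in this constructed case
    print(check_ext_id_mapping(extract_groups(SAMPLE_RESPONSE), {"EXT_ID_Internet_Access"}))
```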