This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ave_Joe
Collaborator
‎2025-01-16 02:05 PM

Identity Awareness with EntraID roles and policy enforcement

I have a requirement to evaluate moving Identity Awareness (IA) from a traditional on-premises Active Directory implementation to an IdP setup using EntraID. I’ve tested the IdP creation process and successfully configured the gateway to use EntraID SAML SSO for the Captive Portal. However, I’ve encountered an issue where any rules referencing roles based on EntraID groups fail to match.

It appears that the gateway is not retrieving EntraID group membership when a user authenticates. I’ve reviewed the Identity Awareness configuration guide multiple times, but something seems to be missing in the process to enforce policies based on IdP roles.

Use Case Example:

  • Group Setup: In EntraID, there is a group named Internet_Access. Users in this group should have full Internet access, while users not in the group should be restricted to accessing white-listed sites.
  • Rule Setup: I created a rule that uses a role based on the EntraID group Internet_Access. However, users are not matching the rule.
  • Issue Observed: In the log entries for Identity Awareness Successful Login, the Source User Group and Roles fields do not show any entries for EntraID groups.

It seems like simply following the "Using Azure AD for Authorization" section in the IA admin guide does not achieve the desired outcome.

Request for Guidance:

Has anyone successfully configured policy enforcement using IdP-based roles with EntraID? Are there any additional steps, settings, or troubleshooting methods that might resolve this issue?

For reference, I’ve opened a TAC case to have the configuration reviewed, but I wanted to check here to see if anyone else has encountered and resolved a similar issue.

Thank you in advance for your assistance!

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2025-01-17 06:51 AM

Have you created the relevant EXT_ID_ groups on the Check Point side?
For example, there should be EXT_ID_Internet_Access. 

0 Kudos
Ave_Joe
Collaborator
‎2025-01-17 07:50 AM
In response to PhoneBoy

Hello PhoneBoy.

That must be the missing step in the process. Is there any documentation or a SecureKnowledge (SK) article that specifically covers this aspect from an Identity Awareness/Captive Portal perspective? I haven’t been able to find anything relevant so far.

The Identity Awareness Administration Guide provides details on how to create the IdP, but it doesn’t include sufficient information on how to use the IdP in policy enforcement. Perhaps this information is covered in a different document?

Thanks.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-17 08:02 AM
In response to Ave_Joe

It would help to know what documentation you've followed so far and what you've configured to try and associate the Entra ID groups.
The need for EXT_ID_ groups are documented here (among other places): https://support.checkpoint.com/results/sk/sk177267 
It says Remote Access, but it certainly won't hurt even if RA isn't involved.

0 Kudos
Ave_Joe
Collaborator
‎2025-01-17 09:52 AM
In response to PhoneBoy

I will take a look at that SK.

Here is the link to the Identity Awareness doc that I was following.

Using Azure AD for Authorization

Cheers!

0 Kudos
Ave_Joe
Collaborator
‎2025-01-20 06:24 AM
In response to PhoneBoy

Over the weekend I went through the video "Using Azure AD for Authorization" again. I cleared out all that was done previously and started over.  The video does not mention anything about the process of using EXT_ID_.  It demonstrates that you simply choose the EntraID group in the picker as the Source and turn on the Captive Portal option in the Accept action column.

After following the video my test user can authenticate to the Captive Portal using the IdP but can not access the Internet.  The user does not match the rule that references the EntraID group.

srcdstaction
Internet Access Group (EntraID object)InternetAccept with Captive Portal option selected

 

When the test user authenticates to the Captive Portal I don't see any roles in the log entry that matches AzureAD groups.

Prior to redoing everything I did look at  SK177267 and ran some tests but that did not work either.

Hopefully working with the TAC will get it sorted.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-20 01:35 PM
In response to Ave_Joe

I assume "Internet Access Group" is actually an Access Role object?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events