Ave_Joe
Collaborator

Identity Awareness with EntraID roles and policy enforcement

I have a requirement to evaluate moving Identity Awareness (IA) from a traditional on-premises Active Directory implementation to an IdP setup using EntraID. I’ve tested the IdP creation process and successfully configured the gateway to use EntraID SAML SSO for the Captive Portal. However, I’ve encountered an issue where any rules referencing roles based on EntraID groups fail to match.

It appears that the gateway is not retrieving EntraID group membership when a user authenticates. I’ve reviewed the Identity Awareness configuration guide multiple times, but something seems to be missing in the process to enforce policies based on IdP roles.

Use Case Example:

  • Group Setup: In EntraID, there is a group named Internet_Access. Users in this group should have full Internet access, while users not in the group should be restricted to accessing white-listed sites.
  • Rule Setup: I created a rule that uses a role based on the EntraID group Internet_Access. However, users are not matching the rule.
  • Issue Observed: In the log entries for Identity Awareness Successful Login, the Source User Group and Roles fields do not show any entries for EntraID groups.

It seems like simply following the "Using Azure AD for Authorization" section in the IA admin guide does not achieve the desired outcome.

Request for Guidance:

Has anyone successfully configured policy enforcement using IdP-based roles with EntraID? Are there any additional steps, settings, or troubleshooting methods that might resolve this issue?

For reference, I’ve opened a TAC case to have the configuration reviewed, but I wanted to check here to see if anyone else has encountered and resolved a similar issue.

Thank you in advance for your assistance!

0 Kudos
1 Reply
PhoneBoy
Admin

Have you created the relevant EXT_ID_ groups on the Check Point side?
For example, there should be EXT_ID_Internet_Access. 

0 Kudos
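A way to narrow down where the empty "Source User Group" field comes from is to look at the assertion the IdP actually sends before blaming the gateway. The script below is an added example, not code from Check Point or from anyone in this thread: it parses a decoded SAML assertion, pulls the group claim out of the AttributeStatement, and checks each group against the EXT_ID_<group> naming the reply above describes. The claim name (`http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`), the sample assertion and the `defined_objects` set are assumptions constructed for the example; it does no signature verification and is only meant for offline inspection of a captured assertion.

```python
"""Inspect a decoded SAML assertion for the group claim Identity Awareness
needs in order to match EXT_ID_ role objects.

Added example; the claim name, the sample assertion and the EXT_ID_ check are
assumptions for illustration, not verified gateway internals.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: attribute name Entra ID uses for group claims in SAML tokens.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# From the reply in the thread: the gateway-side object for an IdP group
# is named EXT_ID_<group>.
EXT_ID_PREFIX = "EXT_ID_"
# Entra ID emits group object IDs (GUIDs) unless the claim is configured to
# emit group names; a GUID here can never match an EXT_ID_<name> object.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample assertion (unsigned, for offline inspection only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Internet_Access</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_groups(assertion_xml, claim_name=GROUP_CLAIM):
    """Return the group values carried by the named claim, in assertion order."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != claim_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def classify_group(group, defined_objects):
    """Classify one claimed group against the EXT_ID_ objects defined on the gateway side."""
    if GUID_RE.match(group):
        return "object_id_not_name"
    if EXT_ID_PREFIX + group in defined_objects:
        return "matched"
    return "missing_ext_id_object"


def diagnose(assertion_xml, defined_objects, claim_name=GROUP_CLAIM):
    """Summarise why a role based on an IdP group would or would not match."""
    root = ET.fromstring(assertion_xml)
    nameid = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    groups = extract_groups(assertion_xml, claim_name)
    mapping = {g: classify_group(g, defined_objects) for g in groups}
    if not groups:
        hint = "no group claim in assertion: check the IdP application's group claim settings"
    elif any(v == "object_id_not_name" for v in mapping.values()):
        hint = "group claim carries object IDs, not names: EXT_ID_<name> objects will not match"
    elif any(v == "missing_ext_id_object" for v in mapping.values()):
        hint = "create EXT_ID_<group> objects for each group used in a role"
    else:
        hint = "all claimed groups have EXT_ID_ objects"
    return {"nameid": nameid, "groups": groups, "mapping": mapping, "hint": hint}


if __name__ == "__main__":
    # Assumed gateway-side objects: only the Internet_Access group has been created.
    print(diagnose(SAMPLE_ASSERTION, {"EXT_ID_Internet_Access"}))
```

Run it against an assertion captured from the browser's SAML response (base64-decode the `SAMLResponse` form field first). If `groups` is empty, the IdP application is not sending group claims at all and the gateway has nothing to map; if the values are GUIDs, the claim is emitting object IDs rather than the names the EXT_ID_ objects are keyed on; if names arrive but a group reports `missing_ext_id_object`, the gateway-side object is what is missing.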
