Alex2023
Participant

R81.20 JHF 89 SAML Forced Re-authentication

Hi all,

Has anyone figured out how to enable this function: Identity Awareness(SAML): Forced Re-authentication, which requires mandatory login for each session?

Previously, I followed the instructions described in sk180948.

 

Best regards,

Alex

0 Kudos
21 Replies
the_rock
Legend

I'm fairly positive there is a feature on the Azure portal you need to enable to make this work. Let me talk to one of my colleagues, I'm sure he will know what it is.

Andy

0 Kudos
the_rock
Legend

0 Kudos
Alex2023
Participant

Hi @the_rock ,

thank you for your message. I set up the Azure authorization according to that guide, and everything is working perfectly. However, I can’t find a function in Azure that would enforce authentication each time a client connects.

I used sk180948 to implement persistent authentication. I was hoping there might now be an option in Check Point to handle this without manually editing the config file.

Alex

 

0 Kudos
Alex2023
Participant

This option likely pertains to Conditional Access Policies in Office365. See more here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-session-lifetime#require...

the_rock
Legend

Yep, that's it!

Andy

0 Kudos
Alex2023
Participant

Hi @the_rock ,

Simply activating this function in the Conditional Policy didn’t change anything. The MS documentation includes the following: 'Sign-in frequency set to every time works best when the resource has the logic of when a client should get a new token.'

It seems to me that some configuration change might also be needed on the Check Point side. Is there anyone we could ask about this?

 

Alex

0 Kudos
the_rock
Legend

That's the same link my colleague sent me as well, sorry. I'm not aware of anything else. Maybe you can double check with TAC, or let's see if someone else may know.

Andy

0 Kudos
Alex2023
Participant

After a few hours, it started working better. Authentication is requested if the last session was more than 5 minutes ago.

0 Kudos
the_rock
Legend

Maybe just took some time...

Alex2023
Participant

Agreed, Microsoft always requires some time.

0 Kudos
the_rock
Legend

I wish that were only true for Microsoft lol

Anyway, is it working for all users now?

Andy

0 Kudos
Alex2023
Participant

Yes, this works for everyone who falls under this Conditional Policy.

Alex

0 Kudos
PhoneBoy
Admin

I diffed the relevant file in R81.20 JHF 89 versus a fresh install of R81.20.
There is one line added to the file that didn't exist before:

'ForceAuthn' => ( ( IsForceAuthnOverride((string)$realm_name) || (property_exists($realm, "ForceAuthn") && ($realm->ForceAuthn === true))) ? true : false ),

Not exactly sure where it is reading this property from, though.
I'll see if I can get more information.

0 Kudos
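As an added example (not Check Point's code and not from this thread): the realm-level ForceAuthn decision quoted above ends up as the ForceAuthn attribute on the SAML AuthnRequest the gateway sends to the IdP. This Python mirrors that decision, builds such a request, and decodes a SAMLRequest parameter captured from the gateway's HTTP-Redirect to the IdP to confirm whether forced re-authentication was actually requested, which separates a gateway-side problem from an IdP session-policy one. The issuer and ACS URLs are constructed placeholders.

```python
import base64
import zlib
import datetime
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

def force_authn_for_realm(realm: dict, override: bool = False) -> bool:
    """Same decision as the quoted PHP line: a realm-level override, or the realm's
    ForceAuthn property being exactly boolean true. The strict comparison means a
    string "true" in the realm config would NOT enable it."""
    return override or realm.get("ForceAuthn") is True

def build_authn_request(realm: dict, request_id: str, acs_url: str,
                        override: bool = False) -> str:
    """Minimal SAML 2.0 AuthnRequest. ForceAuthn is emitted only when enabled; an
    absent attribute means false, so the IdP may silently reuse its SSO session."""
    attrs = {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc)
                                .strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    }
    if force_authn_for_realm(realm, override):
        attrs["ForceAuthn"] = "true"
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", attrs)
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = realm["issuer"]
    return ET.tostring(root, encoding="unicode")

def redirect_binding_encode(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def captured_request_forces_reauth(saml_request_param: str) -> bool:
    """Decode a SAMLRequest query parameter captured from the gateway's redirect to
    the IdP and report whether it demands re-authentication. This confirms the
    gateway-side setting took effect before looking at IdP session policies."""
    raw = zlib.decompress(base64.b64decode(saml_request_param), wbits=-15)
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML AuthnRequest")
    return root.get("ForceAuthn", "false").lower() == "true"
```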
Ben_Dunkley
Contributor

It would be nice if there was at least an sk for those new SAML features (Request Signing, Assertion Decryption and Forced Re-authentication).

SAML for remote access vpn broke for us on upgrade to take89, and we ended up reverting and installing take84 instead.

We were assuming it was related to those new features, but struggled to find any information about them.

the_rock
Legend

I actually gave feedback for the sk, let's hope they made a modification.

Andy

0 Kudos
PhoneBoy
Admin

sk180948 is where the existing "ForceAuthn = true" modification is documented.
I left feedback on this SK and it appears R&D plans to update this with the relevant information. 

0 Kudos
the_rock
Legend

I got an email today about the sk being modified and when I checked it, it indeed was.

Andy

0 Kudos
PhoneBoy
Admin

It looks like an additional modification to the file needs to be made for R82 and R81.20 JHF 89 (If I'm understanding the SK correctly).

0 Kudos
the_rock
Legend

That's my understanding as well, but let me see if I can reply to the email they sent, because I'm not sure that mailbox is monitored.

Andy

0 Kudos
the_rock
Legend

I responded to the email and they answered advising to do the modifications as per the sk.

Andy

0 Kudos
the_rock
Legend

Yup, I see the same thing on jumbo 90 as well, that exact line.

Andy

0 Kudos
