This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex2023
Participant
‎2024-11-07 05:15 AM

R81.20 JHF 89 SAML Forced Re-authentication

Hi all,

Has anyone figured out how to enable this function: Identity Awareness(SAML): Forced Re-authentication, which requires mandatory login for each session?

Previously, I followed the instructions described in sk180948.

 

Best regards,

Alex

0 Kudos
21 Replies
the_rock
Legend
Legend
‎2024-11-07 06:48 AM

Im fairly positive there is a feature on Azure portal you need to enable to make this work. Let me talk to one of my coleagues, Im sure he will know what it is.

Andy

0 Kudos
Alex2023
Participant
‎2024-11-07 07:12 AM
In response to the_rock

Hi @the_rock ,

thank you for your message. I set up the Azure authorization according to that guide, and everything is working perfectly. However, I can’t find a function in Azure that would enforce authentication each time a client connects.

I used sk180948 to implement persistent authentication. I was hoping there might now be an option in Check Point to handle this without manually editing the config file.

Alex

 

0 Kudos
Alex2023
Participant
‎2024-11-07 07:26 AM
In response to Alex2023

This option likely pertains to Conditional Access Policies in Office365. See more here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-session-lifetime#require...

the_rock
Legend
Legend
‎2024-11-07 07:27 AM
In response to Alex2023

Yep, thats it!

Andy

0 Kudos
Alex2023
Participant
‎2024-11-08 12:34 AM
In response to the_rock

Hi @the_rock ,

Simply activating this function in the Conditional Policy didn’t change anything. The MS documentation includes the following: 'Sign-in frequency set to every time works best when the resource has the logic of when a client should get a new token.'

It seems to me that some configuration change might also be needed on the Check Point side. Is there anyone we could ask about this?

 

Alex

0 Kudos
the_rock
Legend
Legend
‎2024-11-08 04:08 AM
In response to Alex2023

Thats the same link my collegue sent me as well, sorry. Im not aware of anything else. Maybe you can double check with TAC or lets see if someone else may know.

Andy

0 Kudos
Alex2023
Participant
‎2024-11-08 04:09 AM
In response to Alex2023

After a few hours, it started working better. Authentication is requested if the last session was more than 5 minutes ago.

0 Kudos
the_rock
Legend
Legend
‎2024-11-08 04:10 AM
In response to Alex2023

Maybe just took some time...

Alex2023
Participant
‎2024-11-08 04:12 AM
In response to the_rock

Agreed, Microsoft always requires some time.

0 Kudos
the_rock
Legend
Legend
‎2024-11-08 04:15 AM
In response to Alex2023

I wish that were only true for Microsoft lol

Anyway, is it working for all users now?

Andy

0 Kudos
Alex2023
Participant
‎2024-11-08 04:17 AM
In response to the_rock

Yes, this works for everyone who falls under this Conditional Policy.

Alex

0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-08 07:32 AM

I diffed the relevant file in R81.20 JHF 89 versus a fresh install of R81.20.
There is one line added to the file that didn't exist before:

'ForceAuthn' => ( ( IsForceAuthnOverride((string)$realm_name) || (property_exists($realm, "ForceAuthn") && ($realm->ForceAuthn === true))) ? true : false ),

Not exactly sure where it is reading this property from, though.
I'll see if I can get more information.

0 Kudos
Ben_Dunkley
Contributor
‎2024-11-22 07:19 AM
In response to PhoneBoy

It would be nice if there was at least an sk for those new SAML features (Request Signing, Assertion Decryption and Forced Re-authentication).

SAML for remote access vpn broke for us on upgrade to take89, and we ended up reverting and installing take84 instead.

We were assuming it was related to those new features, but struggled to find any information about them.

the_rock
Legend
Legend
‎2024-11-22 12:15 PM
In response to Ben_Dunkley

I actually gave feedback for the sk, lets hope they made a modification.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-22 01:19 PM
In response to Ben_Dunkley

sk180948 is where the existing "ForceAuthn = true" modification is documented.
I left feedback on this SK and it appears R&D plans to update this with the relevant information. 

0 Kudos
the_rock
Legend
Legend
‎2024-11-24 01:04 PM
In response to Ben_Dunkley

I got an email today about the sk being modified and when I checked it, it indeed was.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-25 06:32 AM
In response to the_rock

It looks like an additional modification to the file needs to be made for R82 and R81.20 JHF 89 (If I'm understanding the SK correctly).

0 Kudos
the_rock
Legend
Legend
‎2024-11-25 06:37 AM
In response to PhoneBoy

Thats my understanding as well, but let me see if I can reply to email they sent, cause Im not sure that mailbox might be monitored.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-11-25 07:06 AM
In response to PhoneBoy

I responded to an email and they answered advising to do modifications as per sk.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-11-22 12:14 PM
In response to PhoneBoy

Yup, I see same thing on jumbo 90 as well, that exact line.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top