@Alex2023 

I believe this is what you need to follow, but will verify.

Andy

https://learn.microsoft.com/en-us/entra/identity/saas-apps/check-point-remote-access-vpn-tutorial

Hi @the_rock ,

thank you for your message. I set up the Azure authorization according to that guide, and everything is working perfectly. However, I can’t find a function in Azure that would enforce authentication each time a client connects.

I used sk180948 to implement persistent authentication. I was hoping there might now be an option in Check Point to handle this without manually editing the config file.

Alex

This option likely pertains to Conditional Access Policies in Office365. See more here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-session-lifetime#require...

Yep, thats it!

Andy

Hi @the_rock ,

Simply activating this function in the Conditional Policy didn’t change anything. The MS documentation includes the following: 'Sign-in frequency set to every time works best when the resource has the logic of when a client should get a new token.'

It seems to me that some configuration change might also be needed on the Check Point side. Is there anyone we could ask about this?

Alex

Thats the same link my collegue sent me as well, sorry. Im not aware of anything else. Maybe you can double check with TAC or lets see if someone else may know.

Andy

After a few hours, it started working better. Authentication is requested if the last session was more than 5 minutes ago.

Maybe just took some time...

Agreed, Microsoft always requires some time.

I wish that were only true for Microsoft lol

Anyway, is it working for all users now?

Andy

Yes, this works for everyone who falls under this Conditional Policy.

Alex

It would be nice if there was at least an sk for those new SAML features (Request Signing, Assertion Decryption and Forced Re-authentication).

SAML for remote access vpn broke for us on upgrade to take89, and we ended up reverting and installing take84 instead.

We were assuming it was related to those new features, but struggled to find any information about them.

I actually gave feedback for the sk, lets hope they made a modification.

Andy

sk180948 is where the existing "ForceAuthn = true" modification is documented.
I left feedback on this SK and it appears R&D plans to update this with the relevant information. 

I got an email today about the sk being modified and when I checked it, it indeed was.

Andy

It looks like an additional modification to the file needs to be made for R82 and R81.20 JHF 89 (If I'm understanding the SK correctly).

Thats my understanding as well, but let me see if I can reply to email they sent, cause Im not sure that mailbox might be monitored.

Andy

I responded to an email and they answered advising to do modifications as per sk.

Andy

Yup, I see same thing on jumbo 90 as well, that exact line.

Andy