This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
StevePearson
Contributor
Wednesday

VPN users, SAML and IPassignments

I'm currently investigating the way VPN users are identified when they connect and authenticate with SAML against 365. Employees are sync'ed from Local AD but other users are only defined in 365. Identity collector is deployed on the local AD servers. Users connect using the either the Remote Access Client or the Endpoint Security Client, but the effect is the same in both.

If the user is identified by SAML but not known in local AD then I believe that the “Username” is returned as the email address so user.name@mydomain.co.uk. This is then matched in ipassignments.conf to give the user an IP address. (assuming that there is an entry for user.name@mydomain.co.uk obviously) But as the user is not known in local AD, the ID Awareness obviously doesn't have any group membership details for the user, so the user won't match any Access Roles.

If the user is identified by SAML and is known in local AD then I believe that the “Username” is returned as the first part of the email address only so user.name. This however is NOT matched in ipassignments.conf so the user gets an IP address from the DHCP pool. (even if there is an entry in ipassignments.conf for user.name) However this time, as the user IS known in local AD, the ID Awareness does have the group membership details for the user, so the user will match Access Roles.

What I don't understand is why the identified users are not matching in the ipassignments.conf file. Am I missing something here? I don't have a suitable lab environment to be able to test this unfortunately.

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
Friday

The Entra ID groups should be passed as part of the SAML Assertion.
You also need to create local versions of said groups.
See: https://support.checkpoint.com/results/sk/sk177267 

0 Kudos
fabionfsc
Contributor
Friday

Usually, when I deploy Microsoft Authenticator + Entra ID for VPN authentication, I also perform verification via Local AD, because our customers have a license that, when creating a user in Azure, it is replicated in Local AD and vice-versa. But when this scenario does not occur, it is complicated... The Access Role rules never match. I know there is a solution for this, which is to create empty groups with EXT_*, but honestly I have never tested it.

That said, when authentication is done via Entra ID, Check Point does not receive the username, but rather the UPN (userPrincipalName), which is user@domain.com, but this also depends on how the Enterprise Application was configured, and how the user will be identified in the metadata.

I have a test environment where we can test some configurations, including ipassignment.conf. In my tests, even using common authentication by username and password, I was only able to make it work by defining the DN (Distinguished Name) of the users in the ipassignment.conf file.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events