Heath_H
Contributor

Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

I'm trying to put web apps in Mobile Access that leverage SAML based SSO (we use Okta, but it's the same for any SAML SSO provider).

The challenge is, that the application redirects to the SAML IdP just fine, but when the IdP redirects back to the relying party (SP), it is using the configured Relying Party URL.  So we need to send the IdP traffic through Mobile Access in order for MAB to be able to rewrite those URLs as they contain the SAML assertion that needs to go to the SP.

I have tried adding the SAML IdP URL as a web application and including it in the rules.  This almost works, but it seems that the URL rewriting code is either not able to or just isn't updating the SRI in the URL causing the browser to not load it as the SRI value doesn't match the rewritten URL.

I had a TAC case opened with my Diamond Engineer (6-0002161253), but it got closed in the transition from one engineer to another because the debugs that I had provided to the case got lost and I didn't want to go through and gather debugs all over again for something that I clearly documented as an issue with the MAB URL rewrite.

I wanted to ask the community if anyone had been able to successfully add a web application to MAB that used SAML authentication and, if so, how.

Thanks,

heath
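Added illustration, not code from this thread or from any Check Point product: a small Python model of how a browser evaluates a Subresource Integrity attribute, showing why a reverse proxy that only rewrites the `src` URL in the HTML still passes the check, while one that rewrites hostnames inside the script body itself fails it. The hostnames and script content are constructed for the example.

```python
import base64
import hashlib

# Constructed sample: a script the SAML service provider (SP) serves, which
# embeds the SP's own hostname, plus the portal hostname a rewriting proxy
# would substitute.  All three values are made up for this illustration.
ORIGINAL_JS = b'fetch("https://app.internal.example/api/session");\n'
SP_HOST = "app.internal.example"
PORTAL_HOST = "mab.example.com"


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Build an SRI integrity value ("sha384-<base64 digest>") from resource bytes."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Verify a fetched resource the way a browser does: hash the bytes and
    compare to the attribute.  The URL the bytes came from is irrelevant."""
    algo, _, _ = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # unknown algorithms are not a valid integrity metadata
    return sri_digest(body, algo) == integrity


def rewrite_host(body: bytes, old: str, new: str) -> bytes:
    """Simulate a reverse proxy applying its URL rewrite to the resource body."""
    return body.replace(old.encode(), new.encode())


def check_rewrite_effect() -> dict:
    """Compare both proxy behaviours against the integrity value the SP published."""
    integrity = sri_digest(ORIGINAL_JS)
    # Case 1: proxy rewrote only the <script src> in the HTML; bytes are untouched.
    url_only_ok = sri_matches(ORIGINAL_JS, integrity)
    # Case 2: proxy also rewrote the hostname inside the script body.
    body_rewritten = rewrite_host(ORIGINAL_JS, SP_HOST, PORTAL_HOST)
    body_rewrite_ok = sri_matches(body_rewritten, integrity)
    return {
        "integrity": integrity,
        "url_only_rewrite_ok": url_only_ok,
        "body_rewrite_ok": body_rewrite_ok,
    }


if __name__ == "__main__":
    print(check_rewrite_effect())
```

The second case is SRI doing exactly what it is for: any intermediary that changes the bytes, including a rewriting proxy, is indistinguishable from tampering, so the page either has to be served unmodified or the integrity attribute has to be regenerated by the party that controls the content.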

1 Solution

Accepted Solutions
PhoneBoy
Admin

The root post for this relates to backend apps that require SAML authentication to access.
Meanwhile, the frontend of MAB very much supports SAML authentication.
It's even in the documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont...


8 Replies
PhoneBoy
Admin

This may not be supported.
@MaksimBahunou can you confirm?

MaksimBahunou
Employee

@PhoneBoy , you are right. Such configuration is not supported.

Heath_H
Contributor

So what is the answer for that situation, as more and more applications are leveraging SSO, including internal ones. Further, SRI is a security measure and I only see its use increasing in web-based applications.

Is the recommendation to move to something like an F5 in a DMZ that better handles URL rewriting for internal web applications coupled with SSO and MFA, and just avoid the need for an SSL VPN entirely?

PhoneBoy
Admin

We have a different solution that handles this use case better called Harmony Connect.
The deployment/management model is a bit different, but it achieves the same result.

Daniel_Kavan
Advisor

Is this still the case today? Harmony Connect is recommended over SSL VPN with SAML and web apps?

It's odd that SAML SSO is supported for SNX and Endpoint Security fat clients but not web apps. It's not supported with the Mobile Access portal or the Identity Awareness browser portal? I'll check out Harmony Connect; it looks like it's a solution with the Infinity Portal. Can it be used to access on-premises resources?

PhoneBoy
Admin

Since that post was made, Harmony SASE is now the solution.
The Mobile Access Portal itself supports SAML authentication (has since R80.40).

Are you talking about a backend app (accessible via the MAB frontend) that requires SAML authentication?

Daniel_Kavan
Advisor

TAC just closed my case referencing this post, saying that SAML authentication wasn't supported for MAB web applications. No, I don't need SAML for the backend apps, I'm just trying to get to them!
