Jonas_Meineke
Explorer

Remote Access VPN with SAML Auth and MEP - Identity Provider Configuration

Hi all,

There are 2 questions on this matter:

a) Is MEP with Identity Provider seamless? Will I only have to login once, or do I have to login to every single gateway again?

b) is a bit more technical:

We have an environment where we have a working MEP configuration for Username/Password.

We're trying to change to Azure AD Auth with SAML / Identity Provider.

I've gone through the AdminGuide for SAML Support

(https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...)

and configured my Identity Provider, added a second Login Option for Identity Provider Usage and gone through the GuiDBedit part.

For MEP, there is only one remark under "Step 4: Configure the Identity Provider as an Authentication Method":

Note - For Remote Access Multiple Entry Point (MEP), you must configure the same Login Option on all Security Gateways that participate in MEP. Make sure to add all the Identity Provider objects (one per Security Gateway) to a dedicated Login Option.


Does this implicitly mean that we have to create an Identity Provider object for every single gateway that takes part in the Remote Access community and therefore gets added to the MEP configuration?

And secondly, "add all IDP objects (one per Security Gateway) to a dedicated Login Option": does this mean that I need one additional login option with all configured Identity Providers, or do I need a separate one for each Identity Provider, given that I might indeed have to create an IDP for each participating gateway?

The setup is that everyone connects to the main site (that one has the Identity Provider configured above), and then uses MEP to get to the other sites afterwards.


The question is: can the other MEP gateways simply use the already established user verification somehow and I missed that point, or do we indeed have to log in to every gateway?

In the current config: After the initial successful SAML login to the main site, the next site comes up and gives us another Identity Provider login which then fails.

Best Regards,
Jonas

0 Kudos
4 Replies
PhoneBoy
Admin

Pretty sure MEP does not reuse the existing authentication, even when SAML is not used.
Not sure if you can reuse the Identity Provider for all gateways/clusters unless the redirection URL terminates on the relevant gateway.
I don't see how this can work for external users.
Which means: you will need to create a new Identity Provider object for each gateway/cluster.

0 Kudos
Jonas_Meineke
Explorer

I've looked further into this and it is not MEP, but the RA secondary connect, which happens automatically for all gateways that are part of the RemoteAccess community (and is needed in the current setup due to the different EncDoms from different sites).

If this is the design, I guess using multiple gateways for Remote Access and trying to use Identity Provider is kind of scuffed, if there is no option to consolidate that login, if I have to bind one Provider to a single Gateway/Cluster?

If I have to log in to 6-8 different Identity Providers each time I wanna use Client VPN, that's gonna be rather unfeasible after 2 days.

Should I open a case for this? I don't seem to find any real documentation for this use case.

0 Kudos
PhoneBoy
Admin

What you need to do (I believe) is create multiple objects for the same SAML provider with a similar configuration (the Identifier and Reply URL are specific to the gateway terminating the connection).

Even within the same gateway, you currently have to create multiple objects if you are using SAML with, say, Mobile Access Blade and Identity Awareness.
This is a known limitation at present.

In R82, Quantum Gateways will be able to use Identity Providers defined in the Check Point Infinity Portal, allowing customers to centrally manage identities across multiple Check Point products.
This should eliminate this issue.

0 Kudos
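The reply above says the Identifier and Reply URL are specific to the gateway that terminates the connection, and the original post reports that the second gateway's Identity Provider login fails after a successful login to the first. The added example below (not Check Point's code and not from this thread) shows the service-provider-side checks that produce exactly that behaviour: a SAML Response is bound to one Destination, one Recipient and one Audience, so an assertion issued for gateway A is rejected by gateway B. The gateway names, the `/saml-vpn/...` URL layout and the SAML Response are constructed placeholders; the real Check Point Reply URL format and the XML signature verification a real gateway also performs are not reproduced here.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# SAML 2.0 namespaces used by the Response and the Assertion it carries.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass(frozen=True)
class GatewaySP:
    """Service-provider identity of one VPN gateway: the values you would enter
    in the Azure AD enterprise application and in that gateway's Identity Provider object."""
    fqdn: str
    entity_id: str   # "Identifier (Entity ID)" on the Azure AD side
    reply_url: str   # "Reply URL" (Assertion Consumer Service) on the Azure AD side


def gateway_sp(fqdn: str) -> GatewaySP:
    """Build the per-gateway registration. The URL layout is a constructed
    placeholder for this example; the real Check Point paths differ."""
    return GatewaySP(
        fqdn=fqdn,
        entity_id=f"https://{fqdn}/saml-vpn/metadata",
        reply_url=f"https://{fqdn}/saml-vpn/acs",
    )


def registrations_for(fqdns: list[str]) -> dict[str, GatewaySP]:
    """One SP registration (and hence one Identity Provider object) per gateway/cluster."""
    return {fqdn: gateway_sp(fqdn) for fqdn in fqdns}


def check_response(xml_text: str, sp: GatewaySP) -> list[str]:
    """Return the reasons gateway `sp` must reject this SAML Response (empty list = accepted).
    These are the standard SAML 2.0 binding checks; signature verification is omitted here."""
    root = ET.fromstring(xml_text)
    problems = []

    # Destination on the Response must be the ACS URL of the gateway that received it.
    dest = root.get("Destination")
    if dest != sp.reply_url:
        problems.append(f"Destination {dest!r} != this gateway's Reply URL {sp.reply_url!r}")

    # Recipient in SubjectConfirmationData must also be this gateway's ACS URL.
    recipients = [e.get("Recipient") for e in root.findall(".//saml:SubjectConfirmationData", NS)]
    if sp.reply_url not in recipients:
        problems.append(f"Recipient {recipients!r} does not include {sp.reply_url!r}")

    # AudienceRestriction must name this gateway's Entity ID (the "Identifier").
    audiences = [e.text for e in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if sp.entity_id not in audiences:
        problems.append(f"Audience {audiences!r} does not include {sp.entity_id!r}")

    return problems


# Constructed sample: an assertion the IdP issued for gw1 (not a real capture).
GW1 = gateway_sp("gw1.example.com")
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" Destination="{GW1.reply_url}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jonas@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{GW1.reply_url}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{GW1.entity_id}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for fqdn, sp in registrations_for(["gw1.example.com", "gw2.example.com"]).items():
        verdict = check_response(SAMPLE_RESPONSE, sp)
        print(fqdn, "accepts" if not verdict else "rejects: " + "; ".join(verdict))
```

Running it shows gw1 accepting the assertion and gw2 rejecting it on all three checks, which is why a second gateway in the community cannot silently reuse the first gateway's SAML login and instead needs its own Identity Provider object registered with its own Identifier and Reply URL.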
CheckPointerXL
Advisor

Hey Jonas,

any news on this?

0 Kudos