sdragon92
Contributor

SSO not working with Endpoint VPN Client

Hello All,

I am doing a CheckPoint Endpoint VPN migration for multiple customers and we authenticate using SAML SSO. The integration works fine; however, when the user disconnects and attempts to re-authenticate, they get prompted again, although they are authenticating against an SSO portal which works for other vendors. I tried to play around with the trac.defaults file and changed embedded to IE, and it seems for some reason these sessions or caches are getting deleted every time the user disconnects. Is that normal behaviour for all identity providers, or is there something I am missing?

An update: I found this in the client guide. Is that the root cause? It has to re-initiate using the Always-Connect feature only; I cannot do it manually according to this? So how can I test that this is working? I guess by setting the authentication timeout to, for example, 2 minutes, then waiting for the re-authentication to do the work without re-prompting the user. Although I am still worried this might not work with SAML. Please correct me if I said something wrong, thanks.


An update: this did not work. It did re-authenticate me to my IdP, but the session/cache is still cleared as it asks again for user/password. This behaviour doesn't appear on Mobile Access VPN, as we use the normal browser and SSO happens normally. I wonder if there is something to be done for this endpoint VPN client to work with SSO? Can someone help me please? Thanks


- Dawoud

PhoneBoy
Admin

The password caching options you mention only apply to internal authentication methods.
When using SAML, "caching" is largely controlled by the IdP.
Having said that, there is a specific parameter we don't send by default (ForceAuthn) that requires the user to authenticate again regardless of what the IdP says.
This is not done by default currently, but a fix for this can be obtained from the TAC by referencing TM-34402.

But it seems like you want the opposite?
You want the "cached" sign on used for other IdP services to be also used for VPN?
Please explain in more detail what you expect, also please include the version/JHF level of the gateway and client versions in use.

sdragon92
Contributor

Hi @PhoneBoy, thanks for your reply, I appreciate it. The behavior is completely different from what we see on Mobile Access. We are using the IdP (authenticating to an SSO portal of the IdP), so the session is kept in the browser; hence when we log off from the Mobile Access page and log back in, we send the SAML request, the IdP identifies you as logged in on the portal and sends back success to Check Point, and it doesn't re-authenticate. However, in the VPN client this doesn't happen; it re-authenticates every time. What we want is to do SSO normally with the VPN client using the session timeout of the IdP for that portal, the same behavior as Mobile Access. So I guess the question is: what is the difference between Mobile Access and the VPN client embedded browser for SSO to work? I also saw a video on YouTube of a guy doing Azure AD; he manually logged off and was re-prompted again. So how can we make SSO work as long as the session to the IdP is active (same as Mobile Access)?

Thanks in advance !

- Dawoud

sdragon92
Contributor

@PhoneBoy Client version: E86.50. Gateway & Management server version: R81.10 with the latest Jumbo hotfix (Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T78_FULL). We applied the script on the management server too.

PhoneBoy
Admin

I assume MAB and Remote Access VPN are using different sessions for authentication similar to using two different browsers on the same system (e.g. Firefox and Chrome) that authenticate against the IdP.
Each browser session has to be authenticated separately in that case.
Getting them to use the same session (thus the SSO "works" for both VPN and MAB authenticating only once) is probably an RFE.

sdragon92
Contributor

@PhoneBoy So are you saying that the VPN client doesn't support SSO but only supports SAML at the moment? Is there any ticket opened for this internally, maybe? Kindly confirm if you can. Thanks a lot for your time on this so far!

- Dawoud

PhoneBoy
Admin

If you want a formal statement, please open a TAC case.
However, based on the fact we bring up an embedded browser for authentication for Remote Access VPN and the option that allows for an external browser to be used for SAML Authentication doesn't currently work (still to be implemented), I'm pretty confident this is not currently supported, but will probably be in the future.

sdragon92
Contributor

@PhoneBoy That is fine, I am convinced by this as well. There is a workaround in place anyway: I will increase the auth timeout a little bit so re-authentication happens maybe once a day for the users. Thanks a ton for your time so far on this, @PhoneBoy. I appreciate it a ton!

- Dawoud

PhoneBoy
Admin

To amend my answer above: you actually need to set ForceAuthn on the Azure IdP side of things to true instead of applying the "bugfix" in TM-34402.
Likewise, if you want to leverage the SSO of the IdP, ForceAuthn needs to be set to false (again, in Azure AD).

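The two replies above turn on a single SAML 2.0 attribute, ForceAuthn on the samlp:AuthnRequest, which tells the IdP to ignore any existing SSO session. The following is an added example, not Check Point's or the thread's own code, for checking what a given SP actually sends: it decodes a SAMLRequest from an HTTP-Redirect binding URL (base64 over raw DEFLATE) and reports whether ForceAuthn is set. The AuthnRequest text and the example.invalid hostnames are constructed for the demonstration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest (not captured from a real gateway).
SAMPLE_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.invalid/saml2" '
    'AssertionConsumerServiceURL="https://vpn.example.invalid/saml/acs" '
    'ForceAuthn="true">'
    '<saml:Issuer>https://vpn.example.invalid/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_saml_request(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode("ascii")


def decode_redirect_saml_request(encoded: str) -> str:
    """Reverse of the above: base64 -> raw DEFLATE -> XML text."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def force_authn_requested(xml_text: str) -> bool:
    """True only if the SP explicitly asked the IdP to re-authenticate (attribute absent means false)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def force_authn_from_redirect_url(url: str) -> bool:
    """Inspect the SAMLRequest query parameter of an IdP redirect URL (e.g. from a proxy or browser log)."""
    encoded = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return force_authn_requested(decode_redirect_saml_request(encoded))


def set_force_authn(xml_text: str, value: bool) -> str:
    """Rewrite the attribute on a request; used here to show both the forced and the SSO-friendly form."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    root = ET.fromstring(xml_text)
    root.set("ForceAuthn", "true" if value else "false")
    return ET.tostring(root, encoding="unicode")
```

Whether the IdP honours the attribute is the IdP's decision, so the thread's advice to configure ForceAuthn on the Azure AD side still applies; this only verifies the request the gateway sends.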
Realeboga_Mashi
Contributor

Hi @PhoneBoy , are you saying that it is possible to request the 2nd-Factor each time the RA VPN session is terminated?

My current challenge is that with Azure MFA set, when a VPN session is terminated and shortly re-established, the user is not prompted for the 2nd factor. This is not ideal for my organization. The requirement is that each RA VPN session, on termination and re-establishment, must do the complete authentication plus 2nd-factor authentication.

I have checked with my Azure admin: the minimum token validity duration is 60 minutes before the token expires. This doesn't meet the design requirements, as this is too long a period of validity.

PhoneBoy
Admin

If you want to force the full authentication flow each time, that can be done: https://community.checkpoint.com/t5/Remote-Access-VPN/Azure-SAML-Auth-forceAuthn-true/m-p/181467#M91...

Realeboga_Mashi
Contributor

Thank you, I have made the suggested changes and so far so good: each time a VPN session is ended, even within a minute of attempting login, the user is authenticated with both factors. I am happy with the solution.
