
Solution ID: sk172909 Technical Level: Advanced


SAML authentication in Remote Access VPN clients


Product
Endpoint Security VPN, Quantum Security Management

Version
R80.40, R81, R81.10, R81.20

Last Modified
2023-09-19

Solution
Overview

This article describes the configuration of SAML (Security Assertion Markup Language) for Remote Access VPN (Endpoint Security Client on Windows
OS and macOS).

SAML support provides a Multi-Factor Authentication method defined by the policy of the Identity Provider. Authorization is based on groups defined in the
Identity Provider, or groups defined in an on-premises Active Directory/LDAP.


SAML for Remote Access VPN supports Check Point Mobile for Windows.

Important - SAML for Remote Access VPN does not support:

Quantum Spark appliances with Gaia Embedded OS

Capsule VPN / Capsule Connect / Capsule for Windows / Capsule Workspace

For the list of the limitations, see the Remote Access VPN Administration Guide for the version of the Management Server.

Requirements

1. Check Point Endpoint Security Client:

Endpoint Security Client for Windows - version E84.70 build 986102705 or higher

Endpoint Security Client for macOS - version E85.30 or higher

2. Check Point Security Gateway:

For Gateway mode:

Check Point Quantum R81.20 (Titan)

R81.10 with the R81.10 Jumbo Hotfix Accumulator, Take 9 or higher

R81 with the R81 Jumbo Hotfix Accumulator, Take 42 or higher

R80.40 with the R80.40 Jumbo Hotfix Accumulator, Take 114 or higher

For VSX mode:

Check Point Quantum R81.20 (Titan)

R81.10 with the R81.10 Jumbo Hotfix Accumulator, Take 9 or higher

R81 with the R81 Jumbo Hotfix Accumulator, Take 42 or higher


R80.40 with the R80.40 Jumbo Hotfix Accumulator, Take 119 or higher

For Maestro Gateways:

Check Point Quantum R81.20 (Titan) (With R81.20 Management Server)

3. Check Point Security Management or Multi-Domain Server:

Check Point Quantum R81.20 (Titan)

R81.10 with the R81.10 Jumbo Hotfix Accumulator, Take 9 or higher

R81 with the R81 Jumbo Hotfix Accumulator, Take 42 or higher

R80.40 with the R80.40 Jumbo Hotfix Accumulator, Take 114 or higher

4. SmartConsole:

Check Point Quantum R81.20 (Titan)

R81.10 SmartConsole Release - Build 400 or higher

R81 SmartConsole Release - Build 553 or higher

R80.40 SmartConsole Release - Build 423 or higher

5. Script to Add SAML

1. Run the script on Management Server:

If using Smart-1 Cloud, contact Check Point Support to have the feature enabled on your Tenant, and provide the Tenant ID.

2. The Download link is found here or in Remote Access Admin guides.

Management Version      Target Gateway Version      Script Needed?
R81.20                  R81.20                      Integrated
R81.20                  R81.10, R81, R80.40         Yes
R81.10, R81, R80.40     R81.10, R81, R80.40         Yes

Installation and Configuration

For the detailed procedure, see the Remote Access VPN Administration Guide for the version of the Management Server > chapter "SAML Support for
Remote Access VPN".

Notes:

Download the Script to Allow Remote Access VPN for Security Gateways R80.40 and higher and run it on the Management Server. See the Remote
Access VPN Administration Guide for the version of the Management Server > chapter "SAML Support for Remote Access VPN" > section
"Configure the Identity Provider as an Authentication Method".

For the Azure AD Identity Provider, we recommend that you watch the "Overview and configuration of SAML for a VPN Remote Access solution".

If it is necessary to use the same Identity Provider for multiple Software Blades (Mobile Access, Remote Access, Identity Awareness) on an R80.40
Security Gateway, then you must install the R80.40 Jumbo Hotfix Accumulator Take 119 or higher.

If you are implementing SAML for different gateways, you need a separate Identity Provider object per gateway, per service (Remote Access, Mobile Access,
Identity Awareness).

Troubleshooting Notes for initial configuration:


Case 1: Remote access service does not appear in the Identity Provider object

Symptom

Remote Access service does not appear in the Identity Provider object.

IDP object is not selectable for the Remote Access gateway.

Cause
SAML for Remote Access VPN was not implemented correctly.

Solution

1. Make sure the versions / Jumbo Hotfix Accumulator takes of the Management Server and Security Gateways support SAML for Remote Access
VPN. For more information, see the Remote Access VPN Administration Guide for the version of the Management Server > chapter "SAML Support
for Remote Access VPN" > heading "Requirements".

2. If the version of at least one Security Gateway is R81.10 or lower, you must run a script on the Management Server to use the feature. For more
information, see the Remote Access VPN Administration Guide for the version of the Management Server > chapter "SAML Support for Remote
Access VPN" > heading "Configure the Identity Provider as an Authentication Method".

3. Make sure the version of SmartConsole is up to date.

4. When creating the Identity Provider object, if "Remote Access" is not available as a service option:

a. Verify the URL in the SAML portal settings in the gateway object.

i. If using a third-party certificate, the URL must match the certificate FQDN.

ii. If using the default Check Point certificate, use https://<gateway-IP>/saml-vpn.

iii. Note: the SAML portal settings URL must correspond to the external interface set in IPsec Link Selection.

b. If the "Remote Access" service is not in the IDP object, verify that the gateway is in the RA community and selected in the IDP object.

5. If steps 1-4 are verified correctly and the Remote Access service still does not appear, run Install Database on the Management Server.
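The URL check in step 4a is easy to get wrong by hand (wildcard names, IP-based URLs for the default certificate, a missing /saml-vpn path), so here is a small Python check for it. This is an added example, not code from the article or from Check Point: the function names, the external interface address and the certificate dict are assumptions, and the certificate is a constructed sample in the dict shape that ssl.SSLSocket.getpeercert() returns, not a real gateway certificate.

```python
"""
Added example (not part of the Check Point article or product code): checks that
the SAML portal URL set on the gateway object is consistent with the certificate
the gateway presents, following step 4a of Case 1. Certificate data is passed in
the dict shape returned by ssl.SSLSocket.getpeercert(); the sample certificate
and addresses below are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

SAML_VPN_PATH = "/saml-vpn"  # portal path used by the Remote Access SAML flow


def cert_names(cert):
    """Return (dns_names, ip_names) from a getpeercert()-style dict.
    Subject Alternative Names win; the subject CN is used only if there is no SAN."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips


def dns_matches(pattern, host):
    """Hostname match in the spirit of RFC 6125: exact match, or a single
    leading '*.' label that matches exactly one host label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    labels = host.split(".")
    # The wildcard covers exactly one label and must leave at least two behind it
    return len(labels) >= 3 and "." in suffix and ".".join(labels[1:]) == suffix


def check_saml_portal_url(url, cert, external_ip, default_cert=False):
    """Return (ok, reason) for the SAML portal URL.
    - The URL must be https and end with /saml-vpn.
    - Default gateway certificate: the host must be the external interface IP
      from IPsec Link Selection, i.e. https://<gateway-IP>/saml-vpn.
    - Third-party certificate: the host must match a name in the certificate."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False, "SAML portal URL must use https"
    if parts.path.rstrip("/") != SAML_VPN_PATH:
        return False, f"path should be {SAML_VPN_PATH}, got {parts.path!r}"
    if default_cert:
        if host == external_ip:
            return True, "default certificate: URL uses the external gateway IP"
        return False, f"default certificate: expected https://{external_ip}{SAML_VPN_PATH}"
    dns, ips = cert_names(cert)
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    if host_is_ip:
        if host in ips:
            return True, f"IP {host} is listed in the certificate SAN"
        return False, f"IP {host} is not in the certificate SAN {ips}"
    if any(dns_matches(p, host) for p in dns):
        return True, f"host {host} matches a certificate name"
    return False, f"host {host} does not match certificate names {dns}"


# Constructed sample, shaped like ssl.getpeercert() output (not a real certificate)
THIRD_PARTY_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.ra.example.com")),
}
EXTERNAL_IP = "203.0.113.10"  # constructed external interface address

if __name__ == "__main__":
    cases = [
        ("https://vpn.example.com/saml-vpn", THIRD_PARTY_CERT, False),
        ("https://203.0.113.10/saml-vpn", THIRD_PARTY_CERT, False),
        ("https://203.0.113.10/saml-vpn", {}, True),
        ("https://vpn.example.com/saml-vpn", {}, True),
    ]
    for url, cert, dflt in cases:
        print(url, check_saml_portal_url(url, cert, EXTERNAL_IP, default_cert=dflt))
```

To run it against a live gateway, replace THIRD_PARTY_CERT with the result of `ssl.create_default_context().wrap_socket(...).getpeercert()` for the portal host; the function only inspects the names, so a mismatch points at either the URL in the gateway object or the certificate installed on the portal.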

Case 2: Policy installation fails when an Authentication method is defined with an Identity Provider

Symptoms

Policy installation fails when an Authentication method is defined with an Identity Provider.

This error message appears: "VPN Clients -> Settings section cannot contain multiple login option object that uses an identity provider as an
authentication method. R81 and below gateways are not supported with identity providers for VPN Clients Authentication. Please refer to SK172909".
Cause

The SAML Authentication feature was not enabled on the Management Server for managed gateways running R81.10 or lower.
Run the script from section "Requirements", step "5. Script to Add SAML", on the Management Server.

Solution

Run the required script on the Management Server. For more information, see the Remote Access VPN Administration Guide for the
version of the Management Server > chapter "SAML Support for Remote Access VPN" > heading "Configure the Identity Provider as an
Authentication Method".

If this is a Smart-1 Cloud environment, contact Check Point Support to run the script on your Smart-1 Cloud Tenant.

For faster resolution, please provide your Tenant ID when you open a case.

Article Properties
Access Level
Advanced

Date Created
2021-04-05

Last Modified
2023-09-19
©1994-2023 Check Point Software Technologies Ltd. All rights reserved.