Check Point Gateway Identity Awareness - SAML My Page SSO Configuration for Cloud Authentication Service - RSA Ready Implementation Guide

This section describes how to integrate Check Point Gateway Identity Awareness with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.

Procedure

  1. Access the RSA Cloud Admin Console > Access > My Page > Single Sign-On (SSO) and enable My Page SSO.
  2. Ensure that My Page SSO is enabled and protected using two-factor authentication:
    1. Password.
    2. Access Policy.
  3. Go to the Applications > Application Catalog page and click Create From Template.
  4. Select SAML Direct.
  5. On the Basic Information page, enter a name for the configuration in the Name field and click Next Step.
  6. In the Connection Profile section, click the SP-initiated option.

Note: Connection URL: the Identity Awareness portal URL obtained from Check Point, usually in the format https://<hostname or IP address>/connect

  7. Enter the following Service Provider details:
    1. ACS URL: refer to the Check Point configuration section to obtain this value.
    2. Service Provider Entity ID: refer to the Check Point configuration section to obtain this value.
  8. In the SAML Response Protection section, select IdP signs assertion within response.
  9. Click Download Certificate.
  10. Select Show Connection Profile Advanced Configuration and, in the User Identity section, configure Identifier Type and Property as follows:
    1. Identifier Type – Auto Detect
    2. Property – Auto Detect
  11. Click Next Step.
  12. Choose the required Access Policy for this application and click Next Step > Save and Finish.
  13. On the My Applications page, click the Edit dropdown and select the Metadata option to download the metadata.
  14. Click Publish Changes to enable your application for SSO.

Configuration is complete.

Configure Check Point Identity Awareness

Perform these steps to configure Check Point Identity Awareness.

Procedure

  1. Log in to the Check Point SmartConsole desktop application with admin credentials.
  2. From the left pane, go to the Gateways & Servers tab.
  3. Double-click the required deployed Check Point Gateway.
  4. In the General Properties of the gateway, ensure that Identity Awareness is enabled.

Note: If Identity Awareness is not enabled, follow the prompt to enable the service. During this process the Identity Awareness portal URL is configured; end users are redirected to it when Identity Awareness is triggered by the configured policies.

  5. In the Gateways & Servers tab, click New > More > User/Identity > Identity Provider.
  6. In the New Identity Provider window, choose a name for the RSA identity provider.
  7. Select the relevant Check Point Gateway from the Gateway dropdown list.
  8. Select Identity Awareness from the Service dropdown list.
  9. Copy the Entity ID and paste it in the Service Provider Entity ID field in the RSA configuration.
  10. Copy the Reply URL and paste it in the ACS URL field in the RSA configuration.
  11. Choose Import Metadata file.
  12. Browse to the metadata file downloaded from RSA; the remaining fields are populated automatically.
  13. In SmartConsole, click the Gateways & Servers panel.
  14. Open the Security Gateway object. From the left pane, click Identity Awareness, enable Browser-Based Authentication and choose Settings.
  15. In the Access Settings, choose how end users will access this portal from the following options:
    1. All interfaces
    2. Internal interfaces
    3. Firewall policy
  16. In the Authentication Settings section, choose Identity Provider and click the green [+] button.
  17. Select the SAML Identity Provider object configured previously and click OK.
  18. In the User Directories section, configure the following user directory options:
    1. Internal users: in this configuration, the users authenticated against RSA must exist locally on the Check Point SmartConsole for authentication.
    2. LDAP users: in this configuration, the users authenticated against RSA must exist on a remote Active Directory server. Check Point must be configured to connect to it successfully to fetch the users according to the LDAP lookup for authentication.

Note: You must select the LDAP Lookup Type as mail.

    3. External user profiles: this configuration relies on users existing outside of Check Point and LDAP. However, you must create an external user profile to authenticate users correctly.
  19. In SmartConsole, click Publish.
  20. Select the applicable policy and choose Access Control.
  21. Click Install to apply the policy.

The configuration is complete.
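As an added sanity check (example code, not part of the RSA or Check Point guide), the script below parses an IdP metadata file of the kind downloaded from RSA and extracts the fields Check Point fills in on import, then checks that a SAML Response is addressed to the configured ACS URL, comes from the configured IdP entity ID, and carries its signature inside the Assertion, which is the shape the "IdP signs assertion within response" setting produces. It does not verify XML signatures cryptographically; all hostnames, URLs and the certificate value are constructed placeholders, not real RSA or Check Point values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the metadata file downloaded from RSA (My Applications > Edit > Metadata).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...constructed placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response: the IdP signature sits inside the Assertion, as the
# "IdP signs assertion within response" option produces. Destination is the SP's (constructed) ACS URL.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://gw.example.test/connect/saml/acs">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Assertion><saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def parse_idp_metadata(xml_text):
    """Extract the fields Check Point auto-populates when the metadata file is imported."""
    root = ET.fromstring(xml_text)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    sso = root.find(".//md:SingleSignOnService", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "has_signing_cert": cert is not None and bool((cert.text or "").strip())}

def check_response(xml_text, expected_acs_url, expected_issuer):
    """Structural checks only (no cryptographic verification): is the response addressed to
    our ACS URL, issued by the configured IdP, and does the Assertion carry its own Signature?"""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    assertion = root.find("saml:Assertion", NS)
    return {"destination_ok": root.get("Destination") == expected_acs_url,
            "issuer_ok": issuer is not None and issuer.text == expected_issuer,
            "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None}
```

A response whose signature is only on the outer Response element, or whose Destination is not the gateway's Reply URL, fails these checks and should be investigated before the LDAP lookup type or access policy is suspected.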