Check Point Gateway Identity Awareness- SAML Relying Party Configuration for Cloud Authentication Service - RSA Ready Implementation Guide

This section describes how to integrate Check Point Gateway Identity Awareness with RSA Cloud Authentication Service using SAML Relying Party.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service.

Procedure

  1. Sign in to the RSA Cloud Administration Console.
  2. Go to the Authentication Clients menu and select Relying Parties.
  3. In the Relying Party Catalog, select Add a Relying Party.
  4. Click Add for Service Provider SAML.
  5. On the Basic Information page, enter the name for the application in the Name field and click Next Step.
  6. In the Authentication tab, select SecurID manages all authentication.
  7. Select a Primary Authentication Method and Access Policy as required and click Next Step.
  8. In the Connection Profile section, go to Service Provider and enter the following details:
    1. ACS URL: obtain this value from the Check Point configuration section (the Reply URL of the Identity Provider object).
    2. Service Provider Entity ID: obtain this value from the Check Point configuration section (the Entity ID of the Identity Provider object).
  9. In the SAML Response Protection section, select IdP signs assertion within response.
  10. Click Download Certificate.
  11. Select Show Advanced Configuration. Under the User Identity section, configure Identifier Type and Property as in the following example:
    1. Identifier Type > Auto Detect
    2. Property > Auto Detect
  12. Click Save and Finish.
  13. On the My Relying Parties page, click Edit.
  14. Select the Metadata option to download the metadata.
  15. Click Publish Changes to enable your application for SSO.

Configuration is complete. 


Configure Check Point Identity Awareness

Perform these steps to configure Check Point Identity Awareness.

Procedure

  1. Log in to the Check Point SmartConsole desktop application with admin credentials.
  2. From the left pane, go to the Gateways & Servers tab.
  3. Double-click the required deployed Check Point Gateway.
  4. In the General Properties of the gateway, ensure that Identity Awareness is enabled.

Note: If Identity Awareness is not enabled, follow the prompt to enable the service. During this process, the Identity Awareness portal URL is configured, and end users are redirected to it when Identity Awareness is triggered by the configured policies.

  5. In the Gateways & Servers tab, click New > More > User/Identity > Identity Provider.
  6. In the New Identity Provider window, choose a name for the RSA identity provider.
  7. Select the relevant Check Point Gateway from the Gateway dropdown list.
  8. Select Identity Awareness from the Service dropdown list.
  9. Copy the Entity ID and paste it in the Service Provider Entity ID field in the RSA configuration.
  10. Copy the Reply URL and paste it in the ACS URL field in the RSA configuration.
  11. Choose Import Metadata file.
  12. Browse to the metadata file downloaded from RSA; the remaining fields are populated automatically.
  13. In SmartConsole, click the Gateways & Servers panel.
  14. Open the Security Gateway object. From the left pane, click Identity Awareness, enable Browser-Based Authentication and choose Settings.
  15. In Access Settings, choose how end users will access this portal from the following options:
    1. All interfaces
    2. Internal interfaces
    3. Firewall policy
  16. In the Authentication Settings section, choose Identity Provider and click the green [+] button.
  17. Select the SAML Identity Provider object configured previously and click OK.
  18. In the User Directories section, choose where the users authenticated by RSA are looked up:
    1. Internal users: In this configuration, the users authenticated against RSA must exist locally in Check Point SmartConsole for authentication to succeed.
    2. LDAP users: In this configuration, the users authenticated against RSA must exist on a remote Active Directory server. Check Point must be configured to connect to it successfully so that it can fetch the users through the LDAP lookup for authentication.

Note: You must select the LDAP Lookup Type as mail.

    3. External user profiles: This relies on users existing outside of Check Point and LDAP, but you must create an external user generic profile to be able to authenticate correctly.
  19. In SmartConsole, click Publish.
  20. Select the applicable policy and choose Access Control.
  21. Click Install to apply the policy.

The configuration is complete.
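As an added check that is not part of this guide or of either vendor's product, the following Python script parses a SAML response (a constructed sample is embedded) and confirms it matches the settings made above: the assertion is signed within the response, the Audience equals the Check Point Entity ID and the Recipient equals the Reply URL that was entered as the ACS URL. The example.test URLs and the signature value are placeholders, not real Check Point or RSA values.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 and XML-DSig namespaces used in the response
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_saml_response(xml_text, sp_entity_id, acs_url):
    """Return mismatches between a SAML Response and the SP values from the guide.

    Structural checks only (signature within the response, Audience == Entity ID,
    Recipient == Reply URL/ACS URL, NameID present for the mail LDAP lookup);
    cryptographic verification of the signature is left to the gateway.
    """
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain Assertion element in the response"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed within the response")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} != SP Entity ID {sp_entity_id!r}")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} != ACS URL {acs_url!r}")
    if not assertion.findtext("saml:Subject/saml:NameID", "", NS):
        problems.append("NameID missing; the mail-based LDAP lookup cannot match")
    return problems

# Constructed sample response: example.test URLs are placeholders, not real
# Check Point or RSA values, and the signature value is not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://gw.example.test/acs"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://gw.example.test/sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
```

Run `check_saml_response(SAMPLE_RESPONSE, "https://gw.example.test/sp", "https://gw.example.test/acs")` against a response captured from the browser (the Base64-decoded SAMLResponse form field) and an empty list means the values line up with the Identity Provider object.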