Check Point Gateway Mobile Access Portal - SAML My Page SSO Configuration for Cloud Authentication Service - RSA Ready Implementation Guide

This section describes how to integrate the Check Point Mobile Access portal with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.

Procedure

  1. Access the RSA Cloud Admin Console, go to Access > My Page > Single Sign-On (SSO), and enable My Page SSO.
  2. Ensure that My Page SSO is enabled and protected with the following two-factor authentication:
    1. Password.
    2. Access Policy.
  3. Go to Applications > Application Catalog and click Create From Template.
  4. Select SAML Direct.
  5. On the Basic Information page, enter a name for the configuration in the Name field and click Next Step.
  6. In the Connection Profile section, select the IdP-initiated option.
  7. Provide the Service Provider details:
    1. ACS URL: refer to the Check Point configuration section below to obtain this value (the gateway's Reply URL).
    2. Service Provider Entity ID: refer to the Check Point configuration section below to obtain this value.
  8. In the SAML Response Protection section, select IdP signs assertion within response, then click Download Certificate to download the IdP signing certificate.
  9. Select Show Connection Profile Advanced Configuration and, under the User Identity section, configure Identifier Type and Property as:
    1. Identifier Type – Auto Detect
    2. Property – Auto Detect
  10. Click Next Step.
  11. Choose the required Access Policy for this application and click Next Step > Save and Finish.
  12. On the My Applications page, open the Edit dropdown and select Metadata to download the application metadata.
  13. Click Publish Changes. After publishing, the application is enabled for SSO.

The configuration is complete.


Configure Check Point Mobile Access portal

Perform these steps to configure Check Point Mobile Access Portal.

Procedure

  1. Log in to the Check Point SmartConsole desktop application with administrator credentials.
  2. From the left pane, go to the Gateways & Servers tab.
  3. Double-click the required deployed Check Point Gateway.
  4. In the General Properties of the gateway, ensure that the Mobile Access service is enabled.

Note: If the Mobile Access service is not enabled, follow the prompt to enable it. During this process the Mobile Access portal URL is configured; end users will use this URL to log in to the portal.

  5. In the Gateways & Servers tab, click New > More > User/Identity > Identity Provider.
  6. In the New Identity Provider window, enter a name for the RSA identity provider.
  7. Select the relevant Check Point Gateway from the Gateway dropdown list.
  8. Select Mobile Access from the Service dropdown list.
  9. Copy the Entity ID and paste it into the Service Provider Entity ID field in the RSA configuration.
  10. Copy the Reply URL and paste it into the ACS URL field in the RSA configuration.
  11. Choose Import Metadata file.
  12. Browse to the metadata file downloaded from RSA; the remaining fields are populated automatically from it.
  13. In SmartConsole, click the Gateways & Servers panel.
    1. Open the Security Gateway object.
    2. From the left pane, click Mobile Access > Authentication.
    3. In the Multiple Authentication Client Settings section, click Add to add a new Realm object.
    4. On the Login Option pane, in the Usage in Gateway section, clear the Use in Capsule Workspace check box.
    5. On the Login Option pane, in the Authentication Method section, click Add.
    6. Select Identity Provider.
    7. Click the green [+] button and select the SAML Identity Provider object. Click OK.
  14. In the Compatibility with Older Clients section, disable Allow older clients to connect to this gateway with Authentication Method listed as Username and password.

Note: Follow the step above to enforce RSA authentication only; the username-and-password authentication option will then no longer be available at login.

  15. In SmartConsole, click Publish.
  16. Select the applicable policy and choose Access Control.
  17. Click Install to apply the policy.

The configuration is complete.
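Before the metadata exported from RSA is imported into the gateway's Identity Provider object, it is worth confirming that the file is IdP metadata and that it advertises the same signing certificate downloaded from the SAML Response Protection page, since that certificate is what the gateway will use to verify the signed assertion. The following Python check is an added example, not part of this guide or of either vendor's tooling; the entity ID, endpoint and certificate body it embeds are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used in IdP metadata documents.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _normalize_cert(text):
    """Strip PEM armor and whitespace so two copies of a cert compare as plain base64."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text or "")
    return "".join(body.split())

def check_idp_metadata(metadata_xml, downloaded_cert_pem):
    """Summarize IdP metadata and confirm the downloaded signing cert is the one it advertises."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata by mistake?)")
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    signing_certs = [_normalize_cert(c.text)
                     for kd in idp.findall("md:KeyDescriptor", NS)
                     if kd.get("use", "signing") == "signing"
                     for c in kd.findall(".//ds:X509Certificate", NS)]
    # Map the binding's short name (e.g. HTTP-POST) to the SSO endpoint the gateway will use.
    sso_urls = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "sso_urls": sso_urls,
            "signing_cert_count": len(signing_certs),
            "cert_matches_metadata": _normalize_cert(downloaded_cert_pem) in signing_certs}

# Constructed sample IdP metadata and certificate (placeholders, not real RSA output).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCERT\nBODY==\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBplaceholderCERT
        BODY==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA, SAMPLE_CERT))
```

Run it against the real metadata file and the downloaded certificate; a `cert_matches_metadata` of False means the gateway would be importing a trust anchor other than the one RSA is signing with, and the export should be repeated before publishing the policy.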