SecurID® Integrations
Certified: December 05, 2022
Solution Summary
This section describes Check Point Security Gateway integration with RSA SecurID (or ID Plus). Use this information to determine which use case and integration type your deployment will employ.
Use Case
Check Point Security Gateway can be integrated with RSA SecurID to provide RSA SecurID Authentication using SAML/ Native SecurID Agent integration/RADIUS.
Integration Types
RADIUS integrations provide a text-driven interface for RSA SecurID Access within the partner application. RADIUS provides support for most RSA SecurID Access authentication methods and flows.
SSO integrations use SAML 2.0 to direct users’ web browsers to Cloud Authentication Service for authentication. SSO provides Single Sign-On using the IDR My Applications/My Page Portal.
Relying party integrations use SAML 2.0 to direct users’ web browsers to Cloud Authentication Service for authentication. Primary authentication is configurable, so relying party can be a good choice for adding additional authentication (only) to existing deployments.
Authentication Agent integrations use an embedded RSA agent to provide RSA SecurID and Authenticate OTP authentication methods within the partner’s application. Authentication agents are simple to configure and support the highest rate of authentications.
Supported Features
This section shows all the supported features by integration type and by RSA components. Use this information to determine which integration type and which RSA component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA with Check Point Gateway R81.10 using each integration type.
Check Point Gateway R81.10 Integration with RSA Cloud Authentication Service
|
Authentication Methods |
RSA MFA API (REST) |
RADIUS |
Relying Party |
SSO |
|
RSA SecurID |
- |
|
 |
|
|
LDAP Password |
- |
|
|
|
|
Authenticate Approve |
- |
|
|
|
|
Authenticate OTP |
- |
|
|
|
|
Device Biometrics |
- |
|
|
|
|
SMS OTP |
- |
|
|
|
|
Voice OTP |
- |
|
|
|
|
FIDO Security Key |
n/a |
- |
|
|
Check Point Gateway R81.10 Integration with RSA Authentication Manager
|
Authentication Methods |
RSA MFA API (REST) |
RADIUS |
Authentication Agent |
|
RSA SecurID |
- |
|
|
|
On Demand Authentication |
- |
|
|
|
Risk Based Authentication |
- |
- |
- |
|
Supported |
| - | Not supported |
| n/t | Not yet tested or documented, but may be possible |
| n/a | Not applicable |
Configuration Summary
This section contains instruction steps that show how to integrate Check Point Gateway R81.10 with RSA SecurID using all of the integration types.
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
All RSA SecurID and Check Point Gateway R81.10 components must be installed and working prior to the integration.
All of the supported use cases of RSA SecurID Access with Check Point Security Gateway require both server-side and client-side configuration changes. This section of the guide includes links to the appropriate sections for configuring both sides for each use case.
Integration Configuration
RSA Cloud Authentication Service
Client VPN
Mobile Access VPN
Identity Awareness
RSA Authentication Manager
Client VPN
Mobile Access VPN
Identity Awareness
References
- SecurID Native End User Options
- Generic User Creation
- User Directories Configuration
- Check Point Remote Access Client VPN Sample Configuration
- sk172909 Article Steps
- Login Screenshots
RSA Terminology Changes
The following table describes the differences in the terminologies used in the different versions of RSA products and components.
|
Previous Version |
New Version |
Examples/Comments |
|---|---|---|
| Company ID | Organization ID | |
| Account | Credential | |
| Token | OTP Credential |
SecurID OTP Credential |
| Tokencode | OTP/Access Code |
SecurID OTP, SMS OTP, Voice OTP Emergency Access Code, Disable Access Code |
| Hardware Token | Hardware Authenticator | |
| Device Serial Number | Binding ID | |
| Device | Credential/Authenticator | |
| Device Registration Code | Registration Code | |
| Authenticate App | Authenticator App |
Known Issues
SecurID Protocol Next Token Code Mode Issue
Important: This release does not enforce authentication after a new PIN is set via Native SecurID. This issue does not apply to RADIUS.
Therefore, the On Demand Authentication via Native SecurID when in New PIN mode will authenticate a user without the user ever entering a token code. This is effectively a single factor authentication. This is not an issue once the user sets the PIN.
Remote Access VPN SSO Issue
VPN Client authentication using SAML My Page SSO and SAML IDR SSO do not support SSO yet. When users are disconnected, they will be reauthenticated regardless of the session timeout of the portal. Check Point is expected to support it soon.
Remote Access VPN FIDO Authentications Issue
The embedded browser of Check Point Client VPN does not support FIDO authentications. As per documentations of Check Point Client VPN, it can use Internet Explorer instead of the embedded browser by editing the trac.defaults file, but it does not support FIDO either.
Node Secret Removal
Gaia Platform
- Log on to the GAIA CLI console and enable expert mode.
- Change directory to /var/ace.
- Delete the file securid, rm securid.
- Stop the Check Point services, cpstop.
- Start the Check Point services, cpstart.
Certification Details
RSA Authentication Manager 8.7 Patch 1, Virtual Appliance or later
RSA Authentication Software Token 5.0.3.712 Windows 10 64 bit or later
RSA Software Token Automation Software 5.0.3.712 or later
Check Point, R81.10, GAIA OS Virtual Appliance
Check Point SmartConsole, R81.10
Check Point, Endpoint Security Client E86.50, Windows 10
RSA Ready certification by Mahmoud Dawoud
