Integration of Checkpoint Client VPN with AWS Identity Center SAML

Hello,

I have followed the procedure in the following link to create the application in the Identity Center: https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html

I have also followed a similar procedure to integrate it with the Checkpoint VPN: https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/

Regarding Checkpoint, I have used the following procedure: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/SAML-Support-for-Remote-Access-VPN.htm

Specifically, I don't understand step 6 mentioned by Checkpoint, which involves Checkpoint accessing the user database in the Identity Center through that connection. The excerpt from step 6 is as follows:

Step 6: Configure the Group Authorization

Authorization is for these types of groups:

Identity Provider groups: The groups sent by the Identity Provider.
Internal groups: The groups received from User Directories configured in SmartConsole.

To configure the Identity Provider groups:

In the Identity Provider interface, configure roles.
In the Identity Provider interface, configure a SAML claim on the Identity Provider.
In SmartConsole, create an internal User Group object with this name (case-sensitive): EXT_ID_<Name_of_Role>. For example, for a role in the Identity Provider's interface with the name "my_group", create an internal User Group object in SmartConsole with the name "EXT_ID_my_group".

Note: Identity Tags are not supported for Remote Access connections.

Identity Provider groups and Internal groups (e.g., LDAP) are used for authorization.

Authorization types:

Remote Access VPN Community: Grants users access to Remote Access VPN.
Access Roles (requires the Identity Awareness Software Blade): Grants access to users according to policy rules and user identities.

To apply authorization by Remote Access VPN, add the applicable group to the Remote Access VPN.

To apply authorization by Access Roles, add the applicable group to an Access Role in the Access Control Policy.

The purpose of this configuration is to allow users connecting to the Checkpoint client VPN to log in with users from the Identity Center and use two-factor authentication to connect to the VPN.

Could you please assist me with this?

Thank you very much.

Kind regards.
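The quoted step 6 turns on one detail: the group names sent in the SAML claim must match SmartConsole User Group objects named EXT_ID_<name>, and the match is case-sensitive. The following added example (not from the poster, Check Point or AWS) pulls the group values out of a constructed assertion fragment and reports which EXT_ID_ groups match exactly, which differ only by case, and which are absent; the claim name "groups" and the sample group names are assumptions, since the page does not state the attribute name configured in Identity Center.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not a real Identity Center response);
# the attribute name "groups" is a hypothetical claim name chosen for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>vpn_users</saml:AttributeValue>
      <saml:AttributeValue>VPN_Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_group_claims(assertion_xml, claim_name="groups"):
    """Return the values of the named group claim from an assertion, in order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != claim_name:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def check_group_mapping(claims, smartconsole_groups):
    """Compare claim values with the EXT_ID_<name> User Group objects.

    Returns (matched, case_mismatch, missing). Only exact matches authorize
    the user; case-only differences are listed separately because they fail.
    """
    lower_map = {g.lower(): g for g in smartconsole_groups}
    matched, case_mismatch, missing = [], [], []
    for claim in claims:
        wanted = "EXT_ID_" + claim
        if wanted in smartconsole_groups:
            matched.append(wanted)
        elif wanted.lower() in lower_map:
            case_mismatch.append((wanted, lower_map[wanted.lower()]))
        else:
            missing.append(wanted)
    return matched, case_mismatch, missing


if __name__ == "__main__":
    groups = extract_group_claims(SAMPLE_ASSERTION)
    print(check_group_mapping(groups, {"EXT_ID_vpn_users", "EXT_ID_vpn_admins"}))
```

Running it against the names of the User Group objects actually created in SmartConsole shows at a glance whether a user's claim values will be authorized, and a case-only mismatch points to the object that must be renamed.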

No Answers
