CloudGuard SaaS: How to configure AD FS Relying Party Trust
Solution

Table of Contents:

  • Introduction
  • Prerequisites
  • Configuration
    • Connect CloudGuard to AD FS for Single Sign-On (SSO) (Windows Server 2012 R2)
    • Additional Configuration Required for Relying Party Trust (Windows Server 2012 R2)
    • Connect CloudGuard to AD FS for Single Sign-On (SSO) (Windows Server 2016)
    • Additional Configuration Required for Relying Party Trust (Windows Server 2016)

Introduction

This page describes the step-by-step process of adding CloudGuard as a Relying Party Trust in AD FS, on Windows Server 2012 R2 and on Windows Server 2016.

Prerequisites

  • An instance of AD FS 3.0 (Windows Server 2012 R2) or AD FS 4.0 (Windows Server 2016)
  • An AD FS SAML endpoint that is reachable over HTTPS from the devices that need to authenticate

Configuration

Connect CloudGuard to AD FS for Single Sign-On (SSO) (Windows Server 2012 R2)

  1. Open the AD FS Management Console.
  2. Navigate to the following: 'AD FS > Trust Relationships > Relying Party Trusts'.

  3. On the right-hand side, select "Add Relying Party Trust…"

  4. This will take you to the Add Relying Party Trust Wizard. Click "Start".
  5. Select "Enter data about the relying party manually", and click "Next".

  6. Fill in the following, then click "Next":
    • In "Display name", enter: Check Point CloudGuard SSO
    • In "Notes", enter: This is the relying party trust for Check Point CloudGuard single sign-on
  7. Check that AD FS profile is selected and click "Next".

  8. In the "Configure Certificate" section, do not upload a token encryption certificate, and click "Next".

  9. Select the checkbox "Enable support for the SAML 2.0 WebSSO protocol".

    • In the "Service URL" field, enter: https://ato-dev-api-gw.portal.checkpoint.com/authenticator/saml/SSO

    • Click "Next".
  10. In the "Relying party trust identifier" textbox, enter the following identifier: cloudguard.checkpoint.com (AD FS uses this value as the SAML Audience of the assertions it issues, so it must match exactly). Click "Add" and then click "Next".

  11. In the next screen, make sure that the option "I do not want to configure multi-factor authentication […]" is selected, and click "Next".

  12. Make sure that "Permit all users to access this relying party" is selected, and click "Next". (This creates a permit-all issuance authorization rule; in production you can later replace it with a rule that permits only the AD group that should sign in to CloudGuard.)

  13. In the "Ready to Add Trust" section, just click "Next".

  14. Select the option "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes", then click "Close".

  15. Next you will be taken to the "Edit Claim Rules for Check Point CloudGuard SSO" panel. From the "Issuance Transform Rules" tab, click "Add Rule..."

  16. Set the "Claim rule template" drop-down menu to "Send LDAP Attributes as Claims" and click "Next".


  17. Under Configure Claim Rule, enter the following settings:


    • Claim rule name: LDAP - User Principal Name as Name ID
    • Attribute store: Active Directory
    • LDAP Attribute: User-Principal-Name
    • Outgoing Claim Type: Name ID


      Note: If the AD user's e-mail address differs from the User Principal Name in Active Directory, choose the E-Mail-Addresses attribute instead of User-Principal-Name, so that the Name ID sent to CloudGuard matches the user's e-mail address.

  18. Click "Finish", then click "OK".

Additional Configuration Required for Relying Party Trust (Windows Server 2012 R2)

  1. Open the AD FS Management Console.
  2. Navigate to the following: 'AD FS > Trust Relationships > Relying Party Trusts'.
  3. Right-click the "Check Point CloudGuard SSO" trust and select "Properties".

  4. Select the "Signature" tab.
  5. Select the "Endpoints" tab.
    • Click "Add SAML…"

    • A form will open.

    • Enter the following settings:
      • Endpoint type: SAML Logout
      • Binding: POST
      • Trusted URL: https://ato-dev-api-gw.portal.checkpoint.com/authenticator/SingleLogout


    • Click "OK", and then "Apply".
    • Select the "Advanced" tab and make sure "Secure hash algorithm" is set to SHA-256 (do not leave it on the legacy SHA-1).
    • Click "Apply", and then "OK".

  6. That's all! Now restart the AD FS service (adfssrv) or reboot the server for the configuration to take effect.

Connect CloudGuard to AD FS for Single Sign-On (SSO) (Windows Server 2016)

  1. Open the AD FS Management Console.
  2. Navigate to the following: 'AD FS > Relying Party Trusts'.

  3. On the right-hand side, select "Add Relying Party Trust".

  4. This will take you to the "Add Relying Party Trust Wizard". Click "Start".


  5. Select "Enter data about the relying party manually", and click "Next".

  6. Fill in the following, then click "Next":
    • In "Display name", enter: Check Point CloudGuard SSO
    • In "Notes", enter: This is the relying party trust for Check Point CloudGuard single sign-on

  7. In the "Configure Certificate" section, do not upload a token encryption certificate, and click "Next".

  8. Select the checkbox "Enable support for the SAML 2.0 WebSSO protocol".


    • In the "Service URL" field, enter: https://ato-dev-api-gw.portal.checkpoint.com/authenticator/saml/SSO

    • Click "Next".
  9. In the "Relying party trust identifier" textbox, enter the following identifier: cloudguard.checkpoint.com (AD FS uses this value as the SAML Audience of the assertions it issues, so it must match exactly).
    Click "Add", then click "Next".

  10. In the "Choose Access Control Policy" step, make sure "Permit everyone" is selected. (In production you can later switch to an access control policy scoped to the AD group that should sign in to CloudGuard.)

  11. Click "Next".

  12. In the "Finish" screen, make sure that "Configure claims issuance policy for this application" is selected, and click "Close".

  13. Next you will be taken to the "Edit Claim Rules for Check Point CloudGuard SSO" panel. From the "Issuance Transform Rules" tab, click "Add Rule..."

  14. Set the "Claim rule template" drop-down menu to Send LDAP Attributes as Claims and click "Next".

  15. Under "Configure Claim Rule":


    • Fill the following settings:
      • Claim rule name: LDAP - User Principal Name as Name ID
      • Attribute store: Active Directory
      • LDAP Attribute: User-Principal-Name
      • Outgoing Claim Type: Name ID



        Note: If the AD user's e-mail address differs from the User Principal Name in Active Directory, choose the E-Mail-Addresses attribute instead of User-Principal-Name, so that the Name ID sent to CloudGuard matches the user's e-mail address.

  16. Click "Finish".


  17. Click "OK".

Additional Configuration Required for Relying Party Trust (Windows Server 2016)

  1. Open the AD FS Management Console.
  2. Navigate to the following: 'AD FS > Relying Party Trusts'.

  3. Right-click the "Check Point CloudGuard SSO" trust and select "Properties".

  4. Select the "Signature" tab.


  5. Select the "Endpoints" tab.


    • Click "Add SAML".


    • Enter the following settings:
      • Endpoint type: SAML Logout
      • Binding: POST
      • Trusted URL: https://ato-dev-api-gw.portal.checkpoint.com/authenticator/SingleLogout

      • Click "OK", and then "Apply".

  6. Select the "Advanced" tab.

    • Make sure "Secure hash algorithm" is set to SHA-256 (do not leave it on the legacy SHA-1).
    • Click "Apply", and then "OK".
  7. That's all! Now restart the AD FS service (adfssrv) or reboot the server for the configuration to take effect.

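The same trust, built with the AD FS PowerShell cmdlets instead of the wizard, as an added example that covers both the Windows Server 2012 R2 and the Windows Server 2016 walkthroughs above. This is not Check Point's own script and is not part of the original article. The display name, identifier, Service URL, logout URL and claim rule are the ones quoted in the article; the version check via Get-AdfsAccessControlPolicy (a cmdlet present only on Windows Server 2016 AD FS), the $NameIdAttribute switch for the E-Mail-Addresses case, and the verification output are assumptions of this example.

```powershell
# Added example (not from the Check Point article): creates the
# "Check Point CloudGuard SSO" relying party trust from PowerShell with the
# same settings the wizard steps above produce, then checks the result.
# Run in an elevated PowerShell on the primary AD FS server.

Import-Module ADFS

$RpName       = 'Check Point CloudGuard SSO'
$RpIdentifier = 'cloudguard.checkpoint.com'
$RpNotes      = 'This is the relying party trust for Check Point CloudGuard single sign-on'
$AcsUrl       = 'https://ato-dev-api-gw.portal.checkpoint.com/authenticator/saml/SSO'
$LogoutUrl    = 'https://ato-dev-api-gw.portal.checkpoint.com/authenticator/SingleLogout'

# Assumption of this example: set to 'mail' when the user's e-mail address
# differs from the UPN (the article's E-Mail-Addresses note).
$NameIdAttribute = 'userPrincipalName'

# SAML endpoints: the Assertion Consumer Service (wizard "Service URL")
# and the SAML Logout endpoint added under the "Endpoints" tab, both POST.
$Endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $LogoutUrl
)

# Issuance transform rule equivalent to the "Send LDAP Attributes as Claims"
# template: look up the chosen attribute in AD and emit it as the Name ID.
$TransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP - User Principal Name as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";$NameIdAttribute;{0}", param = c.Value);
"@

$Params = @{
    Name                   = $RpName
    Identifier             = $RpIdentifier
    Notes                  = $RpNotes
    ProtocolProfile        = 'SAML'          # "Enable support for the SAML 2.0 WebSSO protocol"
    SamlEndpoint           = $Endpoints
    IssuanceTransformRules = $TransformRules
    # "Advanced" tab: Secure hash algorithm = SHA-256
    SignatureAlgorithm     = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
}

# Windows Server 2016 uses access control policies ("Permit everyone");
# Windows Server 2012 R2 uses an issuance authorization rule ("Permit all users").
# Assumption: Get-AdfsAccessControlPolicy exists only on the 2016 module.
if (Get-Command Get-AdfsAccessControlPolicy -ErrorAction SilentlyContinue) {
    $Params['AccessControlPolicyName'] = 'Permit everyone'
} else {
    $Params['IssuanceAuthorizationRules'] = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
}

Add-AdfsRelyingPartyTrust @Params

# Verify before restarting: identifier, hash algorithm and both SAML endpoints.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" } } }

# Apply the configuration (the article's "restart the AD FS services" step).
Restart-Service adfssrv
```

Run it once; if a trust with that name already exists, remove it first with Remove-AdfsRelyingPartyTrust -TargetName, or change Add-AdfsRelyingPartyTrust to Set-AdfsRelyingPartyTrust. For production, replace the permit-everyone authorization with an issuance authorization rule or access control policy scoped to the AD group that should reach CloudGuard, and confirm in the verification output that SignatureAlgorithm ends in rsa-sha256 and that both the SAMLAssertionConsumer and SAMLLogout endpoints are listed.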
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
