This page describes how to configure CloudGuard SaaS to work with Microsoft AD FS as an Identity Provider and G Suite as Service Provider. After the configuration is finished, all login requests to G Suite will go through CloudGuard SaaS Authentication Service.
#1 - This procedure will impact all G Suite users in your domain; it cannot be done only for specific user groups.
#2 - The change of Identity Provider in G Suite takes effect immediately.
#3 - In case you are using the Check Point MFA Adapter plugin on AD FS (see SK123143), the procedure will indicate when it is necessary to deactivate the plugin.
#4 - Besides the configuration described in this article, you need to associate G Suite with CloudGuard SaaS in order to synchronize your users. This is done under Identity Protection\Configuration\SaaS Applications. Please consult the Identity Protection Admin Guide, section Getting Started - Initial Configuration, for more details.
Administrator privileges to Microsoft AD FS and G Suite are required for the following procedure.
Add and Configure AD FS as an Identity Provider
- Log into CloudGuard SaaS portal and go to Configuration under the module Identity Protection. Under the tab Identity Providers, click on Add Identity Provider.
- In the wizard that opens, select Microsoft Active Directory Federation Services and click Next.
- Enter your domain name, make sure the integration method selected is Authentication service, and click Next.
- Copy the Entity ID and the Reply URL to a text file and save them for later. Click Next.
- Upload your AD FS metadata XML file. It is usually available from a static URL similar to: https://domain/FederationMetadata/2007-06/FederationMetadata.xml
- Open the AD FS Management Tool of your primary AD FS server and add CloudGuard SaaS as a Relying Party Trust.
Please refer to this SK for a step-by-step process on how to add a Relying Party Trust in AD FS with the following modifications:
  - For Windows Server 2012 R2
    - In step #6, use the name CGS Authentication Service for the Relying Party Trust.
    - In step #9, select the Enable support for the SAML 2.0 WebSSO protocol checkbox. Enter the Reply URL copied from the CloudGuard SaaS portal in the Service URL field.
    - In step #10, for Relying party trust identifier, enter the Entity ID copied from the CloudGuard SaaS portal.
  - For Windows Server 2016
    - In step #6, use the name CGS Authentication Service for the Relying Party Trust.
    - In step #8, select the Enable support for the SAML 2.0 WebSSO protocol checkbox. Enter the Reply URL copied from the CloudGuard SaaS portal in the Service URL field.
    - In step #9, for Relying party trust identifier, enter the Entity ID copied from the CloudGuard SaaS portal.
- Click the CONNECT button. This will open an AD FS login form where you are prompted to enter your email address and password. After validation, you should see a Login Success message.
If an error is displayed before the credential validation stage, check the AD FS logs under Event Viewer\Applications\Service logs\AD FS\Admin.
If an error is displayed after the credential validation stage, the screen should indicate the nature of the error. If there is no detail, please contact Check Point support after verifying that the previous configuration steps were followed accurately.
- Click Finish to save your Identity Provider configuration and close the wizard.
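Before uploading the AD FS metadata XML file in the wizard, it is worth confirming that the file really is Identity Provider metadata, that its SAML 2.0 HTTP-POST sign-on endpoint is HTTPS, and that it carries a signing certificate whose fingerprint you can later compare with the AD FS token-signing certificate. The following Python script is an added example and is not part of this article or of Check Point's tooling; the host name and the certificate bytes in the embedded sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata, including the AD FS FederationMetadata.xml document.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample with the shape of AD FS metadata; host and certificate bytes are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def parse_idp_metadata(xml_text):
    """Return the IdP entityID, its SAML 2.0 SSO endpoints by binding, and signing-cert SHA-256 fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not Identity Provider metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a KeyDescriptor without 'use' serves both roles
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip the line breaks AD FS emits
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fingerprints": fingerprints}

def check_idp_metadata(xml_text):
    """Pre-upload sanity checks: an HTTPS HTTP-POST SSO endpoint and at least one signing certificate."""
    info = parse_idp_metadata(xml_text)
    post = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    problems = []
    if post not in info["sso"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    elif not info["sso"][post].startswith("https://"):
        problems.append("SSO endpoint is not HTTPS")
    if not info["signing_fingerprints"]:
        problems.append("no signing certificate in metadata")
    return info, problems
```

Run `check_idp_metadata(open("FederationMetadata.xml").read())` against the file downloaded from your AD FS server; an empty problem list and a fingerprint matching the AD FS token-signing certificate mean the file is safe to upload.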
Configure G Suite to use CloudGuard SaaS Authentication Service as Identity Provider
- In the CloudGuard SaaS portal, navigate to Configuration under Identity Protection. In the box corresponding to the Microsoft AD FS Identity Provider you just configured, click on Click to add SaaS.
- In the wizard that opens, select G Suite and click Next.
- Entity ID and Reply URL are pre-filled. Click Next.
- Copy and paste the Sign-in page URL and the Sign-out page URL to a text file and save for later. Download the certificate and click Finish to save and close the wizard.
- Log into the G Suite admin console. Click on Security.
- Scroll down to section 'Set up single sign on (SSO)' and expand it.
- Check the boxes 'Setup SSO with third party identity provider' and 'Use a domain specific issuer'.
- Upload the certificate downloaded in step 4 from the CloudGuard SaaS portal.
We recommend doing this before filling out the Sign-in page and Sign-out page URLs, because of an intermittently observed Google behavior that clears the URLs after the certificate is uploaded.
- Fill out the Sign-in page URL and Sign-out page URL with the URLs provided by the Add Service Provider wizard in step 4.
You can leave the Change password URL empty. Click Save.
- You're done! All login requests to G Suite will now go through CloudGuard SaaS Authentication Service before reaching Microsoft AD FS. Login events will be shown in the CloudGuard SaaS portal under Identity Protection\Events.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.