Integration of Checkpoint Client VPN with AWS Identity Center SAML


Hello,

I have followed the procedure in the following link to create the application in the Identity Center: https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html

I have also followed a similar procedure to integrate it with the Checkpoint VPN: https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/

Regarding Checkpoint, I have used the following procedure: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/SAML-Support-for-Remote-Access-VPN.htm

Specifically, I don't understand step 6 mentioned by Checkpoint, which involves Checkpoint accessing the user database in the Identity Center through that connection. The excerpt from step 6 is as follows:

Step 6: Configure the Group Authorization

Authorization is for these types of groups:

Identity Provider groups: The groups sent by the Identity Provider.
Internal groups: The groups received from User Directories configured in SmartConsole.

To configure the Identity Provider groups:

In the Identity Provider interface, configure roles.
In the Identity Provider interface, configure a SAML claim on the Identity Provider.
In SmartConsole, create an internal User Group object with this name (case-sensitive): EXT_ID_<Name_of_Role>. For example, for a role in the Identity Provider's interface with the name "my_group", create an internal User Group object in SmartConsole with the name "EXT_ID_my_group".

Note: Identity Tags are not supported for Remote Access connections.

Identity Provider groups and Internal groups (e.g., LDAP) are used for authorization.

Authorization types:

Remote Access VPN Community: Grants users access to Remote Access VPN.
Access Roles (requires the Identity Awareness Software Blade): Grants access to users according to policy rules and user identities.

To apply authorization by Remote Access VPN, add the applicable group to the Remote Access VPN.

To apply authorization by Access Roles, add the applicable group to an Access Role in the Access Control Policy.

The purpose of this configuration is to allow users connecting to the Checkpoint client VPN to log in with users from the Identity Center and use two-factor authentication to connect to the VPN.

Could you please assist me with this?

Thank you very much.

Kind regards.
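To illustrate what step 6 actually does, the following is an added example (not Check Point or AWS code, and not a model of the gateway's internal implementation): it pulls the group values out of a SAML assertion and applies the documented naming rule, matching each IdP group to an internal User Group object named EXT_ID_<group> with an exact, case-sensitive comparison. The attribute name "groups", the sample assertion and the internal group names are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXT_PREFIX = "EXT_ID_"

# Constructed sample assertion, not a real Identity Center response: the IdP
# sends two group values in an attribute named "groups" (assumed attribute name).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>my_group</saml:AttributeValue>
      <saml:AttributeValue>Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_group_claims(assertion_xml: str, attr_name: str = "groups") -> list:
    """Return the values of the group attribute carried in the SAML assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            if val.text:
                values.append(val.text.strip())
    return values


def match_internal_groups(claims, internal_groups):
    """Map each IdP group to EXT_ID_<group> and keep those that exist as
    internal User Group objects. The comparison is exact and case-sensitive,
    as the Check Point guide states; unmatched names are returned for diagnostics."""
    internal = set(internal_groups)
    matched = {EXT_PREFIX + g for g in claims if EXT_PREFIX + g in internal}
    unmatched = [g for g in claims if EXT_PREFIX + g not in internal]
    return matched, unmatched


def is_authorized(claims, internal_groups, vpn_community_groups):
    """Authorized for Remote Access VPN when at least one matched EXT_ID_ group
    has been added to the Remote Access VPN community."""
    matched, _ = match_internal_groups(claims, internal_groups)
    return bool(matched & set(vpn_community_groups))
```

With the sample assertion, "my_group" matches EXT_ID_my_group while "Admins" does not match an object named EXT_ID_admins, which is the kind of silent mismatch to check first when a user authenticates successfully but is denied VPN access.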
