How to Configure SAML JIT for Check Point Harmony SASE

Item

Details

Pre-check

  • Prior configuration in Check Point Harmony SASE (hereafter Harmony SASE) is required.
  • Please refer to the manual provided by Check Point for the latest configuration steps.
Name ID Email address
Custom attribute Note: For how to configure custom attributes, see here
SP Configuration Configured by the administrator
Request SP to configure
Provisioning API-based Provisioning supported (account management available in TrustLogin)
SAML JIT Provisioning supported (account management available in TrustLogin; user deletion not supported)
None (accounts created in each system)
Access Method SP-Initiated SSO
IdP-Initiated SSO
Device Compatibility PC - Browser
PC - Desktop App
iOS - Default Browser (Safari)
iOS - TrustLogin Mobile App In-App Browser
iOS - Native App
Android - Default Browser (Chrome)
Android - TrustLogin Mobile App In-App Browser
Android - Native App
SAML Authentication Scope Enabled for all users (SAML authentication only)
Other: Enabled for all users (SAML authentication and password authentication can be used together)

Notes

Table of Contents:

Prerequisites

TrustLogin Admin Page Settings

Harmony SASE Settings

TrustLogin User Settings

Login Method

Prerequisites

Note: If you do not need to sync Harmony SASE groups with TrustLogin groups, this configuration is not required. Please proceed to the next section.

Create groups in TrustLogin that map to Harmony SASE groups, and assign members to them. The group names in Harmony SASE and TrustLogin must match.

For how to create groups and assign members, please refer to the following page.
Register a Group

[Configuration Example]

If the group names in Harmony SASE are "test1" and "test2", create groups with the same names "test1" and "test2" in TrustLogin and assign members.

  • Harmony SASE group settings
    001.png
  • TrustLogin group settings
    002.png


With this setup, when users in the "test1" or "test2" groups in TrustLogin perform SAML SSO to Harmony SASE, they will automatically be added to the corresponding "test1" or "test2" groups in Harmony SASE.
If a member is removed or moved from a group in TrustLogin, they will also be removed or moved from the corresponding group in Harmony SASE after SAML SSO.

TrustLogin Admin Page Settings

  1. Log in to TrustLogin, open the "Admin Page > App" menu, and click the "Register SAML App" button in the upper right of the screen.
    jit01.png
  2. Configure the "Application Name" and "Icon" (optional).
    02.png
  3. Copy and note down the "Identity Provider URL" value under "Identity Provider Information", and download the certificate by clicking the "Get Certificate" button.
    03.png
  4. Configure "Service Provider Settings" as follows.
    The values to enter differ depending on the region of your Harmony SASE instance.
    Replace {{WORKSPACE}} with your Harmony SASE Workspace name.

    Example: If the region is EU and the Workspace is "gmo-globalsign.eu.sase.checkpoint.com"
    Entity ID: urn:auth0:eu-sase-checkpoint:gmo-globalsign-oc
    ACS URL: https://auth.eu.sase.checkpoint.com/login/callback?connection=gmo-globalsign-oc

    Entity ID 【US】 urn:auth0:perimeter81:{{WORKSPACE}}-oc

    【EU】 urn:auth0:eu-sase-checkpoint:{{WORKSPACE}}-oc

    【AU】urn:auth0:qsase-au:{{WORKSPACE}}-oc

    【India】urn:auth0:qsase-in:{{WORKSPACE}}-oc
    ACS URL 【US】https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc

    【EU】https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc
    04.png
  5. Click the "Specify Custom Attributes" button under "SAML Attribute Settings", then click "Add SAML Attribute" to add rows (attributes) and configure them as follows.
    Note: The "groups" row is only required if you are syncing groups. It is not needed if you are not syncing.

    Service Provider Attribute TrustLogin (IdP) Attribute
    Attribute Name Attribute Type Attribute Label Attribute Value
    email Basic email Member Email address
    given_name Basic given_name Member First Name
    family_name Basic family_name Member Last Name
    groups Basic groups Group Select the configured group names and add all of them using the "+" button
    05.png
  6. Click the "Save" button to save.

Harmony SASE Settings

  1. Open the Harmony SASE settings screen with an administrator account, and go to "Setting > Identity Providers". Click the "Add Provider" button.
    06.png
  2. Select "SAML 2.0 Identity Providers" and click "Continue" to proceed.
    07.png
  3. Configure each field as follows and click the "Done" button to save.

    Sign In URL The "Identity Provider URL" obtained from TrustLogin
    Domain Aliases The domain name used in users' email addresses
    X509 Signing Certificate The content of the "Certificate" obtained from TrustLogin


    08.png

On the "Identity Providers" screen, you can restrict login to SAML SSO only by turning off "Email and Password".
In that case, please make sure to switch only after SAML SSO authentication has been confirmed to work and users have been notified.
09.png

TrustLogin User Settings

① When a user adds the app from My Page

Note: The SAML app must be configured by an administrator in advance.

  1. Click the "Add App" button on "My Page".
  2. On the "Register App" screen, select the custom SAML app you created and click the "Next" button in the upper right of the screen.
  3. If you want to change the "Display Name", enter it and click the "Save" button.

② When an administrator adds members

  1. Search for and click the custom SAML app you created in the "Admin Page > App" menu.
  2. Click "Add Member", select the user to add from the member list, and click the "Save" button to add them.

Login Method

When logging in via SP-Initiated SSO from the login screen, or when logging in from the mobile app or desktop app, enter the Workspace name and select the region as needed, then click the "Sign in with SSO" button to proceed with SAML SSO login.

10.png

How to Configure SAML JIT for Check Point Harmony SASE

Item

Details

Pre-check

  • Prior configuration in Check Point Harmony SASE (hereafter Harmony SASE) is required.
  • Please refer to the manual provided by Check Point for the latest configuration steps.
Name ID Email address
Custom attribute Note: For how to configure custom attributes, see here
SP Configuration Configured by the administrator
Request SP to configure
Provisioning API-based Provisioning supported (account management available in TrustLogin)
SAML JIT Provisioning supported (account management available in TrustLogin; user deletion not supported)
None (accounts created in each system)
Access Method SP-Initiated SSO
IdP-Initiated SSO
Device Compatibility PC - Browser
PC - Desktop App
iOS - Default Browser (Safari)
iOS - TrustLogin Mobile App In-App Browser
iOS - Native App
Android - Default Browser (Chrome)
Android - TrustLogin Mobile App In-App Browser
Android - Native App
SAML Authentication Scope Enabled for all users (SAML authentication only)
Other: Enabled for all users (SAML authentication and password authentication can be used together)

Notes

Table of Contents:

Prerequisites

TrustLogin Admin Page Settings

Harmony SASE Settings

TrustLogin User Settings

Login Method

Prerequisites

Note: If you do not need to sync Harmony SASE groups with TrustLogin groups, this configuration is not required. Please proceed to the next section.

Create groups in TrustLogin that map to Harmony SASE groups, and assign members to them. The group names in Harmony SASE and TrustLogin must match.

For how to create groups and assign members, please refer to the following page.
Register a Group

[Configuration Example]

If the group names in Harmony SASE are "test1" and "test2", create groups with the same names "test1" and "test2" in TrustLogin and assign members.

  • Harmony SASE group settings
    001.png
  • TrustLogin group settings
    002.png


With this setup, when users in the "test1" or "test2" groups in TrustLogin perform SAML SSO to Harmony SASE, they will automatically be added to the corresponding "test1" or "test2" groups in Harmony SASE.
If a member is removed or moved from a group in TrustLogin, they will also be removed or moved from the corresponding group in Harmony SASE after SAML SSO.

TrustLogin Admin Page Settings

  1. Log in to TrustLogin, open the "Admin Page > App" menu, and click the "Register SAML App" button in the upper right of the screen.
    jit01.png
  2. Configure the "Application Name" and "Icon" (optional).
    02.png
  3. Copy and note down the "Identity Provider URL" value under "Identity Provider Information", and download the certificate by clicking the "Get Certificate" button.
    03.png
  4. Configure "Service Provider Settings" as follows.
    The values to enter differ depending on the region of your Harmony SASE instance.
    Replace {{WORKSPACE}} with your Harmony SASE Workspace name.

    Example: If the region is EU and the Workspace is "gmo-globalsign.eu.sase.checkpoint.com"
    Entity ID: urn:auth0:eu-sase-checkpoint:gmo-globalsign-oc
    ACS URL: https://auth.eu.sase.checkpoint.com/login/callback?connection=gmo-globalsign-oc

    Entity ID 【US】 urn:auth0:perimeter81:{{WORKSPACE}}-oc

    【EU】 urn:auth0:eu-sase-checkpoint:{{WORKSPACE}}-oc

    【AU】urn:auth0:qsase-au:{{WORKSPACE}}-oc

    【India】urn:auth0:qsase-in:{{WORKSPACE}}-oc
    ACS URL 【US】https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc

    【EU】https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc
    04.png
  5. Click the "Specify Custom Attributes" button under "SAML Attribute Settings", then click "Add SAML Attribute" to add rows (attributes) and configure them as follows.
    Note: The "groups" row is only required if you are syncing groups. It is not needed if you are not syncing.

    Service Provider Attribute TrustLogin (IdP) Attribute
    Attribute Name Attribute Type Attribute Label Attribute Value
    email Basic email Member Email address
    given_name Basic given_name Member First Name
    family_name Basic family_name Member Last Name
    groups Basic groups Group Select the configured group names and add all of them using the "+" button
    05.png
  6. Click the "Save" button to save.

Harmony SASE Settings

  1. Open the Harmony SASE settings screen with an administrator account, and go to "Setting > Identity Providers". Click the "Add Provider" button.
    06.png
  2. Select "SAML 2.0 Identity Providers" and click "Continue" to proceed.
    07.png
  3. Configure each field as follows and click the "Done" button to save.

    Sign In URL The "Identity Provider URL" obtained from TrustLogin
    Domain Aliases The domain name used in users' email addresses
    X509 Signing Certificate The content of the "Certificate" obtained from TrustLogin


    08.png

On the "Identity Providers" screen, you can restrict login to SAML SSO only by turning off "Email and Password".
In that case, please make sure to switch only after SAML SSO authentication has been confirmed to work and users have been notified.
09.png

TrustLogin User Settings

① When a user adds the app from My Page

Note: The SAML app must be configured by an administrator in advance.

  1. Click the "Add App" button on "My Page".
  2. On the "Register App" screen, select the custom SAML app you created and click the "Next" button in the upper right of the screen.
  3. If you want to change the "Display Name", enter it and click the "Save" button.

② When an administrator adds members

  1. Search for and click the custom SAML app you created in the "Admin Page > App" menu.
  2. Click "Add Member", select the user to add from the member list, and click the "Save" button to add them.

Login Method

When logging in via SP-Initiated SSO from the login screen, or when logging in from the mobile app or desktop app, enter the Workspace name and select the region as needed, then click the "Sign in with SSO" button to proceed with SAML SSO login.

10.png