The Check Point integration enables biometric authentication via SAML 2.0 for Security Gateways, covering both Identity Awareness (captive portal) and Remote Access VPN (Mobile Access).
Integration type: SSO
Overview
1Kosmos integrates with Check Point Security Gateways as a SAML 2.0 identity provider, enabling users to authenticate biometrically through the 1Kosmos mobile app before accessing resources protected by Check Point Identity Awareness or Remote Access VPN. The integration covers both Identity Awareness (captive portal browser-based authentication) and Mobile Access (VPN authentication via Endpoint Security VPN or Secure Remote Access clients).
SAML identity provider configuration in Check Point is performed in SmartConsole. For each gateway and service combination, SmartConsole automatically generates a unique Entity ID and Reply URL.
These values are then entered into AdminX when adding Check Point as a SAML application. The 1Kosmos metadata or IdP values are imported into the Check Point Identity Provider object to complete the trust relationship.
For environments without an on-premises LDAP directory, a generic external user profile must be configured in SmartConsole to allow SAML-authenticated users without individual AD records to receive appropriate access policies.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Check Point SmartConsole access: SmartConsole R81 or later with access to Gateways and Servers and the Identity Awareness or Mobile Access blade enabled on the target Security Gateway.
Supported Check Point version: SAML identity provider support requires R81 or later for Identity Awareness. For Remote Access VPN (Mobile Access portal), confirm your gateway version supports SAML authentication via the Check Point release notes.
External user profile (if not using LDAP): A generic external user profile (generic*) must exist in SmartConsole for SAML-authenticated users who are not in your on-premises directory.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for Check Point:
| Field | Where to find it |
|---|---|
| SAML Metadata XML or URL | AdminX → Settings → IdP Configuration → Metadata URL |
| SSO Login URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
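The table above lists the IdP values SmartConsole needs in Step 2. When the Metadata URL is used, the same values live inside the metadata XML, and a copy/paste into the Insert Manually fields is where the trust relationship most often goes wrong. The following script, an added example that is not 1Kosmos or Check Point code, extracts the Entity ID, SSO Login URL and signing certificate from a constructed IdP metadata document and writes the certificate out in the PEM form Check Point expects for upload. The entity ID, URL and certificate bytes in the sample are placeholders; which SSO binding Check Point uses for the Login URL is assumed to be HTTP-Redirect.

```python
"""Extract the Insert Manually values for Check Point from SAML 2.0 IdP
metadata (added example; not 1Kosmos or Check Point code)."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape a SAML 2.0 IdP publishes. The entity ID,
# URLs and certificate base64 are placeholders, not real 1Kosmos values
# (the certificate is a truncated stub, enough to show the PEM wrapping).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example-tenant.invalid/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIBxzCCAXGgAwIBAgIBATANBgkqhkiG9w0BAQsFADA=
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-tenant.invalid/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example-tenant.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str, binding: str = HTTP_REDIRECT) -> dict:
    """Return entity_id, sso_url, cert_pem and name_id_formats from IdP metadata.

    Raises ValueError when a value Check Point needs is missing or the
    certificate base64 is mangled (a typical symptom of a bad copy/paste)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            sso_url = svc.get("Location")
    if sso_url is None:
        raise ValueError(f"no SingleSignOnService with binding {binding}")

    # A KeyDescriptor with use="signing" or with no 'use' attribute at all
    # (valid for both signing and encryption) carries the signing cert.
    b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                b64 = "".join(cert.text.split())  # drop pretty-print whitespace
                break
    if b64 is None:
        raise ValueError("metadata has no signing certificate")
    try:
        base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError(f"signing certificate is not valid base64: {exc}") from exc
    cert_pem = (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(textwrap.wrap(b64, 64))
        + "\n-----END CERTIFICATE-----\n"
    )
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "cert_pem": cert_pem,
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }


if __name__ == "__main__":
    values = parse_idp_metadata(SAMPLE_METADATA)
    print("Entity ID:", values["entity_id"])
    print("Login URL:", values["sso_url"])
    print(values["cert_pem"])
```

Save `cert_pem` to a `.pem` file for the certificate upload in Step 2, and compare `entity_id` and `sso_url` character for character with what was typed into SmartConsole; a trailing slash or an http/https mismatch in either field is enough for the gateway to reject the assertion.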
Values auto-generated by Check Point SmartConsole (SP) for AdminX:
| Field | Pattern / Location |
|---|---|
| Entity ID (Identity Awareness) | Auto-generated per gateway: |
| Reply URL / ACS (Identity Awareness) | Auto-generated: |
| Entity ID (Remote Access VPN) | Auto-generated: |
| Reply URL / ACS (Remote Access VPN) | Auto-generated: |
Integration steps
Step 1: Create the Identity Provider object in SmartConsole
Open SmartConsole and navigate to the Gateways and Servers panel.
Click New → More → User/Identity → Identity Provider.
In the New Identity Provider window, select the target Security Gateway in the Gateway field.
In the Service field, select either Identity Awareness (for browser-based captive portal authentication) or Remote Access VPN (for VPN authentication). SmartConsole auto-populates the Identifier (Entity ID) and Reply URL fields specific to this gateway and service combination.
Copy the Identifier (Entity ID) and Reply URL values. You will need them when adding Check Point as a SAML application in AdminX.
Step 2: Enter 1Kosmos IdP details in SmartConsole
In the New Identity Provider window, under the Data received from the SAML Identity Provider section, select Import Metadata File and upload the 1Kosmos SAML metadata XML file.
Alternatively, select Insert Manually and enter the 1Kosmos SSO Login URL in the Login URL field, paste the 1Kosmos IdP Entity ID in the Entity ID field, and upload the 1Kosmos signing certificate file.
Click OK to save the Identity Provider object. Install the policy after saving to activate the configuration.
Step 3: Configure the Identity Provider as an authentication method on the gateway
In SmartConsole, open the Security Gateway object and navigate to Identity Awareness → Browser-Based Authentication → Settings.
In the Authentication Method section, select Identity Provider and click the green [+] button to select the 1Kosmos Identity Provider object you created.
For Remote Access VPN, navigate to the Mobile Access blade settings and assign the Identity Provider object as the authentication method for the relevant portal or profile.
Install the policy.
Step 4: Configure the external user profile (if not using LDAP)
If users are not in an LDAP directory connected to Check Point, configure a generic external user profile in Legacy SmartDashboard.
Navigate to Manage and Settings → Blades → Mobile Access → Configure in SmartDashboard.
Under the Users tab, right-click an empty area and select New → External User Profile → Match all users. Confirm the profile name uses the default generic*.
Step 5: Add Check Point as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "Check Point" as the Application Name, set Instance to Production, and enter your Check Point captive portal or VPN URL as the Application Access URL. Click Next.
Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and the NameID Value to email. Add a claim for email (Username). Click Next.
Enter the Check Point Entity ID and Reply URL (ACS URL) values copied from SmartConsole in Step 1. Enable Assertion signing and click Save.
Step 6: Test the integration
Open a browser, navigate to your Check Point captive portal or VPN login URL, and initiate authentication.
Confirm you are redirected to the 1Kosmos login screen. Scan the QR code with the 1Kosmos mobile app and complete biometric authentication.
Confirm you are returned to the Check Point resource as an authenticated user.
Attribute mappings
| Source (1Kosmos) | Target (Check Point) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Primary user identifier; must be in email format as required by Check Point SAML |
Integration notes
Check Point generates a unique Entity ID and Reply URL per gateway per service type. If you are enabling SAML for both Identity Awareness and Remote Access VPN on the same gateway, each service requires a separate Identity Provider object in SmartConsole and a separate SAML application entry in AdminX.
Identity tags can be used in Check Point Access Role matching if your identity provider sends group membership claims; create corresponding Identity Tag objects in SmartConsole for each group name received in the SAML assertion.
After any change to the Identity Provider object or policy, install the policy to push the updated configuration to the gateway.