Checkpoint - SSO Configuration


This documentation has been tested and approved by Kelvin Zero's team
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Checkpoint using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
To set up Multi-Pass with Checkpoint, make sure you meet the requirements below:
  1. MPAS: Admin rights 
  2. Checkpoint: Admin rights

Configuring Checkpoint

From your dashboard, hover over the gear icon in the blue banner and select “Identity and Access.”


In the Identity Providers section, click “+” to start the SSO configuration process.
In the pop-up, choose a name for the “Integration Title,” select “Generic SAML Server,” and click “Next.”
Depending on your needs, select one of the two integration types. For this documentation, we will follow “Login based on domain verification.”
In “Services Integration,” select the option that best suits your requirements, then click “Next.”


Verify your domain by following the provided instructions. Once you have added your domain (e.g., company.com), click “Next.”
Once in the “Allow Connectivity” section, open MPAS in another window to configure it for Checkpoint.
Copy and paste the “Entity ID,” “Reply URL,” and “User ID” as required.



In MPAS, select the correct deployment, then click “Admin Console.”


In the left column, click “Clients,” then select “Create a Client.”
Fill in the required fields and click “Next.”
      * Client type = SAML 
      * Client ID = Entity ID from Checkpoint (e5db4fc1-d182-4594-a287-ffd92adb5c36.ca.portal.checkpoint.com)
      * Name = for example "checkpoint" 
      * Description = for example "SSO integration checkpoint" 
      * Always display in UI = ON

Once completed, additional fields will appear. Fill in the required information.


      * Home URL = https://ca.auth.kzero.com/realms/<Realm name>/protocol/saml/clients/checkpoint
      * Valid redirect URIs = Reply URL from Checkpoint (https://cloudinfra-gw.ca.portal.checkpoint.com/api/saml/sso)
      * IDP-Initiated SSO URL name = checkpoint
      * Name ID format = email 
      * Force POST binding = ON
      * Include AuthnStatement = ON
      * Sign assertions = ON

Click “Save.”
At the top of the page, select the “Keys” tab. Ensure both “Signing Keys Config” and “Encryption Keys Config” are turned off.
Go to the “Advanced” tab and copy the Reply URL from Checkpoint into the field labeled “Assertion Consumer Service Redirect Binding URL.”

Now, go to the “Client Scopes” tab.
Click on the first line, then select “Add Mapper.”
Choose “By Configuration.”


Select “User Attribute” and fill in the required fields.

      * Name = User Id
      * User attribute = Username
      * SAML Attribute Name = based on Checkpoint (urn:mace:dir:attribute-def:userId)
Click “Save.”



MPAS is almost fully configured. Now, you need to retrieve the metadata file for Checkpoint.
In the left column, click “Realm Settings.”
Scroll down and click “SAML 2.0 Identity Provider Metadata.”
A new window will open. Right-click on the first line and save it as an XML file.
Go back to Checkpoint and click “Next.”
In the “Configure and Test” section, click “Select File,” then upload the XML file you just saved.
Click “Run Test.”


When the test confirms that the configuration was successful, click “Apply.”
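
If “Run Test” fails, the following added example (not part of the MPAS or Checkpoint tooling) checks a decoded SAML response against the client settings configured above: Reply URL, signed assertion, email Name ID, Entity ID as audience, AuthnStatement, and the User Id attribute. It assumes the IdP sets `Destination` to the Reply URL and `Audience` to the Client ID; the function name and sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
USER_ID_ATTR = "urn:mace:dir:attribute-def:userId"  # SAML Attribute Name from the mapper step
# Example values shown in this guide; replace with your tenant's own.
ENTITY_ID = "e5db4fc1-d182-4594-a287-ffd92adb5c36.ca.portal.checkpoint.com"
REPLY_URL = "https://cloudinfra-gw.ca.portal.checkpoint.com/api/saml/sso"

def check_response(xml_text, entity_id=ENTITY_ID, reply_url=REPLY_URL):
    """List mismatches between a decoded SAML response and this guide's settings.
    Structural check only: it does not verify the signature cryptographically."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (is Encryption Keys Config off?)"]
    problems = []
    if root.get("Destination") != reply_url:
        problems.append("Destination is not the Checkpoint Reply URL")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned (Sign assertions = ON)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not email")
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience lacks the Checkpoint Entity ID")
    if assertion.find("saml:AuthnStatement", NS) is None:
        problems.append("AuthnStatement missing (Include AuthnStatement = ON)")
    names = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    if USER_ID_ATTR not in names:
        problems.append("User Id attribute missing (check the mapper)")
    return problems

# Constructed sample response, trimmed to the elements the checks read.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{REPLY_URL}"><saml:Assertion>
 <ds:Signature/>
 <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">user@company.com</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AuthnStatement/>
 <saml:AttributeStatement><saml:Attribute Name="{USER_ID_ATTR}"/></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE) or "response matches the guide's settings")
```

To use it on a real test login, Base64-decode the `SAMLResponse` form field posted to the Reply URL and pass the resulting XML to `check_response`.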
