Configuring SAML SSO with Azure AD
Steps
1. Sign in to the Microsoft Azure portal. The default welcome page opens.
2. In the Azure services section, click Azure Active Directory. The Azure Active Directory page opens.
3. From the left navigation pane, click Enterprise applications.
4. On the Enterprise applications page, from the top bar, click New application. The Browse Azure AD Gallery page opens.
5. Click Create your own application.
6. In the Create your own application dialog:
   - In the What's the name of your app? field, enter Forcepoint ONE Data Security.
   - Select the Integrate any other application you don't find in the gallery (Non-gallery) radio button.
7. Click Create. After a few moments a success message appears and the Forcepoint ONE Data Security enterprise application is created.
8. On the Forcepoint ONE Data Security enterprise application page, in the left navigation pane, select Properties.
9. Scroll down the Properties pane, set the Visible to users? toggle to No, and click Save.
10. From the left navigation pane, select Overview. The Overview pane opens.
11. Under Getting Started, in the Set up single sign on tile, click Get started. The Single sign-on pane opens.
12. In the Select a single sign-on method section, click SAML. The SAML-based Sign-on pane opens.
13. Open the Forcepoint ONE Data Security portal and navigate to Settings > Advanced > External Identity Providers.
14. Set the toggle to Enabled.
15. Under STEP 1, copy the Single Sign On URL, Audience Restriction, and Tenant ID values. They are entered into Azure AD in the next step.
16. Back in the Azure AD portal, under Set up Single Sign-On with SAML:
    a. In the Basic SAML Configuration section, click Edit (top right). The Basic SAML Configuration dialog opens.
    b. In the Identifier (Entity ID) section:
       - Click Add identifier to add a new row.
       - In the Identifier (Entity ID) field, enter the Audience Restriction value copied in Step 15.
    c. In the Reply URL (Assertion Consumer Service URL) section:
       - Click Add reply URL to add a new row.
       - In the Reply URL (Assertion Consumer Service URL) field, enter the Single Sign On URL copied in Step 15.
       - Click Save (top left).
    d. In the Attributes & Claims section, click Edit (top right).
    e. In the Attributes & Claims pane, delete the last three rows listed under Additional claims and add the two claims Forcepoint ONE Data Security expects:
       i. In the Additional claims section, on the row to delete, click the icon at the end of the row and then click Delete.
       ii. In the Claim deletion dialog, click OK. Repeat steps i and ii for the other two rows.
       iii. Click Add new claim on the top bar. The Manage claim page opens. In the Name field, enter tenantId; in the Source attribute field, enter the Tenant ID copied from the Forcepoint ONE Data Security portal in Step 15; then click Save.
       iv. Repeat step iii with name in the Name field and user.displayName in the Source attribute field, then click Save.
    f. Under SAML Certificates, in the Federation Metadata XML row, click Download. The Federation Metadata XML file downloads.
17. After the success message appears, open the downloaded Federation Metadata XML file in a text editor and copy its entire contents.
18. Open the Forcepoint ONE Data Security portal and navigate to Settings > Advanced > External Identity Providers.
19. Under STEP 2, paste the copied Federation Metadata XML contents into the IDP metadata field.
20. Click Save.
Note: To sign in to the Forcepoint ONE Data Security portal with SAML SSO, users (or groups) must be assigned to the Forcepoint ONE Data Security enterprise application in Azure AD (Users and groups in the application's left navigation pane). Unless the application's User assignment required? property is set to No, a user who is not assigned receives an error from Azure AD when signing in. The pasted metadata also embeds the Azure AD SAML signing certificate, which has an expiry date shown under SAML Certificates; when that certificate is rotated, download the Federation Metadata XML again and repeat steps 17 through 20, or sign-in will fail signature validation.
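The following script is an added example (not Forcepoint's or Microsoft's code) for checking the two artifacts this procedure produces: the Federation Metadata XML before it is pasted into STEP 2, and a SAML response captured from the browser when sign-in fails after the setup. It confirms that the metadata's entityID belongs to the expected tenant, pulls out the HTTP-POST and HTTP-Redirect sign-on URLs, and prints the signing-certificate fingerprints (the SHA-1 one matches the Thumbprint Azure AD shows under SAML Certificates); for a captured response it checks the Destination against the Reply URL, the Audience against the Audience Restriction, the Issuer against the tenant, and that the tenantId and name claims added in step 16.e are present. The tenant ID, Audience Restriction, Reply URL and certificate blob in the sample data are constructed placeholders, not real values.

```python
"""Offline checks for the Azure AD <-> Forcepoint ONE SAML setup described above.

Added example, not code from Forcepoint or Microsoft. All sample XML is constructed:
tenant ID, Audience Restriction and Single Sign On URL are placeholders for the values
copied from the Forcepoint ONE portal; the certificate blob is a dummy, so the
fingerprints computed from it are not a real Azure AD thumbprint.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata from an untrusted source

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_idp_metadata(xml_text: str, expected_tenant_id: str) -> dict:
    """Extract what the SP will rely on from Azure AD's Federation Metadata XML."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    # Azure AD publishes its IdP entity ID as https://sts.windows.net/<tenant ID>/ ;
    # anything else means another tenant's file, or not IdP metadata at all.
    if entity_id != f"https://sts.windows.net/{expected_tenant_id}/":
        raise ValueError(f"entityID {entity_id!r} does not belong to tenant {expected_tenant_id}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        b64 = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
        der = base64.b64decode("".join(b64.split()))
        # SHA-1 is what the Thumbprint column under SAML Certificates displays
        certs.append({"sha1": hashlib.sha1(der).hexdigest().upper(),
                      "sha256": hashlib.sha256(der).hexdigest().upper()})
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {"entity_id": entity_id, "sso_post": sso.get(POST_BINDING),
            "sso_redirect": sso.get(REDIRECT_BINDING), "signing_certs": certs}


def check_saml_response(xml_text: str, expected_audience: str,
                        expected_tenant_id: str, expected_acs: str) -> list:
    """List problems with a captured SAML response; an empty list means the claims look right.
    Claims only: signature validation is the SP's job and is not repeated here."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL {expected_acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != f"https://sts.windows.net/{expected_tenant_id}/":
        problems.append(f"unexpected Issuer {issuer!r}")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not contain {expected_audience!r}")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if attrs.get("tenantId") != [expected_tenant_id]:  # custom claim added in step 16.e.iii
        problems.append(f"tenantId claim is {attrs.get('tenantId')}, expected [{expected_tenant_id!r}]")
    if not attrs.get("name"):  # custom claim added in step 16.e.iv (user.displayName)
        problems.append("name claim is missing")
    return problems


# ---- constructed sample data: placeholders, not real tenant values ----
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_AUDIENCE = "urn:example:forcepoint-one-sp"    # stands in for the Audience Restriction
SAMPLE_ACS = "https://sp.example.invalid/saml/acs"   # stands in for the Single Sign On URL
_FAKE_CERT = base64.b64encode(b"placeholder, not an X.509 certificate").decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{_FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST_BINDING}"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{SAMPLE_ACS}">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/{SAMPLE_TENANT}/</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SAMPLE_AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="tenantId"><saml:AttributeValue>{SAMPLE_TENANT}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="name"><saml:AttributeValue>Ada Lovelace</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA, SAMPLE_TENANT))
    print(check_saml_response(SAMPLE_RESPONSE, SAMPLE_AUDIENCE, SAMPLE_TENANT, SAMPLE_ACS))
```

To use it against a real tenant, replace SAMPLE_METADATA with the contents of the downloaded Federation Metadata XML and the three SAMPLE_ values with those copied in Step 15; a SAML response for check_saml_response can be captured with a browser SAML-tracing extension and base64-decoded first. A wrong-tenant metadata file raises ValueError before anything is pasted, and the most common post-setup failures (Reply URL mismatch, missing tenantId claim after the default claims were deleted, wrong audience) each show up as a separate entry in the returned list.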