Configuring Azure AD SSO with SAML 2.0 protocol

You can configure Azure AD Single Sign-On (SSO) to log in to the Forcepoint Security Manager.

Complete the following steps to configure Azure as a SAML identity provider.

Steps

  1. Sign in to the Microsoft Azure portal.
    The default welcome page opens.
  2. From the Azure services section, click Enterprise applications.

    The All applications page opens.

  3. On the All applications page, click New application.

  4. Click Create your own application.

  5. Under the Create your own application dialog, do the following:
    1. In the What’s the name of your app? field, enter the name of the application, for example, FSM.
    2. Select the Integrate any other application you don’t find in the gallery (Non gallery) radio button.
    3. Click the Create button.

  6. Under the Getting Started section, in the Set up single sign on option, click Get started.

    The Single sign-on page opens.

  7. In the Select a single sign-on method section, click the SAML option.

    The SAML-based Sign-on dialog opens.
  8. Under the Set up Single Sign-On with SAML section in the Azure portal, do the following:
    1. In the Basic SAML Configuration section, click the Edit button.

      The Basic SAML Configuration dialog opens.

    2. In the Identifier (Entity ID) section:
      1. Click the Add identifier button to add a new row.
      2. In the Identifier (Entity ID) field, enter the Entity ID of Forcepoint Security Manager.

        Format: {IP address}:{port}/manager (without the "https://" prefix).

        Azure writes this value into the AudienceRestriction of every assertion it issues, so it must match the Audience Restriction URL configured in Forcepoint Security Manager in step 9 exactly, including the port.

    3. In the Reply URL (Assertion Consumer Service URL) section:
      1. Click the Add reply URL button to add a new row.
      2. In the Reply URL (Assertion Consumer Service URL) field, enter the Assertion Consumer Service URL. Azure posts the SAML response to this URL from the user's browser, so use the same {IP address}:{port} as the Entity ID and make sure it is reachable from the browser.

        Format: https://{IP address}:{port}/manager/rest/v1/sso/samlResponse

        Example: https://xx.xx.xx.xx:xxxx/manager/rest/v1/sso/samlResponse

    4. Ensure the Sign on URL field is empty.
    5. Click the Save button in the top left corner.

  9. In Forcepoint Security Manager, navigate to Global Settings > General, and select Single Sign-On.

    1. Select the Enable Single Sign-on with SAML 2.0 protocol option to enable the SSO feature.
    2. Copy the Identifier (Entity ID) that you entered in your identity provider (Azure in this procedure) and paste it into the Audience Restriction URL field in the Service Provider details section of Forcepoint Security Manager. A SAML service provider rejects an assertion whose audience does not match its own entity ID, so the two values must be identical.
  10. Go back to the Azure portal. In the Attributes & Claims section, click the Edit button in the top right corner.

    The Attributes & Claims page opens.

    1. Click Add new claim.

      The Manage claim page opens.

    2. In Name, enter email.
    3. In Source, select Attribute.
    4. In Source attribute, enter user.mail or select user.mail from the list.
    5. Click Save, and then return to the SAML-based Sign-on page.

    Note: Azure does not emit a claim whose source attribute is empty, so every user who will sign in must have the Mail property populated in Azure AD.

  11. Navigate to SAML Certificates, and then click Edit.

    Set Signing Option to Sign SAML response and assertion, and then click Save.

  12. Under the SAML Certificates section, from the Federation Metadata XML field, click the Download button.
    The Federation Metadata XML file starts to download.
  13. After the download completes, open the Federation Metadata XML file in a text editor, and do the following:
    1. Copy the base64 certificate value from the X509Certificate element inside the KeyDescriptor element whose use attribute is "signing". Copy only the value, without the surrounding tags or any line breaks.
    2. In Forcepoint Security Manager, paste the copied value into the X.509 Certificate field in the Single Sign-On page.

    When the signing certificate expires or is rotated in Azure, repeat steps 12 and 13; otherwise Forcepoint Security Manager can no longer validate the signature on the responses Azure sends.
  14. In the Azure portal, copy the Login URL and the Microsoft Entra identifier from the Set up section.

  15. In the Identity Provider Configuration section of the Single Sign-On page in Forcepoint Security Manager, paste the Login URL into the Identity provider Single Sign-On URL field and the Microsoft Entra identifier into the Identity provider issuer field.

    Click OK to save the details.

  16. In the Azure portal, click Change single sign-on mode.

  17. Click Linked.

  18. In Forcepoint Security Manager, copy the Assertion Consumer Service (ACS) URL from the Service Provider details section of the Single Sign-On page.
  19. Paste the Assertion Consumer Service (ACS) URL copied in the previous step into the Sign on URL field in the Linked section of the Azure portal.

  20. Make sure the Sign on URL field in the Basic SAML Configuration section is still empty; a value there breaks the connection to the identity provider.

  21. In the Azure portal, navigate to Users and groups, click Add user/group, and then under Users click None Selected.
  22. Select the user to assign, set the role to User, and then click Assign.
  23. In Forcepoint Security Manager, navigate to Global Settings > General > Administrators, and then add the user as an EIP administrator, using the same email address that Azure sends in the email claim.
    Note: To log in to Forcepoint Security Manager using SAML SSO, users must be assigned to the Forcepoint Security Manager application in the Azure portal.
  24. To log in to Forcepoint Security Manager from Azure using SAML SSO, go to View account > My Apps, and then click the FSM application on the Apps dashboard.

    When the user clicks the newly added Forcepoint Security Manager application from the Azure account, the system redirects them to the Forcepoint Security Manager portal.
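The following script is an added example written for this page; it is not Forcepoint or Microsoft code and does not reflect how Forcepoint Security Manager is implemented. Its first function reads the downloaded Federation Metadata XML and pulls out the three values that steps 13 to 15 ask you to copy by hand (Login URL, Microsoft Entra identifier, signing certificate), which removes the risk of pasting the wrong KeyDescriptor. Its second function runs the consistency checks that a SAML service provider makes on a response (Destination, Issuer, Status, Audience, Recipient, email claim), which is why the Entity ID, Audience Restriction URL and ACS URL from steps 8 and 9 have to match exactly. Both XML documents are constructed samples: the tenant id, the 203.0.113.10:9443 address and port, and the certificate bytes are placeholders, and XML signature verification is deliberately left out.

```python
"""Added example, not Forcepoint or Microsoft code: derive the FSM IdP settings from
Azure federation metadata, then cross-check a SAML Response against the SP values.
METADATA_XML and RESPONSE_XML are constructed samples with placeholder tenant id,
address, port and certificate bytes. No XML signature verification is performed."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TENANT = "00000000-0000-0000-0000-000000000000"           # placeholder tenant id
IDP_ISSUER = f"https://sts.windows.net/{TENANT}/"          # Azure's entityID format
FAKE_CERT = base64.b64encode(b"placeholder, not a real DER certificate " * 3).decode()

# Service Provider values from steps 8 and 9 (RFC 5737 documentation address, placeholder port)
SP = {
    "entity_id": "203.0.113.10:9443/manager",
    "acs_url": "https://203.0.113.10:9443/manager/rest/v1/sso/samlResponse",
}

METADATA_XML = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{IDP_ISSUER}">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" Destination="{SP['acs_url']}">
 <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{SP['acs_url']}"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP['entity_id']}</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email">
   <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def idp_settings(metadata_xml: str) -> dict:
    """Return the Login URL (sso_url), Microsoft Entra identifier (issuer) and the
    base64 signing certificate(s) that the FSM Single Sign-On page asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no 'use' means signing and encryption
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                certs.append("".join(node.text.split()))   # drop line breaks and indentation
    if not certs:
        raise ValueError("no signing certificate in metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService")
    return {"sso_url": sso[0], "issuer": root.get("entityID"), "certificates": certs}


def check_response(response_xml: str, sp: dict, idp_issuer: str) -> list:
    """Return the mismatches an SP would reject the response for (empty list = consistent).
    The XML signature is not checked here; FSM does that with the pasted X.509 certificate."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Destination does not match the ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        problems.append("Issuer does not match the Identity provider issuer")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in response"]
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp["entity_id"] not in audiences:   # fails when the step 8 and step 9 values differ
        problems.append(f"Audience {audiences} does not contain SP Entity ID {sp['entity_id']!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"]:
        problems.append("SubjectConfirmationData Recipient does not match the ACS URL")
    email = assertion.find("saml:AttributeStatement/saml:Attribute[@Name='email']/saml:AttributeValue", NS)
    if email is None or not (email.text or "").strip():
        problems.append("email claim missing or empty (user.mail not populated?)")
    return problems


if __name__ == "__main__":
    settings = idp_settings(METADATA_XML)
    print("Login URL:", settings["sso_url"], "| Issuer:", settings["issuer"])
    print("Mismatches:", check_response(RESPONSE_XML, SP, settings["issuer"]))
```

Run it against the real metadata file by replacing METADATA_XML with the file contents: the issuer it prints is the Microsoft Entra identifier, the HTTP-Redirect location is the Login URL, and each entry in certificates is a value you can paste into the X.509 Certificate field. Azure metadata can list a KeyDescriptor without a use attribute, which is why the function accepts both that and use="signing". To see the audience check fail, change SP["entity_id"] to the https:// form of the Entity ID: the response still carries the bare {IP address}:{port}/manager audience, and check_response reports it, which is the same mismatch an SP sees when steps 8 and 9 disagree.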