Configuring SAML Profile with Google Workspace

This process includes creating a custom SAML app in the Google Admin console, and mapping user attributes to enable secure, seamless authentication across services.

  1. Create a new SAML profile in Forcepoint Data Security Cloud. Refer to Creating a new SAML profile section.
  2. Create a custom app in Google Workspace.
    1. Navigate to Apps > Web and mobile apps and select Add app > Add custom SAML app.

    2. Provide a name and description to custom app and click CONTINUE.

    3. Click the DOWNLOAD METADATA button to download the IdP configuration and click CONTINUE.
      Note: This file will be uploaded to the Data Security Cloud SAML profile at a later stage.

    4. Copy the ACS URL from the SAML Profile, within the Forcepoint Data Security Cloud.

    5. Go back to the Google Workspace Admin, custom app setup and paste the copied ACS URL.

    6. Enter the Entity ID.
      Note: The Entity ID must match the IDP Code from your Forcepoint SAML ID.
    7. Select Signed Response (Not mandatory but good practice).
    8. Choose EMAIL for the Name ID format.
    9. Choose Basic information>Primary email for Name ID and click CONTINUE.
    10. Add Attribute mappings as below and click FINISH.
      Table 1. Attributes
      Google directory attributes App attributes
      Primary email http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      First name firstName
      Last name lastName
      Table 2. Group membership (optional)
      Google Groups App attribute
      [Group name] http://schemas.xmlsoap.org/claims/Group

    11. Forcepoint custom app is now created as below.

    12. Select View details to edit and ensure user access is ON for everyone.

  3. Now go to Forcepoint Data Security Cloud SAML profile and choose IDP Metadata File for the IDP Metadata field.

  4. Select Browse to upload the Metadata file you downloaded earlier [See 2(c)]. The SAML configuration will automatically be completed with the uploaded metadata and click Update.

  5. Now configure Forcepoint Data Security Cloud to use SAML for Authentication.
    1. Navigate to Settings > Authentication.
    2. Enable Always check for local user.
    3. Select SAML as Default Identity Provider.
    4. Select the Entity ID of the SAML profile you have created.
    5. Click Save.

User Provisioning

For each SAML profile, be sure to set the Tenant provisioning to SCIM or SAML, depending on your set up to avoid duplicate users being created on Authentication.

This setting is available under the SAML Profile properties.