Configuring Okta to support Forcepoint ONE Platform as SAML SP

You can configure Okta as the SAML 2.0 Identity Provider (IdP) for Forcepoint ONE Platform, with Forcepoint ONE Platform acting as the SAML Service Provider (SP). The procedure moves between the two consoles: first create a SAML profile in Forcepoint ONE Platform to obtain its ACS URL, then add Forcepoint ONE Platform as a SAML 2.0 application inside Okta using that URL, and finally load the Okta IdP metadata into the Forcepoint ONE Platform profile.

Before you begin

You will need administrator access to both the Okta Admin Console and the Forcepoint ONE Platform admin portal.

Steps

  1. Sign in to Forcepoint ONE Platform.
  2. From the application waffle, select Admin.
  3. From the left Navigation Pane, click the SAML icon.

    The following page opens displaying existing SAML Profiles.



  4. To add a new SAML Profile, click +Add SAML Profile.

    The Add SAML Profile opens on the right pane.



  5. Under the General Details section:
    1. Enter a unique IDP Code and Description.
      Note: The IDP Code is required. The profile cannot be saved without a code. The same value is entered in Okta as the Audience URI (SP Entity ID) later in this procedure, so choose it deliberately; if it is changed afterwards, the Okta application must be updated to match.
    2. Click Save to create the SAML profile.

      The SAML profile gets created.



      The Add SAML Profile pane now also displays the read-only ACS URL and Logout Response URL fields under the General Details section, along with an additional section, IDP Metadata. Copy the ACS URL; it is needed when configuring the Okta application.

      • ACS URL - The Assertion Consumer Service URL on Forcepoint ONE Platform to which the identity provider sends the signed SAML assertion with an HTTP POST.
      • Logout Response URL - The URL on the service provider to which the identity provider sends its sign-out response.
  6. Open a new browser window/tab and login to Okta as an administrator.
  7. In the Admin Console, navigate to Applications > Applications and then click Create App Integration.


    The Create a new app integration pop-up opens displaying the available sign-in methods.

  8. Select SAML 2.0 as the Sign-in Method for the Forcepoint ONE Platform and click Next.


    The Create SAML Integration page opens.



  9. On the General Settings tab:
    1. In the App name field, enter the application name to distinguish the application.
    2. Upload an App logo if required.
    3. Click Next to view Configure SAML settings.
  10. Under the SAML Settings section:
    1. In the Single sign-on URL field, enter the ACS URL copied from step 5b. The value must match the ACS URL exactly (scheme, host, path and trailing characters); Okta posts the assertion to this URL and also writes it into the assertion, where the service provider compares it by exact string match.


    2. Make sure the Use this for Recipient URL and Destination URL checkbox is checked, so that the same URL is used as the Recipient URL and the Destination URL.
    3. In the Audience URI (SP Entity ID) field, enter the IDP Code entered in step 5a. This is also compared by exact string match when the assertion is validated.
    4. Under Attribute Statements (optional), add the following custom attribute statements for the integration.

      Name                                                          | Name format   | Value
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name    | URI Reference | user.displayName
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | URI Reference | user.email

    5. Under Group Attribute Statements (optional), add the following group attribute statement for the integration.

      Name                                    | Name format   | Filter
      http://schemas.xmlsoap.org/claims/Group | URI Reference | A filter that matches the name of the group which you want to configure with the profile

      Use a filter that matches only the groups this profile needs rather than a catch-all pattern; every group the filter matches is released to Forcepoint ONE Platform in each assertion.
    6. Click Next to view the Feedback tab details.
  11. On the Feedback tab, select the I'm an Okta customer adding an internal app radio option, then select the This is an internal app that we have created checkbox as the App Type.


  12. Click Finish to create the custom application.

    The custom application opens on its Sign On tab, which shows the Metadata URL needed later in this procedure.



  13. On the Assignments tab, click Assign > Assign to People or Assign to Groups to assign the application to the appropriate users or groups. Only assigned users can authenticate to Forcepoint ONE Platform through this application, so keep the assignment as narrow as the use case allows.


  14. Back in the Forcepoint ONE Platform browser window/tab, select the SAML profile created in step 5 from the list. This opens the editor.
  15. In the IdP Metadata section, select the IDP Metadata URL option from the IdP Metadata drop-down to pull the metadata details from Okta.
    1. Copy the Metadata URL from the Okta application's Sign On tab (step 12) and paste the URL in the Metadata URL field. Use the HTTPS URL exactly as Okta shows it; the metadata carries the signing certificate that Forcepoint ONE Platform will use to validate assertions, so it must be fetched from Okta and not from an untrusted copy.
    2. To pull the metadata based on the URL, click Get Metadata.

      After clicking Get Metadata, the remaining IdP fields (such as the IdP entity ID, sign-on URL and signing certificate) are auto-populated from the Okta metadata. If the Okta signing certificate is rotated later, repeat this step so the profile holds the current certificate; otherwise assertion signature validation fails.



    3. Click Save to save the changes.
  16. Set Okta as the default IdP, if required.
    This enforces that users from a specific username domain are authenticated by the selected Okta IdP. To configure a username domain, refer to Adding a new username domain.
  17. Test the configuration by opening a new browser window (or incognito window) and attempting to log in to Forcepoint ONE Platform as one of the users assigned to the application in Okta.

    You should be redirected to the Okta login page, where you enter your credentials before being redirected back to Forcepoint ONE Platform. Also confirm the negative case: a user who is not assigned the application in Okta should not be able to sign in to Forcepoint ONE Platform through it.
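The following is an added example, not code from Forcepoint or Okta, that shows what the two consoles are agreeing on in steps 5, 10 and 15: it parses a constructed sample of the IdP metadata Okta serves at the Metadata URL (entity ID, SSO endpoints and signing certificate) and then checks a constructed sample SAML Response against hypothetical SP values (IDP Code "okta-prod" as the Audience, "https://sp.example.com/saml/acs" as the ACS URL, and the attribute names added in step 10). The Okta entity ID and hostname are placeholders. XML signature verification is deliberately out of scope; a real service provider verifies the signature with the metadata certificate before trusting any of the fields compared here.

```python
"""Added example: check Okta IdP metadata and a SAML Response against the
SP settings from the procedure above. All identifiers, URLs and both XML
documents are constructed samples, not real Okta or Forcepoint output."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Hypothetical SP-side settings: IDP Code and ACS URL (step 5), attributes (step 10).
SP_CONFIG = {
    "audience": "okta-prod",
    "acs_url": "https://sp.example.com/saml/acs",
    "required_attrs": {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "http://schemas.xmlsoap.org/claims/Group",
    },
}

# Constructed, trimmed sample of what the Okta Metadata URL returns (step 15).
OKTA_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample Response as Okta would POST it to the ACS URL (signature omitted).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Assertion><saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>okta-prod</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue>fone-admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_idp_metadata(xml_text):
    """Extract what the Get Metadata step needs: entity ID, SSO endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            certs += [c.text.strip() for c in
                      kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata: assertions could not be verified")
    # Key the endpoints by the short binding name, e.g. "HTTP-POST".
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def check_response(xml_text, idp, sp):
    """Return a list of mismatches between a Response and the SP config; empty means consistent."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    problems = []
    for label, got in (("response Issuer", root.findtext("saml:Issuer", namespaces=NS)),
                       ("assertion Issuer", assertion.findtext("saml:Issuer", namespaces=NS))):
        if got != idp["entity_id"]:
            problems.append(f"{label} {got!r} != metadata entityID {idp['entity_id']!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    for label, got in (("Destination", root.get("Destination")),
                       ("Recipient", scd.get("Recipient") if scd is not None else None)):
        if got != sp["acs_url"]:  # exact string comparison, as an SP performs it
            problems.append(f"{label} {got!r} != ACS URL {sp['acs_url']!r}")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp["audience"] not in audiences:
        problems.append(f"Audience {audiences!r} does not include IDP Code {sp['audience']!r}")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in sorted(sp["required_attrs"] - present):
        problems.append(f"missing attribute statement {name}")
    return problems
```

Running `check_response(SAML_RESPONSE, parse_idp_metadata(OKTA_METADATA), SP_CONFIG)` returns an empty list for the consistent sample; editing the Audience, Recipient or Destination in the sample to any other value produces a mismatch entry, which is exactly the condition that makes a service provider reject a login after a typo in step 10.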