Microsoft Entra ID: Configuring Forcepoint ONE Platform as a SAML SP

You can set up Microsoft Entra ID as an IdP within Forcepoint ONE Platform. This setup configures SAML SSO proxy authentication for any applications other than Microsoft apps.

Attention: Azure Active Directory (AD) has been renamed Microsoft Entra ID.

Steps

  1. Sign in to Forcepoint ONE Platform.
  2. From the application waffle, select Admin.
  3. From the left Navigation Pane, click the SAML icon.

    The SAML page opens, listing the existing SAML Profiles.

  4. To add a new SAML Profile, click +Add SAML Profile.

    The Add SAML Profile pane opens on the right.

  5. Under the General Details section:
    1. Enter a unique IDP Code and Description.
      Note: The IDP Code is required. The profile cannot be saved without a code.
    2. To save the SAML Profile, click Save.

      The SAML profile gets created.

      The Add SAML Profile pane also displays the read-only ACS URL and Logout Response URL fields under the General Details section, along with an additional section, IDP Metadata.

      • ACS URL - The URL location where the SAML assertion is sent with an HTTP POST.
      • Logout Response URL - The URL location on the service provider where the identity provider sends its sign out response.
  6. Open a new browser window or tab and log in to the Azure admin portal.
  7. Navigate to Microsoft Entra ID > Enterprise Applications.
  8. On the Enterprise Applications page, select All applications and then click New application.
  9. On the Browse Microsoft Entra Gallery page, click Create your own application.
  10. On the Create your own application dialog that appears on the right:
    1. Enter a recognizable application name.
    2. Ensure Integrate any other application you don't find in the gallery (Non-gallery) is selected.
    3. Click Create.

    Wait for the application to be created.

  11. On the newly created app page, select Assign users and groups and assign the users/groups that will be accessing apps and authenticating through Forcepoint ONE Platform.

    Note: The Forcepoint ONE Platform UI supports UTF-8 characters. However, the SAML assertion supports only low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, SAML sign-in fails.
  12. Once you have assigned your users/groups, select Set up single sign on and then click SAML.
  13. On the Set up Single Sign-On with SAML page:
    1. In the Basic SAML Configuration section, click Edit.
    2. In the Identifier (Entity ID) section:
      • Click the Add identifier button to add a new row.
      • Copy the IDP Code value (Step 5b) from Forcepoint ONE Platform and paste it to the Identifier (Entity ID) field in Azure.
    3. In the Reply URL (Assertion Consumer Service URL) section:
      • Click the Add reply URL button to add a new row.
      • Copy the ACS URL value (Step 5b) from Forcepoint ONE Platform page to the Reply URL (Assertion Consumer Service URL) field in Azure.
    4. Click the Save button on the top left corner.
    5. In the SAML Certificates section, if you have not already created a SAML Signing Certificate, create one now.
      If you have already created one, skip to the next step. Otherwise, click Add a certificate, and in the new tab that appears, click New Certificate. Then set the fields as below and click Save.
      • Signing Option: Sign SAML assertion
      • Signing Algorithm: SHA-256
    6. Click the Save button on the top.

      The created certificate is then displayed in the SAML Certificates section.

  14. Back on the Forcepoint ONE Platform browser window/tab, select the specific SAML profile from the list which you want to edit. This opens the editor.
  15. On the IdP Metadata section, select one of the following options from the IdP Metadata drop-down to define how Forcepoint ONE Platform obtains the SAML identity provider metadata.
    • Manual (default) - Select the Manual option to enter all the required metadata information by hand.
    • IDP Metadata URL - Select the IDP Metadata URL option to pull the IdP metadata from a URL.
    • IDP Metadata File - Select the IDP Metadata File option to pull the IdP metadata from an XML file.
  16. If you have selected IDP Metadata File from the IdP Metadata drop-down, then follow the below steps:
    1. To download the SAML identity provider metadata in XML format, click the Download link adjacent to the Federation Metadata XML field under the SAML Certificates section (of Step 13f).
    2. In Forcepoint ONE Platform, click Browse and select the metadata XML file that you just downloaded.
      After uploading the metadata file, the other fields are auto-populated.

  17. If you have selected IDP Metadata URL from the IdP Metadata drop-down, then follow the below steps:
    1. Copy the App Federation Metadata Url from Step 13f and paste the URL in the Metadata URL field.
    2. To pull the metadata from the URL, click Get Metadata.

      After clicking Get Metadata, the other fields are auto-populated.

  18. If you have selected Manual from the IdP Metadata drop-down, then follow the below steps:
    1. From Step 13f, click the Download link adjacent to the Certificate (Base64) field in Azure.

      A Base64-encoded certificate file is downloaded.

    2. Open the certificate in a text editor.
    3. Copy the content between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and paste it into the IDP Certificate field in Forcepoint ONE Platform.
    4. Copy the Login URL from Azure to the End-point URL field in Forcepoint ONE Platform.
    5. Copy the Microsoft Entra Identifier from Azure to the Issuer URL field in Forcepoint ONE Platform.
    6. Copy the Logout URL from Azure to the Single Log-out URL field in Forcepoint ONE Platform.
  19. Click Save on both pages of setup.
    Attention: To log in to Forcepoint ONE Platform using SAML SSO, users must be assigned to the Forcepoint ONE Platform application in Azure (Step 11). Users without an assignment will encounter an error when logging in.
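As an added example (not part of the Forcepoint or Microsoft documentation), the following Python script reads the Federation Metadata XML downloaded in Step 16a and pulls out the same four values that the Manual option in Step 18 has you copy by hand: Issuer URL, End-point URL, Single Log-out URL and IDP Certificate. It only accepts keys marked for signing, so an encryption-only key can never end up in the IDP Certificate field; the metadata document, the all-zero tenant id and the certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like Entra's Federation Metadata XML. The tenant id
# (all zeros) and the certificate text are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate> CONSTRUCTED
    PLACEHOLDER </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor></EntityDescriptor>"""

def _location(idp, service):
    # Location of the HTTP-Redirect endpoint for a service, or None if absent.
    return next((s.get("Location") for s in idp.findall(f"md:{service}", NS)
                 if s.get("Binding") == REDIRECT), None)

def extract_manual_fields(metadata_xml: str) -> dict:
    """Map IdP metadata onto the four Forcepoint ONE Manual fields."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Keep only signing keys (a missing 'use' attribute means signing and
    # encryption); an encryption-only key must never be pasted as IDP Certificate.
    certs = [kd.findtext(".//ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    # The field expects the bare Base64 body, so strip PEM-style line breaks.
    certs = ["".join(c.split()) for c in certs if c]
    sso = _location(idp, "SingleSignOnService")
    if not certs or not sso:
        raise ValueError("metadata lacks a signing certificate or a Redirect SSO endpoint")
    return {
        "issuer_url": root.get("entityID"),                        # Microsoft Entra Identifier
        "endpoint_url": sso,                                       # Login URL
        "single_logout_url": _location(idp, "SingleLogoutService"),  # Logout URL
        "idp_certificate": certs[0],                               # Certificate (Base64) body
    }

if __name__ == "__main__":
    for field, value in extract_manual_fields(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Run it against the real Federation Metadata XML to compare the output with what you pasted into the Forcepoint ONE Platform fields; a mismatch in Issuer URL or certificate is the usual cause of a failed SAML sign-in.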

Next steps

  • You are now set to use Microsoft Entra ID as the IdP to log in to Forcepoint ONE Platform.
  • You can now require users from a specific username domain to authenticate with the selected Microsoft Entra ID IdP. To configure a username domain, refer to Adding a new username domain.