ADFS: Configuring Forcepoint ONE Platform as a SAML SP

You can configure Active Directory Federation Services (ADFS) to support Forcepoint ONE Platform as a SAML Service Provider.

Before you begin

Before you start, make sure all of your users' attributes are filled out in Active Directory so that all of the needed information is pulled over to Forcepoint ONE Platform. This includes ensuring the Name, UPN, Email and ObjectGUID fields are all populated.

It is also helpful to have a web browser window open and logged in to Forcepoint ONE Platform, since some steps require information that you copy over from Forcepoint ONE Platform. You will also need to configure the IdP object in Forcepoint ONE Platform towards the end of the setup, once you have completed the configuration on your AD FS server.

Steps

  1. Sign in to Forcepoint ONE Platform.
  2. From the application waffle, select Admin.
  3. From the left Navigation Pane, click the SAML icon.

    The following page opens displaying existing SAML Profiles.

  4. To add a new SAML Profile, click +Add SAML Profile.

    The Add SAML Profile pane opens on the right.

  5. Under the General Details section:
    1. Enter a unique IDP Code and Description.
      Note: The IDP Code is required. The profile cannot be saved without a code.
    2. To save the SAML Profile, click Save.

      The SAML profile is created.

      The Add SAML Profile pane also displays the read-only ACS URL and Logout Response URL fields under the General Details section, along with an additional section, IDP Metadata.

      • ACS URL - The URL location where the SAML assertion is sent with an HTTP POST.
      • Logout Response URL - The URL location on the service provider where the identity provider sends its sign out response.
  6. Place your mouse pointer on the icon and then click Download.

    A metadata file is downloaded. Use this metadata file when configuring the identity provider.

  7. From the IdP Metadata section, select the Manual option from the IdP Metadata drop-down to enter metadata and certificate details manually.


  8. Open a new browser window/tab and log in to the Azure admin portal.
  9. Log in to your server and start AD FS Management.


  10. From the Actions pane, click Add Relying Party Trust… to start a configuration wizard.


    The Add Relying Party Trust Wizard opens.



  11. On the Welcome tab, make sure Claims aware is selected and click Start.
  12. On the Select Data Source tab:
    1. Select the Import data about the relying party from a file option.
    2. Click Browse to select the metadata file that you downloaded in step 6.


    3. Click Next to view the Specify Display Name tab.
  13. On the Specify Display Name tab, enter a Display name and click Next.


  14. On the Choose Access Control Policy tab, make sure that the Permit everyone option is selected and click Next.


  15. On the Ready to Add Trust tab, review the settings on each sub-tab and then click Next to complete the wizard.


  16. On the Finish tab, ensure that the Configure claims issuance policy for this application checkbox is selected and click Close.


    The relying party trust is created and displayed under AD FS > Relying Party Trusts in the console tree. The Edit Claim Issuance Policy dialog also opens.

  17. If the Edit Claim Issuance Policy dialog is closed, select the relying party that you have created from the Relying Party Trusts page and select Edit Claim Issuance Policy from the Actions pane.


  18. On the Edit Claim Issuance Policy dialog, click Add Rule...


    The Add Transform Claim Rule Wizard dialog opens.

  19. On the Choose Rule Type tab, verify that the Claim rule template is set to Send LDAP Attributes as Claims and then click Next.


  20. On the Configure Claim Rule tab:
    1. Enter Claim rule name.


    2. Select Active Directory as the Attribute store.
    3. Select the following required LDAP attributes and their outgoing claim types:

      LDAP Attribute           Outgoing Claim Type
      User-Principal-Name      Name ID
      Is-Member-Of-DL          Group
      Display-Name             Name
      E-mail-Addresses         E-Mail Address
    4. Click Finish to save the policy.
      The Edit Claim Issuance Policy dialog displays the newly added policy.
    5. To close the Edit Claim Issuance Policy dialog, click OK.
  21. Export the token-signing certificate from ADFS to upload into Forcepoint ONE Platform.
    1. In ADFS, expand Service > Certificates.


    2. Under the Token-signing section, right-click the certificate and select View Certificate.
    3. On the Details tab, click Copy to File... to open the Certificate Export Wizard.
    4. Click Next.
    5. On the Export File Format window, select the Base-64 encoded X.509 (.CER) option and click Next.
    6. Specify a name for the file you want to export (for example, TokenSigningCert), click Next, and then click Finish to export the file.
      A message is displayed stating The export was successful.
    7. Click OK to dismiss the message.
    8. Open the exported certificate file in a text editor.
    9. Copy the content between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and paste it into the IDP Certificate field in Forcepoint ONE Platform (step 7).
  22. Right-click on AD FS top level folder and then click the Edit Federation Service Properties… menu item.


    1. Copy the Federation Service Name and paste it into End-point URL of the SAML setup in Forcepoint ONE Platform (Step 7).


    2. Copy the Federation Service identifier and paste it into the Issuer URL of the SAML setup in Forcepoint ONE Platform (Step 7).
  23. Navigate to Service > Endpoints and find the URL Path of the SAML 2.0/WS-Federation type under Token Issuance.

    Append this URL Path to the End-point URL in Forcepoint ONE Platform (Step 7).



  24. On the Forcepoint ONE Platform window/tab, click Save to save the IdP configuration.
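The values that steps 21 to 23 have you copy by hand can be read directly from the AD FS server with PowerShell, which also lets you confirm that the relying party trust from steps 10 to 20 carries the four claim types chosen in step 20. The script below is an added example, not Forcepoint's or Microsoft's documentation code; it assumes the AD FS PowerShell module is installed and that the Display name entered in step 13 was 'Forcepoint ONE Platform' (a placeholder to replace with your own).

```powershell
# Added example (not from Forcepoint or Microsoft). Run on the AD FS server to collect the
# values steps 21-23 copy by hand and to check the trust built in steps 10-20.
Import-Module ADFS
$DisplayName = 'Forcepoint ONE Platform'   # placeholder: the Display name from step 13

# Step 22: Federation Service Name (HostName) and Federation Service identifier (Issuer URL)
$props = Get-AdfsProperties
# Step 23: URL Path of the SAML 2.0/WS-Federation token-issuance endpoint, appended to
# https://<Federation Service Name> to form the End-point URL
$saml = Get-AdfsEndpoint | Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' } | Select-Object -First 1
$endpointUrl = 'https://{0}{1}' -f $props.HostName, $saml.AddressPath
# Step 21: primary token-signing certificate as Base-64 DER, i.e. the text that sits between
# -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in the exported .CER file
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pemBody = [Convert]::ToBase64String($der, 'InsertLineBreaks')

[pscustomobject]@{
    'End-point URL (step 23)'   = $endpointUrl
    'Issuer URL (step 22.2)'    = [string]$props.Identifier
    'IDP Certificate (step 21)' = $pemBody
    'Token-signing thumbprint'  = $signing.Thumbprint
    'Token-signing expires'     = $signing.Certificate.NotAfter
} | Format-List

# With AutoCertificateRollover enabled, AD FS mints and promotes a new token-signing
# certificate before this one expires; assertions signed with the new key fail validation
# at Forcepoint ONE until the pasted IDP Certificate is replaced with the new one.
if ($props.AutoCertificateRollover) {
    Write-Warning "Auto rollover is on: re-export the token-signing certificate before $($signing.Certificate.NotAfter)."
}

# Steps 10-20: the trust exists, is enabled, and its issuance rules cover the four claim
# types selected in step 20.3 (Name ID, Group, Name, E-Mail Address).
$rp = Get-AdfsRelyingPartyTrust -Name $DisplayName
if (-not $rp) { throw "Relying party trust '$DisplayName' not found; check the Display name from step 13." }
if (-not $rp.Enabled) { Write-Warning "Trust '$DisplayName' is disabled." }
$expected = @{
    'Name ID'        = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
    'Group'          = 'http://schemas.xmlsoap.org/claims/Group'
    'Name'           = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    'E-Mail Address' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
}
foreach ($claim in $expected.GetEnumerator()) {
    if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($claim.Value)) {
        Write-Warning "Claim rule for '$($claim.Key)' ($($claim.Value)) is missing (step 20.3)."
    }
}
```

Compare the printed End-point URL, Issuer URL and IDP Certificate against what you pasted into the SAML profile in step 7 before clicking Save in step 24.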