Administrator single sign-on

The Administrator single sign-on feature allows portal users to sign in to the Security Portal using a supported third-party identity provider. When enabled, this feature applies to all contacts.

Before enabling this feature, you must configure the details for your identity provider on the Account > Administrator Single Sign-On page. You must also configure your third-party identity provider to provide the cloud portal with sign-on authentication for your administrators.

To configure administrator single sign-on:

Steps

  1. Go to Account > Administrator Single Sign-On.
  2. Mark Use identity provider for administrator single sign-on.
  3. From the Identity provider drop-down, select SAML 2.0 Compliant Identity provider.
  4. To enable your identity provider to work with administrator single sign-on, you must provide metadata from your product.
    • If you select URL, locate the URL of your identity provider’s metadata and enter it in the field provided.
    • If you select File upload, click Browse to locate the exported metadata file from your identity provider.

      If you have previously uploaded a metadata file, the file name and date and time of upload are displayed on the page.

  5. Use the links provided in Download Links to get the details needed to fully configure administrator single sign-on.
    1. In order for the cloud portal to talk to your identity provider, you must upload cloud service SAML metadata to your product. Click the Metadata link to download this data file.
    2. Click the Root Certificate link and save the certificate file to a location on your network.
  6. Click Save.

    When you click Save, the specified metadata source is validated. If it is found to be invalid, the cloud portal displays an error and restores the previous configuration. This means:

    • Reverting to the previous metadata source if one was configured
    • Disabling the Use identity provider for single sign-on check box if you are configuring single sign-on for the first time.

Next steps

Once you have completed the setup on this page, you must do the following to complete single sign-on activation:

  • Add the downloaded SAML metadata file to your identity provider.
  • Deploy the root certificate to administrator’s machines, using your preferred distribution method such as Group Policy Object (GPO).
  • Select the required Login option to enable SSO as an administrator authentication mechanism. See Login optionsfor more information.

When configuring your identity provider for administrator single sign-on, use the following URL to obtain the Forcepoint metadata:

https://admin.forcepoint.net/login/saml.xml

Note that this metadata source is different from the metadata source for end-user single sign-on provided on the Web > End User Single Sign-On page.

You can configure your identity provider to fetch this metadata dynamically using this URL, or save the page as an XML file, and upload it to your identity provider.

Important: When using the SSO related login options, you must access the portal with the following link https://admin.forcepoint.net/portal.