Configure identity management
Steps
- On the main menu bar, click Account.
- Click Identity Management.
- Check the Enable identity management box.
- Click Directory Synchronization Client to use an LDAP directory.
You cannot connect the Synchronization Client to the cloud without doing so, even if you have a valid username and password.
- Click SCIM Integration (cloud web only) to use a cloud-based identity provider.
- Because you are provisioning user and group data, you can manage policy membership through group membership. Select from the Default user policy drop-down the web policy to which you want to assign users if they have no group-based policy assignment already. By default, the first policy in the list is chosen.
- If you selected Directory Synchronization Client, Directory Synchronization Settings display.
- Select Overwrite groups to overwrite current groups with the provisioned groups when there is a group name conflict.
If you are a new customer with no group data in the cloud, leave this box unchecked.
If you have existing data, check this box if you want to overwrite current groups with the provisioned groups when there is a group name conflict.
Users, groups, and email addresses are overwritten by LDAP data of the same name. Once this occurs, they are manageable only by LDAP synchronization.
If you are switching to LDAP for the first time, take care to match your LDAP group names and membership to the existing setup. Doing so allows existing policy selections and settings to be maintained, as well as existing usernames/passwords where applicable.
If you have duplicate names, you have 2 options: make sure the duplicate can be overwritten or don’t allow overwriting and rename the duplicates to avoid a conflict.
If you don’t select this option and duplicate names are found, the transaction is rejected. In the cloud, you receive the error “403: Attempt to overwrite portal-managed group ‘nnnn’.” On the client, you receive “Error communicating with the Hosted Service portal. Update abandoned.”
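The following is an added example, not Forcepoint code, that models the Overwrite groups rule described above so you can pre-check a planned LDAP synchronization offline: given the portal-managed group names and the LDAP group names, it lists the duplicates, shows whether the transaction would be accepted or rejected, and produces the rename plan for the second option. The group names, the exact-match comparison, and the "-ldap" rename suffix are constructed assumptions.

```python
"""Pre-check for group name conflicts before enabling Overwrite groups.

Added example (not Forcepoint code). Models the rule on this page: when a
provisioned LDAP group has the same name as a portal-managed group, the sync
either overwrites it (Overwrite groups checked) or the whole transaction is
rejected with a 403 (unchecked). Exact-name matching is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SyncResult:
    accepted: bool
    overwritten: List[str] = field(default_factory=list)
    error: Optional[str] = None


def find_conflicts(portal_groups: List[str], ldap_groups: List[str]) -> List[str]:
    """Return portal-managed group names that also exist in the LDAP group list."""
    portal = set(portal_groups)
    return sorted(g for g in ldap_groups if g in portal)


def simulate_sync(portal_groups: List[str], ldap_groups: List[str],
                  overwrite_groups: bool) -> SyncResult:
    """Predict the outcome of one synchronization run under the chosen setting."""
    conflicts = find_conflicts(portal_groups, ldap_groups)
    if not conflicts:
        return SyncResult(accepted=True)
    if overwrite_groups:
        # Conflicting groups are replaced by LDAP data and from then on are
        # manageable only through LDAP synchronization.
        return SyncResult(accepted=True, overwritten=conflicts)
    # Unchecked: the transaction is rejected. The cloud reports the 403 below;
    # the client reports "Error communicating with the Hosted Service portal.
    # Update abandoned."
    return SyncResult(
        accepted=False,
        error=f"403: Attempt to overwrite portal-managed group '{conflicts[0]}'.",
    )


def rename_plan(conflicts: List[str], suffix: str = "-ldap") -> Dict[str, str]:
    """Second option from the page: rename the LDAP duplicates to avoid a conflict.
    The suffix is an arbitrary constructed choice."""
    return {g: f"{g}{suffix}" for g in conflicts}


# Constructed sample data for a tenant that already has portal-managed groups.
PORTAL_GROUPS = ["Finance", "Engineering", "Contractors"]
LDAP_GROUPS = ["Engineering", "Sales", "Contractors"]

if __name__ == "__main__":
    print("Conflicts:", find_conflicts(PORTAL_GROUPS, LDAP_GROUPS))
    print("Overwrite off:", simulate_sync(PORTAL_GROUPS, LDAP_GROUPS, False))
    print("Overwrite on: ", simulate_sync(PORTAL_GROUPS, LDAP_GROUPS, True))
    print("Rename plan:  ", rename_plan(find_conflicts(PORTAL_GROUPS, LDAP_GROUPS)))
```

Run the check with your real exported group lists before the first synchronization; an empty conflict list means the Overwrite groups setting makes no difference for that run.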
Under Web:
- Specify whether you want the User policy assignment to be fixed after the initial user provisioning, or if you want the service to check the group policy membership every time users are provisioned or group policy assignments are changed in the cloud.
- Select Fixed if you want to manage policy assignments in the cloud. When this option is selected, the service makes a policy assessment for an individual user only when that user first appears in the system (in other words, is synchronized for the first time). It either assigns the user a group-based policy or the default policy specified above. If you want to move someone to a new policy, you need to do so in the cloud.
- Select Follow group membership if you want users’ policy assignments to change automatically when there are changes to their group membership. If you move someone to another group, he or she moves to a different policy. This is the default.
- Select one of the Email settings radio buttons to indicate whether you want email sent to new end users to notify them that they are now protected by the cloud service.
You can select to Email all new users, only those who do not have an NTLM identity, or no one.
Be aware that sending to end users could flood your email servers with messages and slow down performance. You’re asked to confirm this decision. We recommend you do this at a quiet time.
- Choose which Email template you want to use to notify end users of their enrollment in the cloud service. Initially, only the default message is offered, but you can create custom notifications if desired. See Configure block and notification pages for more information.
- For Sender’s address, enter the address from which you want notification messages sent to new users.
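The two User policy assignment modes described under Web are easy to confuse, so here is an added example (not Forcepoint code) that models them: under Fixed a user is assessed once, on first synchronization, and later group moves change nothing until someone changes the policy in the cloud; under Follow group membership the assignment is recomputed on every run. The group-to-policy map, the policy names, and the rule that the first mapped group wins when a user is in several are constructed assumptions.

```python
"""Model of Fixed vs Follow group membership policy assignment.

Added example (not Forcepoint code). Names and the group-to-policy map are
constructed; which group wins when a user is in several mapped groups is an
assumption, as the page does not specify it.
"""
from typing import Dict, List, Optional

DEFAULT_POLICY = "Default Web Policy"  # the "Default user policy" chosen earlier
GROUP_POLICY: Dict[str, str] = {       # constructed group -> web policy map
    "Finance": "Finance Policy",
    "Engineering": "Engineering Policy",
}


def group_based_policy(groups: List[str]) -> Optional[str]:
    """Policy of the first mapped group in the order given, or None if no group maps."""
    for g in groups:
        if g in GROUP_POLICY:
            return GROUP_POLICY[g]
    return None


def provision(assignments: Dict[str, str], user: str, groups: List[str], mode: str) -> str:
    """Apply one provisioning run for `user` with its current `groups`.

    mode "fixed": assess only when the user first appears; otherwise keep the stored policy.
    mode "follow": reassess on every run so group changes move the user between policies.
    Returns the policy the user holds after the run.
    """
    if mode not in ("fixed", "follow"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "fixed" and user in assignments:
        return assignments[user]
    assignments[user] = group_based_policy(groups) or DEFAULT_POLICY
    return assignments[user]


def cloud_move(assignments: Dict[str, str], user: str, policy: str) -> None:
    """In Fixed mode this is the only way to move an already provisioned user."""
    assignments[user] = policy


def run_scenario(mode: str) -> List[str]:
    """alice is first synced with no mapped group, then moved into Finance.
    Returns the policy held after each of the two runs."""
    assignments: Dict[str, str] = {}
    first = provision(assignments, "alice", ["Staff"], mode)
    second = provision(assignments, "alice", ["Finance"], mode)
    return [first, second]


if __name__ == "__main__":
    print("fixed: ", run_scenario("fixed"))
    print("follow:", run_scenario("follow"))
```

The difference shows up in the second run: the Fixed scenario leaves alice on the default policy after the move to Finance, while Follow group membership moves her to the Finance policy.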
Under Email:
- (Quarantine/discard/bounce) mail for unknown users. This determines what happens to email arriving at the cloud service that is sent to an unknown email address. By default it is quarantined.
Check this box if you want the message handled in this way. Leave it unchecked if you do not.
Only Forcepoint Technical Support can modify the disposition of this option.
Occasionally customers cannot enable or disable this option. This happens when addresses have not been synchronized, a similar access control has been manually added to your policy, or Customer Services has explicitly turned it off.
- If you selected SCIM, configuration details required to connect your identity provider to the cloud service are provided.
- The Base URL is used to allow your identity provider to access the cloud service. Use the copy option provided to easily paste the URL into the appropriate configuration page for your provider.
- The Bearer token provides a unique authentication key used to authorize requests to the cloud service. Click Generate New Token to generate the key and then use it when configuring your identity provider.
Note that Overwrite groups and Follow group memberships, configurable when Directory Synchronization is selected, are automatically applied when SCIM is selected.
Important: When you generate a new token, it will be displayed only once. Ensure you make a note of the token. When you generate a new token, any existing token will become invalid. If you have an existing token in use, it will need to be replaced with the new token.
- Click Save when done.
Note: You can turn off identity management any time and revert to managing all users, groups, and email addresses in the cloud. If you plan to do this, please see Turn off identity management for possible considerations.