Google Workspace: Deploying Forcepoint ONE SSE as a SAML IdP

This page walks through configuring Forcepoint ONE SSE as the SAML Identity Provider (IdP) for Google Workspace single sign-on (SSO). Routing authentication through Forcepoint ONE SSE gives the CASB visibility into, and access control over, Google Workspace logins.

Before you begin

You will need a few SAML values from the Forcepoint ONE SSE admin portal (the Login URL, Logout URL, Password Change URL and the token signing certificate); the rest of the configuration takes place inside the Google Admin portal.

Steps

  1. Log in to the Forcepoint ONE SSE admin portal, navigate to Protect > Policies and click Google Workspace to open the Google Workspace settings page.

  2. On the settings page, select the app instance and enable SAML SSO for Web and Client Apps.

    Note: The Google Workspace tile is hidden from the User Portal while SAML SSO is disabled in the Google Apps Instance dialog.
  3. Back on the Google Workspace settings page, select Setup Web SSO and keep this page open; you will copy its values into Google Admin in step 6.

  4. Open a new browser window or tab:
    • Open any Google app and then navigate to Google apps > Admin to open the Google Admin portal.

      OR

    • Log in directly at https://admin.google.com.
  5. In the left navigation pane, go to Security > Authentication > SSO with third party IdP, then click the Third-party SSO profile for your Organization section to edit its fields.

  6. Follow the steps below:
    1. Check the Setup SSO with third party identity provider checkbox. The remaining fields are copied from the Setup Web SSO page opened in step 3.
    2. Copy the Login URL from the Forcepoint ONE SSE admin portal and paste it into the Sign-in page URL field.
    3. Copy the Logout URL from the Forcepoint ONE SSE admin portal and paste it into the Sign-out page URL field.
      Note: In some scenarios you may want users to be logged out of both Forcepoint ONE SSE and an external IdP when they click the logout link in the application. To accomplish this, use https://portal.bitglass.com/accounts/logout/ as the Logout URL instead of the default https://portal.bitglass.com/portal/.
    4. Make sure you click Save before moving on to the next step to upload the certificate.
    5. Click the Replace certificate link.
      1. Log in to https://portal.bitglass.com and click the download cert link to download the token signing certificate.
      2. Select the downloaded certificate in the open Upload certificate file chooser.
    6. Check the Use a domain specific issuer checkbox.
    7. Clear the Network masks field since the Forcepoint ONE SSE cloud service will now be the identity provider for SSO.
    8. Copy the Password Change URL from the Forcepoint ONE SSE admin portal (the Setup Web SSO page from step 3) and paste it into the Change password URL field.
    9. Click Save.
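The following script is an added illustration, not Forcepoint or Google code: it encodes the end state the procedure above produces as a checklist and flags a profile that deviates from it (wrong scheme or host on the URLs, the wrong Logout URL for the chosen logout behaviour, a certificate that is not PEM-armoured DER, the domain-specific issuer left unchecked, or network masks left in place). The field names mirror the Google Admin labels used in step 6; the portal host is taken from the URLs on this page; the example URL paths and the certificate body are constructed placeholders, not real Forcepoint values.

```python
"""Consistency checks for a Google Workspace third-party SSO profile that
points at Forcepoint ONE SSE. Added example, not vendor code. The portal
host comes from this page; URL paths and the certificate are constructed."""
import base64
from dataclasses import dataclass, field, replace
from urllib.parse import urlparse

IDP_HOST = "portal.bitglass.com"                      # Forcepoint ONE SSE portal host (from the page)
LOGOUT_DEFAULT = f"https://{IDP_HOST}/portal/"        # default Logout URL (from the page)
LOGOUT_EVERYWHERE = f"https://{IDP_HOST}/accounts/logout/"  # logs out of Forcepoint and the external IdP


@dataclass
class SsoProfile:
    """The fields filled in under Third-party SSO profile for your Organization."""
    sign_in_url: str
    sign_out_url: str
    change_password_url: str
    certificate_pem: str
    use_domain_specific_issuer: bool
    network_masks: list = field(default_factory=list)


def _is_https_on_idp(url: str) -> bool:
    """True when the URL uses https and is served by the Forcepoint portal host."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == IDP_HOST


def certificate_is_pem_der(pem: str) -> bool:
    """Structural check only: PEM armour present and the body decodes to a DER SEQUENCE (0x30).
    Expiry and subject are not examined here."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(der) > 2 and der[0] == 0x30


def check_profile(profile: SsoProfile, logout_everywhere: bool = False) -> list:
    """Return a list of problems; an empty list means the profile matches the procedure."""
    problems = []
    if not _is_https_on_idp(profile.sign_in_url):
        problems.append(f"Sign-in page URL must be https on {IDP_HOST}: {profile.sign_in_url}")
    expected_logout = LOGOUT_EVERYWHERE if logout_everywhere else LOGOUT_DEFAULT
    if profile.sign_out_url != expected_logout:
        problems.append(f"Sign-out page URL should be {expected_logout}, got {profile.sign_out_url}")
    if not _is_https_on_idp(profile.change_password_url):
        problems.append(f"Change password URL must be https on {IDP_HOST}: {profile.change_password_url}")
    if not certificate_is_pem_der(profile.certificate_pem):
        problems.append("Uploaded certificate is not a PEM-armoured DER certificate")
    if not profile.use_domain_specific_issuer:
        problems.append("Use a domain specific issuer must be checked")
    if profile.network_masks:
        problems.append(f"Network masks must be cleared now that {IDP_HOST} is the IdP: {profile.network_masks}")
    return problems


# Constructed sample: the paths and the tiny DER body are placeholders, not real values.
GOOD_PROFILE = SsoProfile(
    sign_in_url=f"https://{IDP_HOST}/example/saml/login/",
    sign_out_url=LOGOUT_DEFAULT,
    change_password_url=f"https://{IDP_HOST}/example/password/",
    certificate_pem="-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n",
    use_domain_specific_issuer=True,
    network_masks=[],
)

if __name__ == "__main__":
    for issue in check_profile(GOOD_PROFILE) or ["profile matches the procedure"]:
        print(issue)
    drifted = replace(GOOD_PROFILE, network_masks=["10.0.0.0/8"], use_domain_specific_issuer=False)
    for issue in check_profile(drifted):
        print("drift:", issue)
```

Run it after saving the profile, with `logout_everywhere=True` if you chose the alternative Logout URL from the note in step 6.3; any non-empty list points at the field to revisit.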