Okta: Configuring Forcepoint ONE SSE as a SAML SP

You can configure Okta to support Forcepoint ONE SSE as a SAML Service Provider. Admins can use the registered application available in Okta for easy configuration.

Forcepoint ONE SSE provides a predefined app within Okta for quick setup. However, the predefined app should only be used if Okta is your first IdP that you are adding to Forcepoint ONE SSE and you do not intend to customize SAML parameters or add custom SAML attributes.

When adding an external IdP to Forcepoint ONE SSE, the first IdP that is created will have an Entity ID of https://sso.bitglass.com. This will work fine if you are deploying Forcepoint ONE SSE and Okta is the first IdP that you are adding to Forcepoint ONE SSE. However, if you create or add a secondary IdP to Forcepoint ONE SSE, the Entity ID will be https://saml.bitglass.com/<string> where the <string> is a randomly generated value that tells Forcepoint ONE SSE which tenant and email domain the assertion is valid for. The Forcepoint ONE SSE default app inside of Okta does not allow you to change the Entity ID which is configured as https://sso.bitglass.com.

If Okta is not the first IdP that you are adding to Forcepoint ONE SSE, then you will need to change the Audience URI (SP Entity ID) field to the https://saml.bitglass.com/<string> value shown on the Forcepoint ONE SSE SAML Authentication page.

Note: The Forcepoint ONE SSE UI supports UTF-8 characters. However, the SAML assertion only supports low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, SAML sign-in failures occur.
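The two failure modes this page describes (an Audience URI that does not match the Entity ID Forcepoint ONE SSE expects for a secondary IdP, and attribute values that are not low-ASCII) can both be caught before a user ever hits a sign-in error by inspecting the assertion Okta produces. The following is an added example, not Okta's or Forcepoint's code: it parses a constructed SAML assertion, checks the Audience against the expected Entity ID, and flags any attribute value containing characters outside printable 7-bit ASCII. The tenant string `TENANT_STRING_PLACEHOLDER`, the issuer, and the sample attribute values are all constructed; in practice the `<string>` comes from the SAML Authentication page and the assertion from a decoded SAML response (for example from a browser SAML tracer).

```python
"""Pre-flight checks for a SAML assertion bound for Forcepoint ONE SSE.

Added example, not Forcepoint's or Okta's code. It checks the two points
the page calls out: the Audience (SP Entity ID) in the assertion must match
the Entity ID Forcepoint ONE SSE expects for this IdP, and every attribute
value must be low-ASCII. The assertion XML and tenant string below are
constructed samples, not real values.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Entity ID used by the first IdP added to Forcepoint ONE SSE (from the page).
FIRST_IDP_ENTITY_ID = "https://sso.bitglass.com"


def expected_entity_id(is_first_idp: bool, tenant_string: str = "") -> str:
    """Return the Audience URI Forcepoint ONE SSE expects for this IdP.

    A secondary IdP needs the randomly generated <string> shown on the
    SAML Authentication page; there is no way to derive it locally.
    """
    if is_first_idp:
        return FIRST_IDP_ENTITY_ID
    if not tenant_string:
        raise ValueError("secondary IdP requires the <string> from the SAML Authentication page")
    return f"https://saml.bitglass.com/{tenant_string}"


def is_low_ascii(value: str) -> bool:
    """True when every character is printable 7-bit ASCII (0x20-0x7E)."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in value)


def check_assertion(assertion_xml: str, expected_audience: str) -> list:
    """Return a list of problem strings; an empty list means the assertion passes."""
    problems = []
    root = ET.fromstring(assertion_xml)

    # 1. Audience restriction must name the Entity ID Forcepoint ONE SSE expects.
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"Audience mismatch: assertion has {audiences}, expected {expected_audience!r}")

    # 2. Every attribute value must be low-ASCII or sign-in will fail.
    for attr in root.findall(".//saml:Attribute", NS):
        name = attr.get("Name", "<unnamed>")
        for val in attr.findall("saml:AttributeValue", NS):
            text = val.text or ""
            if not is_low_ascii(text):
                bad = sorted({f"U+{ord(c):04X}" for c in text if not (0x20 <= ord(c) <= 0x7E)})
                problems.append(f"Attribute {name!r} has non-low-ASCII characters: {bad}")
    return problems


# Constructed sample: audience of the first IdP, one attribute with an accented value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER_PLACEHOLDER</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sso.bitglass.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>Zo\u00eb Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    print("As first IdP:")
    for problem in check_assertion(SAMPLE_ASSERTION, expected_entity_id(True)):
        print("  -", problem)
    print("As secondary IdP (audience must change):")
    secondary = expected_entity_id(False, "TENANT_STRING_PLACEHOLDER")
    for problem in check_assertion(SAMPLE_ASSERTION, secondary):
        print("  -", problem)
```

Run as the first IdP, the sample reports only the non-ASCII `displayName` value; run as a secondary IdP it also reports the audience mismatch, which is exactly the situation that arises when the predefined Okta app (fixed at https://sso.bitglass.com) is reused for a second IdP instead of editing the Audience URI field.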