Any SAML IdP: Configuring Forcepoint ONE SSE as a SAML SP
Use the configuration information below to register Forcepoint ONE SSE as a SAML SP on any external SAML IdP.
Note: The Forcepoint ONE SSE UI supports UTF-8 characters. However, the SAML assertion only supports low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, SAML sign-in fails.
Use the following endpoints to register Forcepoint ONE SSE as a service provider. Most IdPs can import the SP configuration directly from the metadata URL.
- SAML Metadata URL: https://portal.bitglass.com/sso/metadata/
- SAML ACS Endpoint: https://portal.bitglass.com/sso/acs/
If your IdP cannot import metadata, refer to the table below to configure the SAML settings manually:
SAML Setting | Value | Notes |
---|---|---|
SSO URL | https://portal.bitglass.com/sso/acs/ | Also used as the Recipient URL and Destination URL. |
Name ID Format | EmailAddress | |
Entity ID | https://sso.bitglass.com | This is the default Entity ID for the first IdP added to Forcepoint ONE SSE. For each subsequent IdP, the Entity ID is https://saml.bitglass.com/<character string>, where <character string> is a randomly generated value Forcepoint ONE SSE uses to identify that IdP. Copy the Entity ID from the Forcepoint ONE SSE IdP setup page so that the value you enter in your external IdP is correct. |
Assertion | Signed, Not Encrypted | The IdP must sign the Assertion element itself; because the Response is Not Signed, an IdP that signs only the outer Response does not meet this requirement. |
Response | Not Signed, Not Encrypted | |
relay_state | IdP-initiated auth: bg_portal_login; SP-initiated auth: bg_saml_login | For SP-initiated auth, Forcepoint ONE SSE sets the relay_state parameter in the SAML request to bg_saml_login. The IdP must return this value unaltered. Refer to the Advanced IdP Settings to learn more about configuring the Default Relay State. |
Signature Algorithm | RSA_SHA256 | |
Digest Algorithm | SHA256 | |
SAML Single Logout | Disabled | |
Authentication Context Class | PasswordProtectedTransport | |
Honor Force Authentication | No | |
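The following script is an added example (not Forcepoint or IdP vendor code) that lints a SAML Response captured from your IdP against the settings in the table and the low-ASCII note above, before you cut users over. It assumes the default Entity ID https://sso.bitglass.com (first IdP), and it checks only structure and algorithm identifiers: cryptographic verification of the assertion signature is left to a SAML library. The embedded Response is constructed for the example, with placeholder signature and digest values.

```python
"""Lint an IdP's SAML Response against the Forcepoint ONE SSE SP settings.
Added example, not Forcepoint code. Assumes the default Entity ID
https://sso.bitglass.com and leaves cryptographic signature verification
to a SAML library; only structure and algorithm identifiers are checked."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS = "https://portal.bitglass.com/sso/acs/"   # SSO URL = Recipient = Destination
ENTITY_ID = "https://sso.bitglass.com"         # assumed: first IdP, default value
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
RELAY_STATES = {"bg_portal_login", "bg_saml_login"}   # IdP-initiated / SP-initiated

def check_response(xml_text, relay_state):
    """Return a list of deviations from the SP settings (empty list means OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS:
        problems.append("Response Destination must be " + ACS)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("Assertion must not be encrypted")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append("expected exactly one plaintext Assertion")
        return problems
    a = assertions[0]
    sig = a.find("ds:Signature", NS)          # signature must sit on the Assertion
    if sig is None:
        problems.append("Assertion must be signed")
    else:
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        if sm is None or sm.get("Algorithm") != RSA_SHA256:
            problems.append("SignatureMethod must be RSA-SHA256")
        if dm is None or dm.get("Algorithm") != SHA256:
            problems.append("DigestMethod must be SHA256")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != NAMEID_EMAIL:
        problems.append("NameID Format must be emailAddress")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS:
        problems.append("SubjectConfirmationData Recipient must be " + ACS)
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != ENTITY_ID:
        problems.append("Audience must be the SP Entity ID " + ENTITY_ID)
    ctx = a.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or ctx.text != PPT:
        problems.append("AuthnContextClassRef must be PasswordProtectedTransport")
    # Attribute values must be low (7-bit) ASCII, or sign-in fails (see the note above).
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        for val in attr.findall("saml:AttributeValue", NS):
            if not (val.text or "").isascii():
                problems.append(f"attribute {attr.get('Name')} has non-ASCII value {val.text!r}")
    if relay_state not in RELAY_STATES:
        problems.append(f"RelayState {relay_state!r} was altered by the IdP")
    return problems

# Constructed sample Response; DigestValue/SignatureValue are placeholders only.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://portal.bitglass.com/sso/acs/">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
   <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://portal.bitglass.com/sso/acs/"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sso.bitglass.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="displayName">
   <saml:AttributeValue>{display_name}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def sample_response(display_name="Alice Example"):
    """Build the constructed sample with the given displayName attribute value."""
    return SAMPLE.format(display_name=display_name)
```

Run it as `check_response(sample_response(), "bg_saml_login")`, which returns an empty list for the compliant sample; passing a displayName such as "José" and a RelayState the IdP rewrote returns one problem for each, which are exactly the two misconfigurations that produce the sign-in failures the note and the relay_state row warn about. For a real capture, base64-decode the SAMLResponse form field first and feed the XML to `check_response` together with the RelayState field.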