ADFS: Configuring Forcepoint ONE SSE as a SAML SP

You can configure Active Directory Federation Services (ADFS) to support Forcepoint ONE SSE as a SAML Service Provider.

Before you begin

Before you start, make sure all of your users' attributes are filled out in Active Directory so that all of the needed information is pulled over to Forcepoint ONE SSE. This includes ensuring the fields for their name, UPN, Email and ObjectGUID are all filled out.

It is also helpful to have a web browser window open and logged into the Forcepoint ONE SSE admin portal, since some steps require information you copy over from the Forcepoint ONE SSE portal. You will also need to configure the IdP object in Forcepoint ONE SSE towards the end of the setup, once you have completed the setup on your AD FS server.

Note: Forcepoint ONE SSE UI supports UTF-8 characters. However, the SAML assertion only supports low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, then SAML sign-in failures occur.

Steps

  1. Log in to your server and start AD FS 2.0 Management.


  2. Click Add Relying Party Trust… to start a configuration wizard.


  3. Configure the Forcepoint ONE SSE SAML information. You can input this information via a metadata URL or configure it manually. If configuring manually, skip to step 4.
    1. Click Start on the ADFS Configuration Wizard, then select the Import data about the relying party published online or on a local network option. In Federation metadata address, enter the SAML Metadata URL (https://portal.bitglass.com/sso/metadata/). Click Next.


    2. Enter Bitglass SSO as the Display name and click Next.


    3. Choose Permit all users to access this relying party and click Next.


    4. Review the settings and then click Next to complete the wizard.
  4. Follow the steps below to configure manually:
    1. Select the Enter data about the relying party manually option and click Next.


    2. On the next page, enter Bitglass SSO for the Display name and click Next.


    3. Click Next to skip the certificate section.
    4. On the Configure URL page, click Enable support for SAML v2.0 and enter the Forcepoint ONE SSE URL: https://portal.bitglass.com/sso/acs/. Click Next.


    5. On the Configure Identifiers page, you will need the SAML Entity ID from the Forcepoint ONE SSE portal. In the browser window you have open and logged into the Forcepoint ONE SSE portal, navigate to Protect > Objects > Common Objects and create a new External IdP object. On the new page, select ADFS from the IDP Type drop-down. Copy the SAML Entity ID, navigate back to the ADFS configuration window, paste the URL into the Relying Party Trust Identifier field and click Add. Once added, click Next at the bottom.

    6. On the Choose Access Control Policy page, select Permit Everyone and then click Next.


    7. Review your settings and then click Next.


    8. On the Finish page, ensure that the checkbox is checked for Configure claims issuance policy for this application and click Finish.


  5. Under Actions > Bitglass SSO, select Edit Claim Issuance Policy and then click Add Rule.


  6. On the Select Rule Template page, verify that the Claim rule template is set to Send LDAP Attributes as Claims and then click Next.


  7. Enter a Claim rule name. Select Active Directory as the Attribute store. Enter the appropriate LDAP attribute values and then click Finish.


    • E-Mail-Addresses:Name ID
    • objectGUID:objectGUID
    • Given-Name:Given Name
    • Surname:Surname
    • User-Principal-Name:UPN
    • SAM-Account-Name:SAMAccountName

    Optional fields can be used to populate additional user account attributes and are desirable in the following scenarios:

    • ObjectGUID attribute is required if you are setting up O365 with Forcepoint ONE SSE.
    • User Principal Name is helpful with Office 365 SSO when a user's email address and UPN mismatch. Forcepoint ONE SSE recommends passing the email address as Name ID and passing the UPN separately, to avoid creating a secondary fake email domain in order to provision users.
    • SAMAccountName and NetBios are helpful with Exchange in mobile use cases where ActiveSync traffic does not carry a user's email address, because Forcepoint ONE SSE will deny traffic if a user account cannot be found. Make sure to set Protect > Policies > Exchange > Login Format to NetBios Domain\SAMAccountName if applicable.
      • NetBios Domain is not an LDAP attribute available for selection. However, it can be propagated in an Outgoing Claim Rule by creating a Custom Issuance Transform Rule and using the following value, with the <Netbios_Domain> placeholder replaced with the appropriate value for your domain:
        • => issue(Type = "NetBios", Value = "<Netbios_Domain>");
        • for example, => issue(Type = "NetBios", Value = "ACME-GADGET");
    • FirstName and LastName are helpful administratively when searching for users in the Forcepoint ONE SSE admin portal (for example, IAM > User and Groups, Analyze > Logs > Proxy). Click Finish when done.

    Optional LDAP attribute   Outgoing claim type   Example
    Given-Name                Given Name            Dave
    Surname                   Surname               Demo
    User-Principal-Name       UPN                   8216372@acme-gadget.com
    SAM-Account-Name          SAMAccountName        8216372
  8. From the ADFS 2.0 main page, select Properties for the Relying Party Trust you are configuring.


  9. On the Advanced tab, select SHA-256 from the Secure Hash Algorithm drop-down. Click OK.


  10. Export the token-signing certificate to upload into the Forcepoint ONE SSE portal during the external IdP configuration on the Forcepoint ONE SSE side. In ADFS, expand Service > Certificate. Under the Token-signing section, right-click the certificate and select View.


    1. Click Copy to File to open the Certificate Export Wizard. Click Next.
    2. In the Export File Format window, select the Base 64-encoded X.509 (.CER) option and click Next.
    3. Specify a name for the file you want to export (for example, TokenSigningCert.cer) and click Next and then click Finish to export the file.
      A message is displayed stating "The export was successful."
    4. Click OK to dismiss the message.
  11. Click on AD FS 2.0 top level folder and then navigate to Action > Edit Federation Service Properties… menu item. Copy the Federation Service Name and paste it into the Login URLs of the SAML setup in the Forcepoint ONE SSE portal.

  12. Navigate to Service > Endpoints and find the Login URL Path of the SAML 2.0/WS-Federation type under Token Issuance. Append this path to the Login and Password Change URLs.


  13. Navigate to your other browser window where you logged into the Forcepoint ONE SSE portal.
    • If you followed the manual configuration steps, skip to step 14.
    • If you configured automatically via metadata, navigate to Protect > Objects > Common Objects and create a new External IdP. Provide a name for the IdP object and select ADFS for the IDP Type field. Enter the Login and Password Change URLs you created. You should replace acme-gadget.com with your domain in the following example.

  14. Enter https://<adfs url>/adfs/ls/?wa=wsignout1.0 as the Logout URL and upload your ADFS Token Signing Certificate that you exported in step 13 for the Assertion Signing Certificate. Note that <adfs url> is your current ADFS system URL.
  15. Enter the Active Login URL in order to authenticate Active requests in addition to Passive requests.

    This field is optional. However, Forcepoint ONE SSE recommends entering the Active Login URL.

    This field automatically populates with the same link you entered as the IdP login URL.

    Most Active Login URLs will be: https://<your domain>/adfs/services/trust/13/usernamemixed.

    For more information on enabling the endpoint, refer to the Get-ADFSEndpoint Microsoft technet article.

  16. Click Save to finish creating your IdP object.
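The ADFS-side steps above (3 through 12, plus the URLs needed for steps 14 and 15) can also be scripted with the AD FS PowerShell module; the script below is an added example, not part of the Forcepoint ONE SSE documentation. It assumes Windows Server 2016 or later (for the access control policy parameter), and the SAML Entity ID, the NetBIOS domain name and the export path are placeholders you replace with your own values.

```powershell
# Added example (not Forcepoint's own code): scripts the ADFS-side steps above
# with the AD FS PowerShell module. Run as an administrator on the ADFS server.
# Placeholder values are marked; replace them before running.
Import-Module ADFS
$rpName       = "Bitglass SSO"
$acsUrl       = "https://portal.bitglass.com/sso/acs/"
$rpIdentifier = "<SAML Entity ID copied from the External IdP object>"   # placeholder
$netbios      = "ACME-GADGET"                                           # placeholder
$certPath     = "C:\Temp\TokenSigningCert.cer"                          # assumed path

# Step 7 in claim rule language: the six LDAP attributes as one "Send LDAP
# Attributes as Claims" rule, then the custom NetBios issuance rule.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Forcepoint ONE SSE attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "objectGUID", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "SAMAccountName"), query = ";mail,objectGUID,givenName,sn,userPrincipalName,sAMAccountName;{0}", param = c.Value);

@RuleName = "NetBIOS domain"
 => issue(Type = "NetBios", Value = "<Netbios_Domain>");
'@
$rules = $rules.Replace("<Netbios_Domain>", $netbios)

# Steps 4-6 and 9: relying party trust with the SAML ACS endpoint, the portal's
# entity ID, Permit Everyone, and SHA-256 signing. For step 3's metadata import,
# use -MetadataUrl "https://portal.bitglass.com/sso/metadata/" instead of -Identifier/-SamlEndpoint.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl
Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpIdentifier -SamlEndpoint $acs `
    -AccessControlPolicyName "Permit everyone" -IssuanceTransformRules $rules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Step 10: export the primary token-signing certificate as Base64-encoded X.509 (.CER).
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate
$b64 = [Convert]::ToBase64String($signing.Export("Cert"))
$pem = "-----BEGIN CERTIFICATE-----`r`n" + ($b64 -replace '(.{64})', "`$1`r`n").TrimEnd() + "`r`n-----END CERTIFICATE-----"
Set-Content -Path $certPath -Value $pem -Encoding Ascii

# Steps 11-12, 14 and 15: build the URLs the portal's External IdP object needs.
$fsName   = (Get-AdfsProperties).HostName
$samlPath = (Get-AdfsEndpoint | Where-Object { $_.Protocol -eq "SAML 2.0/WS-Federation" } |
             Select-Object -First 1).AddressPath
Enable-AdfsEndpoint -TargetAddressPath "/adfs/services/trust/13/usernamemixed"  # takes effect after adfssrv restart
[pscustomobject]@{
    LoginUrl           = "https://$fsName$samlPath"
    PasswordChangeUrl  = "https://$fsName$samlPath"
    LogoutUrl          = "https://$fsName/adfs/ls/?wa=wsignout1.0"
    ActiveLoginUrl     = "https://$fsName/adfs/services/trust/13/usernamemixed"
    SigningCertificate = $certPath
}
```

The object printed at the end holds exactly the values steps 13 to 15 ask you to paste into the portal, and the .CER file is the Assertion Signing Certificate for step 14.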