Microsoft Entra ID: Configuring Forcepoint ONE SSE as a SAML SP

You can set up Microsoft Entra ID as an IdP within Forcepoint ONE SSE. This setup configures SAML SSO proxy authentication for any applications other than Microsoft apps.

Attention: Azure Active Directory (AD) is renamed as Microsoft Entra ID.
Note:
  • SAML proxies cannot support applications with their own internal IdP system. This is because the application needs to point to the SAML proxy, in this case Forcepoint ONE SSE, as its IdP, and Forcepoint ONE SSE in turn points to the external IdP as the true source of authentication. When the app and the IdP are part of the same ecosystem, this causes a login loop (the user attempts to log in to M365, is sent to Forcepoint ONE SSE, which sends them to Microsoft Entra ID, which checks the M365 setup and sends them back to Forcepoint ONE SSE).
  • To use Microsoft Entra ID as an IdP for Microsoft 365 applications, follow the steps in Microsoft Entra IdP: Configuring Reverse Proxy for Microsoft 365.

Steps

  1. Log into your Azure admin portal and navigate to Microsoft Entra ID > Enterprise Applications.
  2. On the Enterprise Applications page, select All applications and then click New application.
  3. On the Browse Microsoft Entra Gallery page, click Create your own application.
  4. On the Create your own application dialog that appears on the right:
    1. Enter a recognizable application name.
    2. Ensure Integrate any other application you don't find in the gallery (Non-gallery) is selected.
    3. Click Create.

    Wait for the application to be created.

  5. On the newly created app page, select Assign users and groups and assign the users/groups that will be accessing apps and authenticating through Forcepoint ONE SSE.
    Note: The Forcepoint ONE SSE UI supports UTF-8 characters. However, the SAML assertion only supports low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, SAML sign-in fails.
  6. Once you have assigned your users/groups, select Set up single sign on and then click SAML.

  7. On the Set up Single Sign-On with SAML page:
    Section 3: If you have not created a SAML Signing Certificate already, you will need to create one. If you have already created one, skip to step 8. Otherwise, click Add a certificate and then, in the new tab that appears, click New Certificate. Set the fields as below and click Save.
    • Signing Option: Sign SAML assertion
    • Signing Algorithm: SHA-256

    Leave this page open.

  8. Open a new browser window/tab and log in to your Forcepoint ONE SSE admin portal.
  9. Navigate to Protect > Objects > Common Objects and then click the green icon to add a new External IdP.
  10. On the new IdP object page, provide a name and then select Other IdP from the IDP Type drop-down. Copy the following values from the Forcepoint ONE SSE IdP object to the Set up Single Sign-On with SAML page in Azure (step 7).
    1. Copy the Forcepoint ONE SSE SAML Entity ID into the Identifier (Entity ID) field in Azure.
    2. Enter https://portal.bitglass.com/sso/acs/ in the Reply URL (Assertion Consumer Service URL) field in Azure.

    3. Enter bg_azure_ad_rp_login in the Relay State field.
      Important: Enter a value in the Relay State field only when you are configuring the Microsoft Entra reverse proxy application.
  11. Copy over information from the Azure page in step 7 to Forcepoint ONE SSE.
    1. Download the certificate created in step 7 above as Base64 and then upload it to the Token Signing Certificate field in Forcepoint ONE SSE.
    2. Copy over the Login URL from Azure to the Login URL field in Forcepoint ONE SSE.
    3. Copy over the Logout URL in Azure to the Logout URL field in Forcepoint ONE SSE.

  12. Click Save on both pages of setup.
    Now you are set to use Microsoft Entra ID as the IdP for other applications protected by Forcepoint ONE SSE.
  13. On the Forcepoint ONE SSE portal:
    1. Navigate to IAM > Users and Groups page.
    2. In the Username Domain and User Authentication section, click the username domain you want to configure.
    3. On the Username Domain dialog, select External Identity Provider as the Authentication method and then select the IdP you created in step 10 from the IDP Object drop-down.

    4. Click Save.
      Users in that domain are now required to authenticate through the selected Microsoft Entra ID IdP.
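The values exchanged in steps 7 and 10 (ACS URL, Entity ID, SHA-256 assertion signing) and the low-ASCII rule from the note in step 5 are the usual causes of a failed first login. The following script is an added example, not part of the Forcepoint or Microsoft documentation: it parses a SAML Response of the shape Entra ID posts to the ACS and reports where it disagrees with what this guide tells you to configure. The SP Entity ID and the Entra tenant ID are constructed placeholders, the `build_sample_response` helper fabricates a response with a dummy signature, and "low-ASCII" is assumed to mean code points below 0x80. It does not verify the XML signature cryptographically; that is the SP's job at login time.

```python
"""Sanity-check a SAML Response against the settings configured in this guide.

Added example (not Forcepoint's or Microsoft's code). Compares a Response with the
Reply URL, Entity ID and signing algorithm entered in Azure, and applies the
low-ASCII attribute-value rule. Signature bytes are NOT verified here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Reply URL (ACS) from step 10.2 of the guide.
ACS_URL = "https://portal.bitglass.com/sso/acs/"
# Constructed placeholder for the tenant-specific Forcepoint ONE SSE SAML Entity ID (step 10.1).
SP_ENTITY_ID = "https://portal.bitglass.com/sso/saml/EXAMPLE-TENANT"
# XML-DSig URI for the "SHA-256" signing algorithm selected in step 7.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def check_response(xml_text, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Destination must equal the Reply URL (ACS) registered in Azure.
    dest = root.get("Destination")
    if dest != acs_url:
        findings.append(f"Destination {dest!r} does not match ACS URL {acs_url!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("Response carries no Assertion")
        return findings

    # 2. Audience must equal the Identifier (Entity ID) entered in Azure.
    audiences = [a.text for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(f"Audience {audiences!r} does not include SP Entity ID {sp_entity_id!r}")

    # 3. "Sign SAML assertion" + "SHA-256" means an RSA-SHA256 signature on the Assertion itself.
    sig_method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is None:
        findings.append("Assertion is not signed")
    elif sig_method.get("Algorithm") != RSA_SHA256:
        findings.append(
            f"Assertion signed with {sig_method.get('Algorithm')!r}, expected {RSA_SHA256!r}")

    # 4. Attribute values must be low-ASCII (assumed here: every code point < 0x80).
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        for value in attr.iterfind("saml:AttributeValue", NS):
            bad = [c for c in (value.text or "") if ord(c) > 0x7F]
            if bad:
                findings.append(
                    f"Attribute {attr.get('Name')!r} contains non-ASCII characters {bad!r}; "
                    "sign-in will fail")
    return findings


def build_sample_response(display_name, sig_alg=RSA_SHA256, destination=ACS_URL,
                          audience=SP_ENTITY_ID):
    """Constructed SAML Response shaped like the IdP's POST, with a dummy signature value."""
    issuer = "https://sts.windows.net/EXAMPLE-TENANT-ID/"  # placeholder tenant
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <saml:AttributeValue>{display_name}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # A clean response yields no findings; a display name with accents trips the ASCII rule.
    print(check_response(build_sample_response("Jose Alvarez")))
    print(check_response(build_sample_response("José Álvarez")))
```

To use it against a real login, capture the base64 `SAMLResponse` form field from the browser's network tab, decode it, and pass the XML text to `check_response` with your tenant's actual Entity ID. Any finding maps directly to one of the fields in steps 7, 10 or the attribute note in step 5.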