PingOne: Configuring Forcepoint ONE SSE as a SAML SP

You can configure PingOne as an external IdP inside of Forcepoint ONE SSE.

Before you begin

You will need admin access to both the Forcepoint ONE SSE portal and to PingOne to proceed.
Note: Forcepoint ONE SSE UI supports UTF-8 characters. However, the SAML assertion only supports low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, then SAML sign-in failures occur.

Note: When attempting to setup a new SAML app inside of PingOne, the option will be grayed out until you complete the initial setup.

Steps

  1. Login to Forcepoint ONE SSE as an admin and navigate to Protect > Objects > Common Objects and locate the External IDP card. Click the green plus icon to add a new IdP object.


  2. Provide an Object Name (PingOne) and select PingOne from the IDP type drop-down.

    In addition, download the SAML IdP Single Logout Verification Certificate at the bottom and save it for later. Leave this page open in it's own tab or window as you will need information from here later on. To configure the rest of the settings on this page, you will need to begin your configuration inside of PingOne.



  3. Login to the PingOne admin console with an administrator account.
  4. From the left pane, expand Application and click on the Applications tab:
    1. On the Applications page, click + next to Applications.
    2. On the Add Application section, enter Application name, description, icon for application, and set the Application Type to SAML Application.


    3. Click Configure.
  5. On the SAML Configuration tab, set Provide Application Metadata to Manually Enter option, add ACS URLs and Entity ID:
    • ACS URLs: https://portal.bitglass.com/sso/acs/
    • Copy the Entity ID from your Forcepoint ONE SSE IdP setup page and paste it here.




  6. To create the application, click Save.
  7. On the Attribute Mappings tab:
    1. On the upper-right corner of the page, click the edit icon.
    2. Under pre-existing saml_subject attribute, select Email Address.


    3. Click Save.
  8. On the Configuration tab:
    1. On the upper-right corner of the page, click the edit icon.
    2. From the Subject NameID Format drop-down, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    3. Click Save.
    4. Click Download Metadata to download the metadata file.
    5. Click Download Signing Certificate and select X509 PEM (.crt) option to download the certificate in PEM or DER format.
  9. Back on Forcepoint ONE SSE browser tab that is still open, upload the following:
    1. Upload the metadata file you just downloaded to the SAML IdP Metadata XML field. It should populate both the Login and Logout URLs.
    2. Upload the Token Signing Certificate that you just downloaded.




    Note: Refer to the PingOne guide page as there are different logout behaviors depending on the SLO URL you choose to use.
  10. Use the object to apply to your entire domain on the Users and Groups page or per individual application/app instance.
    Note: Changes to the SAML application settings on PingOne will take effect only after the updated metadata file is uploaded to Forcepoint ONE SSE after saving the configuration changes on the PingOne console.