Provisioning new domains

You can provision as many email domains as you wish to add into the Forcepoint ONE SSE system. Every email domain that you wish to use within Forcepoint ONE SSE must be configured, along with a corresponding authentication type for users logging in with email addresses in that domain.

Steps

  1. Navigate to IAM > Users and Groups.
  2. On the Username Domain and User Authentication tile, click the green plus icon.
    The Username Domain dialog opens.

  3. Enter the Username Domain.
  4. Select the applicable Authentication method the users are validated against.
    Option: Description
    Local Passwords: Allows you to add and manage users locally inside of Forcepoint ONE SSE.
    AD Agent Authentication: Allows you to set up Active Directory sync to provision users.
    External Identity Provider: Allows you to leverage SAML 2.0 user authentication against an already deployed IAM product which provides Single Sign-On (SSO). Authentication requests for users in the configured domain are sent to the Identity Provider (IdP).
  5. If you have selected Local Passwords as the Authentication, then you can select the following field:
    To send a password set email to the user's company email anytime a new user is created locally, select the Send password set emails upon account creation check box.

  6. If you have selected AD Agent Authentication as the Authentication, then you can select the following field:
    To allow self-service password reset by redirecting to a predefined URL, select the Allow self-service password reset check box and then enter the AD Password Change URL.

    • Agent authentication can be utilized once your User Source has been set to Active Directory. Forcepoint ONE SSE can cache a user's AD password hash so that authentication is done inside of Forcepoint ONE SSE instead of querying AD every time. The cache expires every 24 hours.
    • If you are using AD agent authentication, it is required that you have redundant agents set up in order to ensure High Availability. This ensures users can log in in the event of a failure, for example, the agent becomes unreachable, agent connectivity to the AD server is lost, the machine running the agent goes down/reboots, etc.
  7. If you have selected External Identity Provider as the Authentication, then you can select the following fields:
    1. To enable Forcepoint ONE SSE to auto-create users upon successful SAML Auth to an external IdP, select the Auto-provision users upon Auth success check box.

      Required attributes such as Last Name, First Name, User Principal Name, SAMAccountName and NetBIOS Domain can be optionally imported directly from the SAML response. This eliminates the need to manually create users or to synchronize account information via the Active Directory Sync Client.

    2. To use a configured IdP, select the applicable IdP from the IDP Object drop-down list.
      To use the SAML Identity Provider, you will need to configure the SAML settings.
  8. Click Create to create the user domain with the entered details.
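As an added illustration of step 7 (this is example code, not Forcepoint's implementation), the snippet below reads the attributes listed above out of a SAML 2.0 assertion and only builds a provisioning record when the asserted user belongs to the username domain the IdP is bound to and every required attribute is present. The attribute names, the sample assertion and the `provisioning_record` function are assumptions constructed for this example; signature validation of the assertion is assumed to have already happened upstream.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mapping from SAML attribute names (constructed for this example; real IdPs
# vary) to the fields Forcepoint ONE SSE needs to create a user.
REQUIRED = {
    "givenName": "first_name",
    "sn": "last_name",
    "userPrincipalName": "upn",
    "sAMAccountName": "sam_account_name",
    "netbiosDomain": "netbios_domain",
}

# Constructed sample assertion; a real one would be signed and much longer.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userPrincipalName"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="netbiosDomain"><saml:AttributeValue>EXAMPLE</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def provisioning_record(assertion_xml, username_domain):
    """Return the user record to auto-provision, or None if the assertion
    is for another domain or lacks a required attribute (hypothetical helper)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS) or ""
    # Only the configured username domain may be provisioned through this IdP;
    # an assertion for any other domain is rejected rather than creating a user.
    if "@" not in name_id or name_id.rsplit("@", 1)[1].lower() != username_domain.lower():
        return None
    record = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name in REQUIRED:
            value = attr.findtext("saml:AttributeValue", namespaces=NS)
            if value and value.strip():
                record[REQUIRED[name]] = value.strip()
    # Every attribute the page lists as required must be present to auto-create.
    if any(field not in record for field in REQUIRED.values()):
        return None
    record["username"] = name_id.lower()
    return record
```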

Next steps

If required, you can edit an existing domain by clicking its name and making the desired changes to the user source and authentication.