Sending SAML attributes from IdP to Forcepoint ONE SSE

You can configure your IdP to send Forcepoint ONE SSE the following attributes with the SAML assertion so that Forcepoint ONE SSE receives the necessary user information.

Note: The Forcepoint ONE SSE UI supports UTF-8 characters. However, the SAML assertion only supports low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, SAML sign-in fails.

You may need to map these attributes to different local attributes depending on your user data source.

| Attribute Name | Attribute Type/Format | Example |
|---|---|---|
| Name ID/Subject | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | ddemo@acme-corp.com |
| objectGUID - Required for Office 365 | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | 50e38134-ae4e-4766-ba7d-6829b803bfcc |
| FirstName - Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Dave |
| LastName - Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Demo |
| User Principal Name - Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | 8216372@acme-gadget.com |
| SAMAccountName - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | 8216372 |
| NetBios - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | ACME-GADGET |
| BGCustom1 - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | FE9ADE3FFA97C8DF225BBBC05D3521A |
| BGCustom2 - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | 4987F497-E59C-42E3-8733-5EE349D67BB0 |

Optional fields can be used to populate additional user account attributes and are desirable in the following scenarios:

  • User Principal Name: Helpful with Microsoft 365 SSO when a user's email address and UPN do not match. Forcepoint ONE SSE recommends passing the email address as Name ID and passing the UPN separately, which avoids creating a secondary fake email domain in order to provision users.
  • SAMAccountName & NetBios: Helpful with Exchange in mobile use cases where ActiveSync traffic does not carry a user's email address, because Forcepoint ONE SSE denies traffic if a user account cannot be found. Make sure to set Protect > Policies > Exchange > Login Format to NetBios Domain\SAMAccountName if applicable.
  • FirstName & LastName: Helpful administratively when searching for users in the Forcepoint ONE SSE admin portal (for example, IAM > Users and Groups > Users, Analyze > Logs > Proxy).
  • BGCustom1 & BGCustom2: Can be sent in SAML responses as alternate NameID options for apps that do not use email addresses to map IdP accounts to cloud app accounts.

    Example: Salesforce, when authenticating users against a user's Federation ID account attribute.

    BGCustom1 corresponds to Custom Attribute 1, while BGCustom2 corresponds to Custom Attribute 2 in the Users and Groups > User Details fields.
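The following pre-flight checker is an added example, not Forcepoint's code and not part of the original page. It parses a SAML 2.0 assertion and reports the conditions described above that would break sign-in: a Name ID that is not in the emailAddress format, a missing objectGUID, and any attribute value containing characters outside low-ASCII. It assumes the IdP emits either the friendly attribute names from the table or the claim URIs listed there (the alias mapping is an assumption); the sample assertions are constructed from the table's example values and are unsigned test data, not real IdP responses.

```python
"""Pre-flight check of a SAML assertion against the attribute rules above.

Hypothetical helper, not Forcepoint ONE SSE code. Flags: NameID not in the
emailAddress format, missing objectGUID (required for Office 365), and any
attribute value that is not low-ASCII (the page says these fail sign-in).
"""
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_NS = {"saml": ASSERTION_NS}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Some IdPs (e.g. AD FS) emit the claim URI as the Attribute Name; normalise
# those to the friendly names in the table. This mapping is an assumption.
CLAIM_ALIASES = {
    CLAIMS + "givenname": "FirstName",
    CLAIMS + "surname": "LastName",
    CLAIMS + "upn": "User Principal Name",
}
REQUIRED_ATTRIBUTES = {"objectGUID"}  # required for Office 365 per the table


def is_low_ascii(value):
    """True when every character is printable 7-bit ASCII (0x20..0x7E)."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in value)


def parse_attributes(root):
    """Map each saml:Attribute Name (normalised) to its list of string values."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        raw_name = attr.get("Name")
        name = CLAIM_ALIASES.get(raw_name, raw_name)
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_assertion(xml_text):
    """Return a list of problem strings; an empty list means the assertion passes."""
    problems = []
    root = ET.fromstring(xml_text)

    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    else:
        fmt = name_id.get("Format")
        if fmt != EMAIL_NAMEID_FORMAT:
            problems.append(f"NameID Format is {fmt!r}, expected emailAddress")
        if not is_low_ascii(name_id.text or ""):
            problems.append("NameID value is not low-ASCII")

    attrs = parse_attributes(root)
    for required in sorted(REQUIRED_ATTRIBUTES):
        if not any(attrs.get(required, [])):
            problems.append(f"required attribute {required} is missing or empty")
    for name, values in attrs.items():
        for value in values:
            if not is_low_ascii(value):
                problems.append(f"attribute {name} value {value!r} is not low-ASCII")
    return problems


def build_assertion(name_id, attributes):
    """Build a minimal unsigned assertion (constructed test data, not a real IdP response)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}" NameFormat="{UNSPECIFIED_FORMAT}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes
    )
    return (
        f'<saml:Assertion xmlns:saml="{ASSERTION_NS}" Version="2.0">'
        f'<saml:Subject><saml:NameID Format="{EMAIL_NAMEID_FORMAT}">{name_id}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed passing sample using the example values from the table above.
GOOD_ASSERTION = build_assertion(
    "ddemo@acme-corp.com",
    [
        ("objectGUID", "50e38134-ae4e-4766-ba7d-6829b803bfcc"),
        (CLAIMS + "givenname", "Dave"),
        (CLAIMS + "surname", "Demo"),
        (CLAIMS + "upn", "8216372@acme-gadget.com"),
    ],
)

# Constructed failing sample: objectGUID omitted and a non-ASCII surname.
BAD_ASSERTION = build_assertion(
    "ddemo@acme-corp.com",
    [(CLAIMS + "givenname", "Dave"), (CLAIMS + "surname", "D\u00ebmo")],
)

if __name__ == "__main__":
    for label, assertion in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(assertion) or "OK")
```

Run it against a decoded SAMLResponse captured from a test login (for example, from the browser's developer tools) before cutting users over; a non-empty problem list points at the attribute mapping to fix on the IdP side. The checker does not validate the XML signature, so it complements rather than replaces the normal SAML trust checks.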