Sending SAML attributes from IdP to Forcepoint ONE SSE
You can configure your IdP to send Forcepoint ONE SSE the following attributes with the SAML assertion so that Forcepoint ONE SSE receives the necessary user information.
Note: The Forcepoint ONE SSE UI supports UTF-8 characters. However, the SAML assertion only supports low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, SAML sign-in failures occur.
You may need to map them to different local attributes depending on your user data source.
Attribute Name | Attribute Type/Format | Example |
---|---|---|
Name ID/Subject | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | ddemo@acme-corp.com |
objectGUID - Required for Office 365 | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | 50e38134-ae4e-4766-ba7d-6829b803bfcc |
FirstName - Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Dave |
LastName - Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Demo |
User Principal Name - Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | 8216372@acme-gadget.com |
SAMAccountName - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | 8216372 |
NetBios - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | ACME-GADGET |
BGCustom1 - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | FE9ADE3FFA97C8DF225BBBC05D3521A |
BGCustom2 - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | 4987F497-E59C-42E3-8733-5EE349D67BB0 |
Optional fields can be used to populate additional user account attributes and are desirable in the following scenarios:
- User Principal Name: Helpful with Microsoft 365 SSO when a user's email address and UPN do not match. Forcepoint ONE SSE recommends passing the email address as Name ID and passing the UPN separately, to avoid creating a secondary fake email domain in order to provision users.
- SAMAccountName & NetBios: Helpful with Exchange in mobile use cases where ActiveSync traffic does not carry a user's email address, because Forcepoint ONE SSE will deny traffic if a user account cannot be found. Make sure to set NetBios Domain\SAMAccountName if applicable.
- FirstName & LastName: Helpful administratively when searching for users in the Forcepoint ONE SSE admin portal (for example, , ).
- BGCustom1 & BGCustom2: Can be sent in SAML responses as alternate NameID options for apps that do not use email addresses to map IdP accounts to cloud app accounts. Example: Salesforce, when authenticating users against a user's Federation ID account attribute. BGCustom1 corresponds to Custom Attribute 1, while BGCustom2 corresponds to Custom Attribute 2 in the fields.
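The following is an added pre-flight check for the attribute set in the table above; it is example code written for this page, not Forcepoint's or any IdP's own code. It flags the two failure modes the page names (a missing objectGUID for Office 365 and non-low-ASCII attribute values) and renders the attributes as a SAML 2.0 AttributeStatement. Assumptions: "low-ASCII" means code points below 0x80, and claim-URI attributes are carried with the URI as the attribute Name while the others use the short name with the "unspecified" NameFormat.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ET.register_namespace("saml", SAML_NS)

# Page attribute name -> (Name used in the assertion, NameFormat or None).
# Assumption: claim URIs are the Name itself; the rest use "unspecified".
ATTRIBUTE_MAP = {
    "objectGUID": ("objectGUID", UNSPECIFIED),
    "FirstName": (CLAIMS + "givenname", None),
    "LastName": (CLAIMS + "surname", None),
    "User Principal Name": (CLAIMS + "upn", None),
    "SAMAccountName": ("SAMAccountName", UNSPECIFIED),
    "NetBios": ("NetBios", UNSPECIFIED),
    "BGCustom1": ("BGCustom1", UNSPECIFIED),
    "BGCustom2": ("BGCustom2", UNSPECIFIED),
}


def is_low_ascii(value):
    # Assumption: "low-ASCII" means every code point is below 0x80.
    return all(ord(ch) < 0x80 for ch in value)


def check_attributes(attrs, office365=False):
    """Return the problems that would break sign-in or mapping; [] means OK."""
    problems = []
    if office365 and "objectGUID" not in attrs:
        problems.append("objectGUID is required for Office 365")
    for name, value in attrs.items():
        if name not in ATTRIBUTE_MAP:
            problems.append(f"unknown attribute {name!r}")
        elif not is_low_ascii(value):
            problems.append(f"{name} contains non-low-ASCII characters: {value!r}")
    return problems


def build_attribute_statement(attrs):
    """Render the checked attributes as a SAML 2.0 AttributeStatement string."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in attrs.items():
        saml_name, name_format = ATTRIBUTE_MAP[name]
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=saml_name)
        if name_format:
            attr.set("NameFormat", name_format)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")
```

Run `check_attributes` on the values your IdP actually emits before enabling SSO; a value such as "Renée" in FirstName is reported as the cause of a sign-in failure rather than discovered at login time.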