DUO: Configuring Forcepoint ONE SSE as a SAML SP

You can configure Forcepoint ONE SSE as a SAML SP for DUO. DUO typically provides both two-factor authentication and Identity Provider (IdP) services. Forcepoint ONE SSE can point to any IdP for user authentication and account creation.

Before you begin

Note: Forcepoint ONE SSE UI supports UTF-8 characters. However, the SAML assertion only supports low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, then SAML sign-in failures occur.

Follow the steps below to configure DUO as an IdP for Forcepoint ONE SSE. If you are looking for how to set up DUO for MFA, refer to the MFA DUO Security (Push) Setup.

Steps

  1. Log in to the Duo admin console. Go to the Applications tab and create a new application of type SAML - Service Provider, and give it a name (for example, SAML - Forcepoint ONE).
  2. For the application configuration, fill out all of the fields and save the configuration. You can find the information needed in Any SAML IdP: Configuring Forcepoint ONE SSE as a SAML SP.
  3. After saving, go back to the application and click Download your configuration file to access the JSON code. Modify the "saml20.sign.response": false line by setting the value to true, then save the file.

    Keep the Duo admin portal open as you perform the next steps.

  4. In another browser window, log in to the Forcepoint ONE SSE admin portal as an administrator and navigate to the Protect > Objects > Common Objects page. Locate the External IdP card and click the green plus icon to add a new IdP.
  5. On the SAML Authentication page, provide an Object Name to recognize the IdP and then select DUO as the IdP Type.
    • In the Duo admin portal, look under the Metadata section at the bottom of the DAG console’s Applications page. You will find the SAML IdP Login URL and SAML IdP Logout URL as well as the Token Signing Certificate on this page.
      • For the Login URL example, the URL is: https://duosso.bgdomain.com/dag/saml2/idp/SSOService.php
      • For the Logout URL example, the URL is: https://duosso.bgdomain.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://duosso.bgdomain.com/dag/module.php/duosecurity/logout.php
    • For the Authproxy Host and Port, enter the host information and the proxy port you are using. By default, DUO uses TCP/443.
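Two of the steps above are easy to get wrong silently: the "saml20.sign.response" edit in step 3 and the low-ASCII limit on attribute values from the note at the top. The following Python pre-flight check is an added example, not part of this page or of Duo's or Forcepoint's tooling; it assumes only the "saml20.sign.response" key from the page, and the other JSON field and the sample attributes are constructed placeholders.

```python
import json
from typing import Dict, List, Tuple

# Key named in the configuration file downloaded from the Duo admin console.
SIGN_RESPONSE_KEY = "saml20.sign.response"

# Constructed sample of a downloaded Duo configuration. Only SIGN_RESPONSE_KEY
# is taken from the page; "sp_name" is a placeholder for the other fields.
SAMPLE_DUO_CONFIG = json.dumps({
    "sp_name": "SAML - Forcepoint ONE",  # placeholder field and value
    SIGN_RESPONSE_KEY: False,
})


def response_signing_enabled(config_text: str) -> bool:
    """True only if the file already asks Duo to sign the SAML response."""
    return json.loads(config_text).get(SIGN_RESPONSE_KEY) is True


def enable_response_signing(config_text: str) -> Tuple[str, bool]:
    """Return (updated JSON text, changed).

    Step 3 requires the response itself to be signed, so a file that leaves
    the key false or omits it is rewritten; a file already set to true is
    returned as-is with changed=False.
    """
    config = json.loads(config_text)
    changed = config.get(SIGN_RESPONSE_KEY) is not True
    config[SIGN_RESPONSE_KEY] = True
    return json.dumps(config, indent=2), changed


def non_low_ascii_attributes(attributes: Dict[str, object]) -> Dict[str, List[str]]:
    """Map attribute name -> offending characters (code point above 0x7F).

    Any attribute listed here would make the SAML sign-in fail, even though
    the Forcepoint ONE SSE UI itself accepts UTF-8.
    """
    offenders: Dict[str, List[str]] = {}
    for name, value in attributes.items():
        values = value if isinstance(value, list) else [value]
        bad = sorted({ch for v in values for ch in str(v) if ord(ch) > 0x7F})
        if bad:
            offenders[name] = bad
    return offenders


if __name__ == "__main__":
    updated, changed = enable_response_signing(SAMPLE_DUO_CONFIG)
    print("config changed:", changed)
    # Constructed attributes: the umlaut in displayName would break sign-in.
    print(non_low_ascii_attributes({"email": "jdoe@example.com", "displayName": "Jörg Doe"}))
```

Run it against the real downloaded file by reading the file into `enable_response_signing` and writing the returned text back before uploading it to Duo.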

Result

The Duo SSO portion has been configured successfully. Verify that SSO is working by logging into the Forcepoint ONE SSE portal with a user within your domain.

When you enter your email, you should be redirected to Duo to log in. Once successfully logged in, you should be redirected back to the Forcepoint ONE SSE User Portal.