Authentication

AD Agent authentication fails for any user for whom the maxPwdAge attribute is not defined. AD administrators can create a new GPO, or edit an existing one, to apply the maxPwdAge setting (the "Maximum password age" policy under Account Policies > Password Policy) so that it covers all user accounts. The password expiration age can be set to any value, including 0, which means passwords never expire.
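As an added example (not part of the Forcepoint documentation), the PowerShell audit below reads the domain's raw maxPwdAge and each enabled user's resolved password expiry, so an administrator can find accounts with no effective maximum password age before rolling out the AD Agent. It assumes the RSAT ActiveDirectory module and read access to the domain object and user attributes; the output file name is an arbitrary choice.

```powershell
# Added example: audit the maximum-password-age configuration the AD Agent
# depends on. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# maxPwdAge is stored on the domain naming-context head as a negative Int64
# in 100-nanosecond ticks; Int64.MinValue means "passwords never expire".
$domain    = Get-ADDomain
$domObj    = Get-ADObject -Identity $domain.DistinguishedName -Properties maxPwdAge
$maxPwdAge = [int64]$domObj.maxPwdAge

if ($maxPwdAge -eq [int64]::MinValue) {
    Write-Host "Domain maxPwdAge: not set (passwords never expire)"
} else {
    $days = [TimeSpan]::FromTicks(-$maxPwdAge).TotalDays
    Write-Host ("Domain maxPwdAge: {0:N0} days" -f $days)
}

# Per user, AD resolves the effective policy (domain policy or a fine-grained
# PSO) into the constructed attribute msDS-UserPasswordExpiryTimeComputed,
# a FILETIME. Int64.MaxValue means the password never expires.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties `
    'msDS-UserPasswordExpiryTimeComputed', 'msDS-ResultantPSO', PasswordNeverExpires

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        ResultantPSO         = $u.'msDS-ResultantPSO'   # $null = domain policy applies
        PasswordNeverExpires = $u.PasswordNeverExpires
        ExpiryTime           = if ($null -eq $raw) { $null }
                               elseif ($raw -eq [int64]::MaxValue) { 'Never' }
                               else { [DateTime]::FromFileTimeUtc($raw) }
    }
}

# Accounts with no computed expiry at all are the ones to fix first;
# 'Never' is a permitted policy choice, but worth reviewing.
Write-Host "Users with no resolved password expiry:"
$report | Where-Object { $null -eq $_.ExpiryTime } | Format-Table -AutoSize

# Full audit for review (path is an arbitrary choice for this example).
$report | Export-Csv -Path .\pwd-expiry-audit.csv -NoTypeInformation
```

Run it from a domain-joined host as an account that can read the domain object; if the first line reports that maxPwdAge is not set, fix the GPO before troubleshooting individual users.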

Native Application IdP Integration

Broadly speaking, any SAML 2.0 IdP and any app can be integrated with Forcepoint ONE SSE to enforce access controls. The exception is a native IdP that is hard-coded to its vendor's own applications. Specifically, Microsoft Entra ID is hard-coded into Microsoft applications such as Office 365 and cannot be used to enforce access controls for Office 365 through the CASB. Microsoft Entra ID can, however, be integrated with the CASB to enforce access controls for non-Microsoft apps. The same holds for Google Directory and G Suite.

  • When an organization uses the native IdP from Microsoft or Google, that IdP can be integrated with Forcepoint ONE SSE to secure every app except the native ones, e.g. Office 365 with Microsoft Entra ID, or G Suite with Google Directory. The native apps can then only be governed by their own native controls, so this arrangement does not deliver a uniform security posture across all apps. To enforce a uniform posture for every app, including the native apps, an independent IdP is required to enforce the CASB controls. There are two options:

    1. Use Forcepoint ONE SSE itself as the IdP for applications. This is done through the Forcepoint ONE SSE DirSync agent: Forcepoint ONE SSE verifies user credentials dynamically against the organization's directory to authenticate users.
    2. Deploy an independent IdP (e.g. Okta, Ping, ADFS) and integrate it with the CASB.
    Note: Forcepoint ONE SSE does offer SCIM integration with Microsoft Entra ID to help admins provision users into Forcepoint ONE SSE. This is user provisioning, as distinct from authentication.