Configuring SAML attribute match

Admins can configure SAML attributes to be passed from the external IdP to Forcepoint ONE SSE to determine if a device is managed or unmanaged.

Steps

  1. Configure the external IdP to pass the SAML attribute name and value to Forcepoint ONE SSE (for example, an attribute named Custom-managed with the value Trust).

    The attribute name and values passed are compared against the expected values set up in Forcepoint ONE SSE Device Profile Objects.

    For example, if your external IdP checks for a client certificate to determine whether the device is managed, it could pass an attribute of Managed with a value of Yes or No.

  2. Navigate to Protect > Objects > Common Objects.
  3. On the Device Profiles tile, click the green plus icon.
  4. On the Device Profiles dialog, select SAML Attribute as the Type and then click the green plus icon to create a new row with attribute and value fields.
  5. Multiple rows in the attribute table are treated as AND conditions: every listed SAML attribute must be present with its expected value for Forcepoint ONE SSE to consider the device profile object a match.
  6. These fields are highly customizable; any attribute can be entered based on your own criteria (for example, Active Directory user attributes). See the following examples:
    • AD account attributes:
      • Attribute=ExecStaff, Value=Yes
      • Attribute=Contractor, Value=Yes
    • Application access control:
      • Attribute=M365_Access, Value=Yes
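The following added example (not Forcepoint code) illustrates the AND-matching described in steps 5 and 6: it parses a constructed SAML AttributeStatement, then evaluates several device profiles built from the attribute/value rows above. It assumes exact, case-sensitive comparison of names and values, and it models only the matching stage; in a real flow the assertion's signature and conditions must already have been validated before any attribute is trusted.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement, shaped like what an external IdP might send.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Managed"><saml:AttributeValue>Yes</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ExecStaff"><saml:AttributeValue>Yes</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="M365_Access"><saml:AttributeValue>No</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml: str) -> dict[str, set[str]]:
    """Return {attribute name: set of values} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, set[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = {v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs

def profile_matches(profile: list[tuple[str, str]], attrs: dict[str, set[str]]) -> bool:
    """AND semantics: every (name, value) row of the profile must appear in the assertion."""
    return all(value in attrs.get(name, set()) for name, value in profile)

def classify(profiles: dict[str, list[tuple[str, str]]], assertion_xml: str) -> list[str]:
    """Return the names of all device profiles that the assertion satisfies."""
    attrs = extract_attributes(assertion_xml)
    return [name for name, rows in profiles.items() if profile_matches(rows, attrs)]

# Hypothetical device profiles built from the attribute/value rows in this guide.
DEVICE_PROFILES = {
    "Managed-Device": [("Managed", "Yes")],
    "Managed-ExecStaff": [("Managed", "Yes"), ("ExecStaff", "Yes")],
    "Managed-M365": [("Managed", "Yes"), ("M365_Access", "Yes")],  # no match: value is "No"
    "Contractor": [("Contractor", "Yes")],  # no match: attribute absent from assertion
}

if __name__ == "__main__":
    print(classify(DEVICE_PROFILES, SAMPLE_ASSERTION))  # ['Managed-Device', 'Managed-ExecStaff']
```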

Next steps

Once you have configured the Device Profile for SAML Attribute matching, you can move on to creating policies.