Cyberark Idaptive: Configuring Forcepoint ONE SSE as a SAML SP

You can add Cyberark Idaptive as an external IdP via SAML SSO integration with Forcepoint ONE SSE. Forcepoint ONE SSE offers both IdP-initiated SAML SSO (for SSO access through the user portal or Idaptive mobile applications) and SP-initiated SAML SSO (for SSO access directly through the Forcepoint ONE SSE web application).

You can configure Forcepoint ONE SSE for either or both types of SSO. Enabling both methods ensures that users can log into Forcepoint ONE SSE in different situations, such as clicking through a notification email. Refer to Cyberark's documentation for more information.

Before you begin

Before starting, you will need the SAML Entity ID from Forcepoint ONE SSE. To get this, start by logging into the Forcepoint ONE SSE admin console with an admin account with the proper permissions to create IdP objects.
Note: Forcepoint ONE SSE UI supports UTF-8 characters. However, the SAML assertion only supports low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, then SAML sign-in failures occur.

Steps

  1. In the Forcepoint ONE SSE admin portal, navigate to Protect > Objects > Common Objects. Click the green plus icon to add a new IdP object. Make note of the SAML Entity ID as you will need this for step 7. It's recommended you keep this window open for the Forcepoint ONE SSE Setup section below.

  2. Open a new browser window or tab and log in to Cyberark with an admin account that has the correct permissions to add an application.
  3. Navigate to Apps > Web Apps > Add Web Apps.
  4. On the Add Web Apps page, use the search function to find the Bitglass SAML app and click Add.

    You should now see the Bitglass app under the Apps > Web Apps page.

  5. Click the Bitglass app to start configuration.
  6. On the Trust tab, under Identity Provider Configuration:
    1. Click Signing Certificate and download the certificate.
    2. Click Download Metadata File to download the file which you will be using later to configure Idaptive as an IdP on the Forcepoint ONE SSE Admin Portal.
  7. Scroll down to the Service Provider Configuration section, enter the following information and then Save.
    1. Enter the Forcepoint ONE SSE SAML Entity ID you got in step 1 at the top.
    2. Enter the ACS Proxy as https://portal.bitglass.com/sso/acs/
    3. In the Recipient, enter the same URL as the ACS Proxy.
    4. Set Sign Response to Assertion.
    5. Set NameID to emailAddress.
    6. Set Single Logout URL to https://portal.bitglass.com/accounts/logout/
    7. Set Relay State to bg_portal_login. For SP-initiated authentication, Forcepoint ONE SSE will set the relay_state parameter in the SAML request to bg_saml_login.
  8. After saving, navigate to the Permissions section in the left-hand sub-menu. The status of the Bitglass app will be Ready to Deploy. To deploy the Bitglass app, click the Add button, select the Admin user and then, under permissions, ensure the Grant, View, Run and Automatically Deploy permissions are selected and save. This should change the status of the application to Deployed.
  9. You can add users who will be required to authenticate against Forcepoint ONE SSE.
    1. The permissions required for regular users to be able to use this setup are View and Run.
    2. Click Add and you have the option to add individual users selectively or add the groups by selecting the group names. This is done per your use case.
    3. Save the settings upon adding the users and granting permissions.
    With the configuration setup in Idaptive, you can now finish the deployment in Forcepoint ONE SSE.
  10. Navigate back to the window that you opened up in Step 1. You will need to fill out the rest of the configuration fields, and save when done:
    1. Object Name: Enter a recognizable name for the IdP object.
    2. IdP Type: Select Other IdP
    3. SAML IdP Metadata XML: Upload the SAML metadata file you downloaded in step 6.b
    4. SAML IdP URLs: For the three URLs, just verify that they were filled out correctly from the metadata file you uploaded.
    5. SAML IdP Single Logout Request Method: Set this to Get
    6. Token Signing Certificate: Upload the cert you downloaded in step 6.a
    7. Use Assertion Consumption Service proxy for app login: This is not required but can be used when customers want to configure an app's SSO settings to point directly to an existing Identity Provider (IdP). The IdP must support alteration of the ACS login URL so the SAML response can be sent to Bitglass' ACS Proxy endpoint.
    8. ForceAuthN: Also not required right now. This setting forces your external IdP to re-authenticate the user on every login.
  11. With the IdP object created, you can now set the IdP as the default authentication mechanism for your domain. Navigate to IAM > Users and Groups and select your domain in the domain card at the top.

    In the pop-up window, select External Identity Provider and use the drop-down list to select the Idaptive IdP Object and save.

  12. You can test the authentication flow. To do this, open an incognito window and navigate to the Forcepoint ONE SSE portal login. Enter your email address and hit tab. This should now redirect to Idaptive to enter your email/password and any MFA/2FA if set.
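Before filling out the IdP object in step 10, it helps to confirm that the metadata file and signing certificate downloaded in step 6 agree with what the object expects (a Redirect-bound logout endpoint for the Get method, the emailAddress NameID format set in step 7, HTTPS endpoints, and a certificate that matches the metadata's signing key). The following is an added example script, not part of the Forcepoint or Cyberark documentation; the metadata, entityID, URLs and certificate body in it are constructed placeholders, not real Idaptive values.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed sample in the shape of the metadata an IdP exports in step 6.
# The entityID, URLs and certificate body are placeholders, not real Idaptive values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/placeholder">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   UExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
# Constructed stand-in for the signing certificate downloaded in step 6 (same placeholder body).
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"

def pem_to_der(pem):
    """Strip the PEM armour and return the raw DER bytes."""
    return base64.b64decode("".join(l for l in pem.splitlines() if l and not l.startswith("-----")))

def parse_idp_metadata(xml_text):
    """Pull the fields the IdP object in step 10 needs out of a SAML 2.0 IdP metadata file."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    svc = lambda tag: {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}
    return {
        "entity_id": root.get("entityID"),
        "sso": svc("md:SingleSignOnService"),
        "slo": svc("md:SingleLogoutService"),
        "nameid_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": [base64.b64decode("".join(c.text.split()))
                          for kd in idp.findall("md:KeyDescriptor[@use='signing']", NS)
                          for c in kd.findall(".//ds:X509Certificate", NS)],
    }

def check_idp_config(xml_text, cert_pem):
    """Return the problems found; an empty list means the file matches what step 10 expects."""
    m, problems = parse_idp_metadata(xml_text), []
    if REDIRECT not in m["slo"]:
        problems.append("no HTTP-Redirect SingleLogoutService (needed for the Get logout method)")
    if EMAIL_FMT not in m["nameid_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format")
    for url in [m["entity_id"], *m["sso"].values(), *m["slo"].values()]:
        if not str(url).startswith("https://"):
            problems.append(f"non-HTTPS URL in metadata: {url}")
    want = hashlib.sha256(pem_to_der(cert_pem)).digest()  # compare DER fingerprints
    if want not in [hashlib.sha256(d).digest() for d in m["signing_certs"]]:
        problems.append("downloaded signing certificate does not match the metadata signing key")
    return problems
```

Run it against the real files by reading them from disk and passing their contents to check_idp_config; any string it returns is something to fix before saving the IdP object.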