Sending SAML attributes from IdP to Forcepoint Data Security Cloud | SSE
You can configure your IdP to send Forcepoint Data Security Cloud | SSE the following attributes with the SAML assertion so that Forcepoint Data Security Cloud | SSE receives the necessary user information.
Note: The Forcepoint Data Security Cloud | SSE UI supports UTF-8 characters. However, the SAML assertion only supports low-ASCII characters as attribute values. If an attribute value contains characters that are not low-ASCII, SAML sign-in fails.
Depending on your user data source, you may need to map these attributes to different local attributes.
| Attribute Name | Attribute Type/Format | Example |
|---|---|---|
| Name ID/Subject | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | ddemo@acme-corp.com |
| objectGUID - Required for Office 365 | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | 50e38134-ae4e-4766-ba7d-6829b803bfcc |
| FirstName - Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Dave |
| LastName - Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Demo |
| User Principal Name - Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | 8216372@acme-gadget.com |
| SAMAccountName - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | 8216372 |
| NetBios - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | ACME-GADGET |
| BGCustom1 - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | FE9ADE3FFA97C8DF225BBBC05D3521A |
| BGCustom2 - Optional | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | 4987F497-E59C-42E3-8733-5EE349D67BB0 |
Optional fields can be used to populate additional user account attributes and are useful in the following scenarios:
- User Principal Name: Helpful with Microsoft 365 SSO when a user's email address and UPN do not match. Forcepoint Data Security Cloud | SSE recommends passing the email address as the Name ID and passing the UPN separately, which avoids creating a secondary fake email domain to allow provisioning of users.
- SAMAccountName & NetBios: Helpful with Exchange in mobile use cases where ActiveSync traffic does not carry a user's email address, because Forcepoint Data Security Cloud | SSE denies traffic if a user account cannot be found. Make sure to set NetBios Domain\SAMAccountName if applicable.
- FirstName & LastName: Helpful administratively when searching for users in the Forcepoint Data Security Cloud | SSE admin portal.
- BGCustom1 & BGCustom2: Can be sent in SAML responses as alternate NameID options for apps that do not use email addresses to map IdP accounts to cloud app accounts.
  Example: Salesforce, when authenticating users against a user's Federation ID account attribute.
  BGCustom1 corresponds to Custom Attribute 1, while BGCustom2 corresponds to Custom Attribute 2 in the fields.
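As an added example (not Forcepoint code), the check below inspects an IdP's SAML assertion before it is pointed at the service, confirming the constraints listed above: the NameID is in emailAddress format, objectGUID is present, and every attribute value is low-ASCII, which is the sign-in failure case the note describes. The sample assertions are constructed from the table's example values; the signature and conditions elements are omitted because they are not what this check is about.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("objectGUID",)  # required for Office 365 per the table above


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the assertion meets the documented constraints."""
    root = ET.fromstring(xml_text)
    problems = []
    # Name ID/Subject must be present and in emailAddress format
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        if not name_id.text.isascii():  # low-ASCII only, per the note
            problems.append("NameID value contains non-low-ASCII characters")
    # Collect attributes and flag any value outside low-ASCII
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
        for value in values:
            if not value.isascii():
                problems.append("attribute %s has non-low-ASCII value %r" % (attr.get("Name"), value))
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("missing required attribute " + name)
    return problems


# Constructed sample assertion using the example values from the table (no signature)
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ddemo@acme-corp.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="objectGUID"><saml:AttributeValue>50e38134-ae4e-4766-ba7d-6829b803bfcc</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Dave</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Demo</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed failing case: an accented surname (not low-ASCII) and a misnamed objectGUID attribute
BAD_ASSERTION = GOOD_ASSERTION.replace("Demo<", "Dem\u00f3<").replace('Name="objectGUID"', 'Name="objectGuidTypo"')

if __name__ == "__main__":
    print("good:", check_assertion(GOOD_ASSERTION))
    print("bad:", check_assertion(BAD_ASSERTION))
```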