Identity provider

SAML (Security Assertion Markup Language) is a standard for exchanging authentication information between an identity provider (IdP) and a service provider (Forcepoint). SAML-based single sign-on allows seamless user identification and authentication for end users, using your preferred IdP. When a SAML 2.0-compliant IdP has been configured, policy rules or exceptions that require user identity trigger an authentication request for clients whose identity is not already known to the service. The client request is redirected to the configured IdP for authentication.

Use the Identity provider page to configure integration with your SAML 2.0-compliant identity provider.

The Administration > Authentication > Identity provider page shows the following information.

Service provider details

Forcepoint acts as a service provider for SAML-based authentication requests. The information shown here is required to configure your IdP to integrate with Private Access for single sign-on.
  • Service provider Entity ID (Service Provider Issuer URL): a globally unique identifier for the Forcepoint SAML service. Use this value when configuring your IdP to connect to Forcepoint as a service provider.
  • Service provider Assertion Consumer Service (ACS) URL: a list of your supported endpoints for authentication responses received from your IdP. Each Private Access gateway is assigned a unique ACS. Typically a tenant will be provisioned with up to 10 ACS URLs. This allows a tenant to have up to 10 Private Access Gateways (5 for High Availability), but more can be added if additional gateways are required. Each URL will be identical except for a sequence number that corresponds to a specific Private Access Gateway. Each ACS in use must be configured in your IdP to ensure the user is returned to the correct Private Access Gateway after a successful authentication.

Identity provider details

Your identity provider details can be uploaded to the management portal as an XML metadata file, or pasted into the metadata field.

This information is populated when you have added and saved metadata for your IdP.

  • Identity provider metadata: either paste the metadata XML from your IdP into the field, or click Upload to upload your IdP's metadata XML file.
    Note: To change IdP metadata, paste new contents into the metadata field, or click Change IdP Metadata to upload a new file. Click Save to commit your changes.
  • Identity provider Issuer ID: a unique identifier sent by the IdP to identify itself to Forcepoint. Sent as the Issuer token in SAML responses.
  • Identity provider Single Sign-On URL: the URL used by the IdP to handle SAML authentication requests.
  • Identity provider certificate: validity information and thumbprint for the X.509 certificate from your IdP. A valid certificate is required for Private Access to decrypt the SAML authentication response sent by the IdP.
  • Maximum clock skew (milliseconds): the allowed variation in system time between the IdP and Private Access for an authentication request. The recommended value is 300ms. If the clock skew is greater than this value, authentication fails.
  • Domains: one or more fully qualified domain names (FQDNs). Wildcards are not supported.
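The example below is added here and is not Forcepoint's code. It parses a constructed IdP metadata document into the three fields the Identity provider page populates from it (Issuer ID, Single Sign-On URL, certificate thumbprint) and applies the Maximum clock skew setting to a response's IssueInstant; the certificate body is placeholder bytes, not a real X.509 certificate, and the hostnames are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata. The X509Certificate body is placeholder bytes
# (hypothetical); a real metadata file carries the base64-encoded DER certificate.
FAKE_CERT_B64 = base64.b64encode(b"PLACEHOLDER-DER-BYTES").decode()
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_thumbprint(cert_b64: str) -> str:
    """SHA-1 over the DER bytes, the usual form of a certificate thumbprint."""
    der = base64.b64decode("".join(cert_b64.split()))  # metadata often wraps the base64
    return hashlib.sha1(der).hexdigest().upper()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the fields the Identity provider page shows after metadata is saved."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "issuer_id": root.get("entityID"),             # sent as Issuer in SAML responses
        "sso_url": sso.get("Location"),                # Identity provider Single Sign-On URL
        "cert_thumbprint": cert_thumbprint(cert.text),  # Identity provider certificate
    }


def within_clock_skew(issue_instant: str, now_iso: str, max_skew_ms: int = 300) -> bool:
    """Maximum clock skew check: the response's IssueInstant must lie within
    max_skew_ms of the service provider's clock, in either direction."""
    def parse(ts):  # SAML timestamps are UTC with a trailing Z
        return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    delta_ms = abs((parse(issue_instant) - parse(now_iso)).total_seconds()) * 1000
    return delta_ms <= max_skew_ms
```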