SAML-based single sign-on: configuration overview

You must configure integration with your third-party identity provider in order to authenticate users via SAML-based single sign-on.

SAML-based authentication using a third-party IdP provides seamless single sign-on for unauthenticated users. In order to configure SAML integration, you must configure an identity provider in the management portal, upload your provider's metadata, and configure your provider to connect to Forcepoint as the SAML service provider.
Important:

Users must have been provisioned to Private Access from your enterprise directory (via SCIM) in order to be identified and authenticated by SAML-based single sign-on. Configure your identity provider for SAML and SCIM integration before enabling SAML authentication in your policy rules.

This topic provides an overview of the end-to-end configuration process for SAML-based single sign-on. You will need access to both the Private Access management portal, and the management portal of your identity provider, with administrative privileges.

Steps

  1. In the Forcepoint Private Access management portal, go to Administration > Authentication > Identity provider.
  2. Click New to configure a new SAML identity provider.
  3. Under Service provider details, copy the following information:
    • Service provider Entity ID.
    • Service provider Assertion Consumer Service (ACS) endpoints – each of these must be configured in your IdP.
  4. Sign in to your identity provider. You will require administrator privileges to configure SAML and SCIM integration.
  5. In the management interface for your identity provider, configure a SAML 2.0 connector application, using the Forcepoint service provider details copied in step 3. A Forcepoint Private Access app is available for Okta.
  6. Configure your identity provider to provision users to the service via SCIM.
  7. Download your IdP's SAML metadata in XML format. Refer to the documentation for your IdP for guidance. This metadata includes the following information for your identity provider:
    • Issuer ID
    • Single sign-on URL
    • X.509 certificate
  8. Return to the Forcepoint Private Access management portal, and go to Administration > Authentication > Identity provider.
  9. In the settings panel for your identity provider profile, under Identity provider details, click Add to upload the XML metadata from your IdP.
  10. Set the Maximum clock skew value (300ms recommended). This value determines the maximum variation between the system clock time of your IdP and Private Access for authentication requests.
    Note: If the clock skew exceeds this value, the authentication request will fail.
  11. In the Domains field, add the domains your organization uses for authentication. During authentication, the domain suffix provided by the user as part of their user name must match one of the values configured here.
    At least one domain is required, but you can add more if necessary. When you begin typing in the first Domain field, another field will appear. Click the x icon to remove domains.
    Note: For the user name username@acme.com, the domain suffix is acme.com.
  12. Click Save.

Next steps

If you are using Cloud Security Gateway, you must configure a proxy bypass destination for each of your configured ACS endpoints. Refer to the Getting Started section for further details.

Next, enable SAML authentication in your policy rules. Click Deploy Changes in the Private Access management portal, to enable SAML-based single sign-on for policies that contain rules requiring user authentication.