Create a Microsoft Azure Active Directory application for SCIM and SAML

To use SCIM provisioning and SAML authentication with Microsoft Azure Active Directory, you must create a connector application within your Microsoft Azure instance.

In order to use SAML-based single sign-on for end users, you must provision users and groups from your identity provider to the Private Access service via SCIM, and configure your identity provider for SAML integration.

Steps

  1. In the Private Access management portal, go to Administration > Authentication > Identity provider.
  2. Click New.
  3. Provide a name for the identity provider (for example, "Microsoft Azure").
  4. Note the Service Provider Entity ID and the list of Service Provider Assertion URLs. Each of these must be configured in your Microsoft Azure AD to ensure SAML authentication is working properly for each of your configured Private Access Gateways.
  5. Sign in to your Microsoft Azure account with administrator privileges, and click Azure Active Directory.
  6. In the side toolbar, click Enterprise applications.
  7. At the top of the screen, click New application, then click Create your own application.
  8. Enter a name for the application (for example, "Forcepoint Private Access"), select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.
  9. In the side toolbar, click Single sign-on, then select SAML as the single sign-on method.
  10. In the Basic SAML configuration section, click Edit.
  11. In the Identifier (Entity ID) field, paste the Service Provider Entity ID value you copied in step 4.
    Important:
    • You must prefix the entity ID value with "eid:".
  12. In the Reply URL (Assertion Consumer Service URL) field, paste the first Service Provider Assertion URL (Assertion Consumer Service URL) value from the list you copied in step 4.
    Keep "/acs" at the end of the URL.
    Repeat until you have added all available ACS endpoints to the configuration. Click Save.
    Tip: Each URL is identical except for the sequence number. Copy the first URL and change the sequence number as appropriate.
  13. Close the panel. You will be prompted to test the configuration. Click Yes to test.
  14. Scroll down to step 3: SAML Signing Certificate, and download the Federation Metadata XML file.
  15. Return to the Private Access management portal. Go to Administration > Authentication > Identity provider and select the identity provider profile you created in step 2.
  16. Under Identity provider metadata, click Upload, and select the XML file you saved in step 14. Upload the file.
  17. In the Domains field, add the domains your organization uses for authentication.
  18. Click Save and Deploy Changes.
  19. In the Private Access management portal, go to Administration > SCIM Settings. Copy and make a note of the Base URL for the Forcepoint SCIM service.
  20. Click Generate New Token. Copy and make a note of the token.
  21. In the Microsoft Azure portal, click Provisioning in the sidebar menu.
  22. Click Get started and set the Provisioning Mode to Automatic.
  23. In the Tenant URL field, paste the Base URL you copied in step 18.
  24. In the Secret Token field, paste the token you copied in step 19.
    Click Test Connection to verify the details, then click Save.
  25. Click the X to close the Provisioning panel, then select Users and groups from the side toolbar.
  26. Click Add user/group.
  27. Search for and select the users/groups you want to be provisioned to Private Access. Click Assign.

Result

Your assigned users and groups will be provisioned to the service, and you can use SAML authentication in your policy rules to authenticate users.
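As an added check (example code written for this page, not part of the original procedure or of the Forcepoint or Microsoft products), the Python script below compares the values entered in Azure AD's Basic SAML configuration (steps 11 and 12) against the Service Provider values noted in step 4, flagging a missing "eid:" prefix, a lost "/acs" suffix, or a gateway ACS endpoint that was never added, and it parses the Federation Metadata XML from step 14 to confirm the IdP entity ID, SSO URL and signing certificate are present before the upload in step 16. All URLs, the tenant ID and the certificate are constructed placeholders, and the two-gateway ACS URL layout is an assumption.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_basic_saml_config(sp_entity_id, sp_acs_urls, azure_identifier, azure_reply_urls):
    """Compare Azure's Basic SAML configuration with the Private Access portal values.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    if azure_identifier != "eid:" + sp_entity_id:  # step 11: Identifier needs the "eid:" prefix
        findings.append(f"Identifier must be 'eid:{sp_entity_id}', got '{azure_identifier}'")
    for url in azure_reply_urls:  # step 12: each Reply URL is one of the SP ACS URLs, "/acs" kept
        if not url.startswith("https://"):
            findings.append(f"Reply URL is not HTTPS: {url}")
        if not url.endswith("/acs"):
            findings.append(f"Reply URL lost its '/acs' suffix: {url}")
        if url not in sp_acs_urls:
            findings.append(f"Reply URL is not a Service Provider Assertion URL: {url}")
    for url in sp_acs_urls:  # every gateway's ACS endpoint must be present or its logins fail
        if url not in azure_reply_urls:
            findings.append(f"ACS endpoint missing from Azure reply URLs: {url}")
    return findings

def parse_federation_metadata(xml_text):
    """Pull the IdP entity ID, SSO redirect URL and signing certs out of the
    Federation Metadata XML (step 14) before uploading it in step 16."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    certs = [c.text.strip() for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"
             for c in kd.iter(f"{{{DS}}}X509Certificate")]
    sso = [s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")
           if s.get("Binding") == REDIRECT]
    return {"entity_id": root.get("entityID"), "sso_url": sso[0] if sso else None,
            "signing_certs": certs}

# Constructed sample values: placeholder tenant ID, gateway names and certificate.
SP_ENTITY_ID = "https://sp.example.invalid/saml"
SP_ACS_URLS = [f"https://gw{n}.example.invalid/saml/acs" for n in (1, 2)]  # assumed layout
AZURE_IDENTIFIER = "eid:" + SP_ENTITY_ID
AZURE_REPLY_URLS = [SP_ACS_URLS[0]]  # second gateway's ACS endpoint was left out
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>MIIC...constructed...</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor></EntityDescriptor>"""
```

Running `check_basic_saml_config(SP_ENTITY_ID, SP_ACS_URLS, AZURE_IDENTIFIER, AZURE_REPLY_URLS)` on the sample reports the second gateway's missing ACS endpoint, the case step 12's "repeat until you have added all available ACS endpoints" guards against.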