Configuration steps

Before you begin

Before you begin, ensure that you have the following prerequisites:

  • Administrator logon details for the Forcepoint Cloud Security Gateway Portal (also referred to as the cloud portal) with the single sign-on feature enabled in your account. Contact Technical Support if you do not have this feature.
  • Access to a supported identity provider (either within your network, or a cloud service).

Follow the steps below to deploy single sign-on for your cloud account.

Steps

  1. Log on to the cloud portal and navigate to Web > Settings > Single Sign-on. Click the download links to save the following files:
    1. Forcepoint LLC Metadata: this XML file must be uploaded to your identity provider. (See the instructions in step 3.)
    2. Forcepoint LLC Root Certificate: this certificate must be installed on all clients that will use SSO authentication.
  2. Log on to your identity provider and perform the following steps:
    1. Configure your identity provider with service details and metadata for the Forcepoint cloud service. Refer to the following articles in the Forcepoint Knowledge Base for detailed instructions on configuring the following packages to work with Forcepoint Web Security Cloud SSO:
    2. Obtain the identity provider’s metadata. This will either be in the form of a URL, or a file you can download. (See the Knowledge Base articles listed above for further details.)
  3. Returning to the cloud portal, navigate to Web > Settings > Single Sign-on and perform the following steps:
    1. For customers new to single sign-on, the Identity provider entry displays SAML 2.0 Compliant Identity Provider and cannot be changed.

      For customers who had configured single sign-on prior to the introduction of the SAML 2.0 Compliant Identity Provider option, the previously selected identity provider is displayed and a drop-down list offers the original provider and SAML 2.0 Compliant Identity Provider.

      It is recommended that all customers select SAML 2.0 Compliant Identity Provider.

    2. For Metadata source, select either URL or File upload. Provide the metadata obtained from your identity provider in step 2b. See Forcepoint Web Security Cloud Help - Configure Single Sign-On settings for further details.
    3. If applicable, add the identity provider’s hostnames as non-proxied domains on the Web > Bypass Settings > Proxy Bypass page. (Cloud-based IdPs perform additional redirects to URLs not present in the metadata. Check the Knowledge Base articles above for details of any required domains.)
  4. Install the Forcepoint root certificate that you downloaded from the cloud portal on all client machines that will use SSO, using your preferred distribution method (such as Windows Group Policy Objects).
  5. Enable SSO authentication in your policies, on the Access Control tab. See Forcepoint Web Security Cloud Help - Access Control tab.