Installation and Configuration Guide
Websense Authentication Service

Introduction > What is Authentication Service?

Authentication Service facilitates username/password validation using your on-premises Active Directory/LDAP server. Authentication Service is installed as a virtual appliance and communicates with your local directory using LDAP over SSL. It can operate in the DMZ or inside the local area network (LAN), or both, based on the mode(s) of operation:
* Desktop single sign-on (SSO). This option applies to end users using cloud or hybrid filtering to access the Internet from within your network. In this case, the user's desktop credentials are validated by Authentication Service using Kerberos tickets issued by your Key Distribution Center (KDC). Authentication Service is installed inside the LAN and acts as a federation server for your network, an in-network federation authority that communicates with the Websense proxy using SAML 2.0 assertions.
  The user authenticates with the Active Directory/LDAP server within the network (leveraging existing network security). When a user inside the corporate network accesses an external URL, the browser is redirected to Authentication Service, which authenticates the user against the LDAP directory and issues a SAML assertion to the Websense proxy. The user's credentials never leave the corporate network.
  Note that in this configuration all user authentication happens in-network; the Websense proxy does not enforce additional authentication factors, but simply accepts the SAML assertion from Authentication Service. Users can also use this mode from outside the network over a VPN connection.
* Username/Password verification. This option applies to off-site users. In this case, users reach the Websense proxy from outside their LAN, and Authentication Service needs to run in your DMZ. The user's Active Directory/LDAP credentials are collected by the Websense proxy and passed to Authentication Service to be validated against your Active Directory/LDAP server. Once authenticated, the user has access to Web sites according to their policy settings.
* Hybrid (both). Here both internal desktop SSO and external username/password validation are required. Users can connect to Authentication Service internally or from outside the LAN.
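In the desktop SSO mode above, the proxy side relies entirely on the SAML assertion it receives, so it must still confirm that the assertion was meant for it and is current before granting access. The following is an added illustration, not Websense code, of the relying-party checks that run after the XML-Signature has been verified by an XML-DSig library: Issuer, Conditions validity window (with clock skew), AudienceRestriction, and Subject/NameID. The issuer URL, audience URL, user name and the sample assertion are constructed for the example and are not taken from the product.

```python
"""Relying-party (proxy-side) checks on a SAML 2.0 assertion.

Added illustration, not Websense code. Signature verification is assumed to
have been done already by an XML-DSig library against the pinned signing
certificate of the in-network IdP; the checks here are the ones that must
still run after a valid signature. Names, URLs and the sample assertion are
constructed for the example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity attacks

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime in the UTC 'Z' form SAML uses

# Constructed example identities (assumptions, not from the original page)
IDP_ISSUER = "https://authsvc.corp.example/idp"
PROXY_AUDIENCE = "https://proxy.example.net/sp"


def saml_time(ts):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now,
                       skew=timedelta(seconds=60)):
    """Return the asserted NameID, or raise ValueError on any failed check.

    Every reject path is an explicit exception, so a missing element can
    never fall through to an accept.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("root element is not a saml:Assertion")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected Issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("Conditions with NotBefore/NotOnOrAfter required")
    if now + skew < saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")

    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion not addressed to {expected_audience}")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("Subject/NameID missing")
    return name_id


def build_sample_assertion(issuer, audience, not_before, not_on_or_after, name_id):
    """Construct a minimal unsigned assertion as example input only."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_example1">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}"
                   NotOnOrAfter="{not_on_or_after.strftime(TIME_FMT)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check(issuer=IDP_ISSUER, audience=PROXY_AUDIENCE, age_minutes=0):
    """Validate one constructed assertion at a fixed 'now'; returns (ok, detail).

    The assertion is given a five-minute lifetime starting age_minutes ago.
    """
    now = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    issued = now - timedelta(minutes=age_minutes)
    xml_text = build_sample_assertion(issuer, audience, issued,
                                      issued + timedelta(minutes=5), "jdoe@corp.example")
    try:
        return True, validate_assertion(xml_text, IDP_ISSUER, PROXY_AUDIENCE, now)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check())                                      # fresh, correctly addressed: accepted
    print(check(age_minutes=10))                        # 10 min old, 5 min lifetime: expired
    print(check(audience="https://other.example/sp"))   # meant for another SP: rejected
    print(check(issuer="https://attacker.example/idp")) # wrong IdP: rejected
```

The order matters: the signature check must come first and be bound to the Authentication Service certificate, otherwise anyone on the network who can reach the proxy could post an assertion naming an arbitrary user. The checks shown here then stop replay of a stale assertion and cross-use of an assertion issued for a different service provider.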

