Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
User Identification > Identification of hybrid users > Integrating a single sign-on identity provider
Integrating a single sign-on identity provider
Web Security Help | Web Security Solutions | Version 7.8.x
Beginning with 7.8.4, single sign-on uses an identity provider to authenticate user identity, attributes, and roles with enterprise directories. All communications between components are secured.
When single sign-on is installed on your network, clients connecting to the hybrid proxy are redirected to an identity provider. The identity provider proxy must be configured if off-site users are to be authenticated. Once single sign-on has authenticated a user against your directory service, they are directed back to the proxy and the appropriate policy is applied. Clients who have authenticated once do not then have to authenticate again for subsequent Web browsing sessions.
For 7.8.4, only PingFederate is supported as a single sign-on identity provider. For information on how to deploy PingFederate, please visit their web site.
To integrate a single sign-on identity provider:
1.
On the Settings > Hybrid Configuration > User Access page, download and install the hybrid SSL certificate to ensure seamless authentication to HTTPS sites. If the certificate is not installed for single sign-on users, they receive a certificate error when they browse to an HTTPS site. If they then select the "Continue to this website (not recommended)" link, they must authenticate using NTLM identification or manual authentication, depending on the settings on the Hybrid User Identification page. See Enabling HTTPS notification pages.
2.
Mark Use PingFederate as the identity provider for single sign-on to activate single sign-on for all client machines.
3.
Once single sign-on is configured and the SSL certificate is installed on clients, copy the metadata URL from the identity provider's metadata and enter it in the Metadata URL field on the Hybrid User Identification page.
4.
Under Session Timeout, define how often users' credentials are revalidated for security reasons. The default options are 1, 7, 14, or 30 days.
 
* 
Note 
It is possible to extend the Session Timeout options to 3 months, 6 months, and 12 months. To enable this extended feature, contact Support.
5.
Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
User Identification > Identification of hybrid users > Integrating a single sign-on identity provider
Copyright 2016 Forcepoint LLC. All rights reserved.