Integrating the hybrid service with a single sign-on identity provider
Administrator Help | TRITON AP-WEB | Version 8.3.x
Single sign-on uses an identity provider to authenticate user identity, attributes, and roles with enterprise directories. All communications between components are secured.
When single sign-on is enabled and installed on your network, clients connecting to the hybrid proxy are redirected to an identity provider. The identity provider must be configured if off-site users are to be authenticated. Once single sign-on has authenticated a user against your directory service, they are directed back to the hybrid proxy and the appropriate policy is applied. Clients who have authenticated once do not then have to authenticate again for subsequent browsing sessions.
Currently, only PingFederate and Microsoft Active Directory Federation Services (AD FS) are supported as single sign-on identity providers. For information on how to deploy PingFederate, see the PingFederate vendor's website; for information on AD FS, see Microsoft's AD FS documentation.
To integrate a single sign-on identity provider:
1. On the Settings > Hybrid Configuration > Hybrid User Identification page, download and install the hybrid SSL certificate to ensure seamless authentication to HTTPS sites.
   If the certificate is not installed for single sign-on users, they receive a certificate error when they browse to an HTTPS site. If they then select the "Continue to this website (not recommended)" link, they must authenticate using NTLM identification or manual authentication, depending on the settings on the Hybrid User Identification page. See Enabling hybrid HTTPS notification pages.
2. Mark Use identity provider for single sign-on to activate single sign-on for all client machines.
   Note
3. Select the Identity Provider you wish to use.
4.
5. Under Session Timeout, define how often users' credentials are revalidated for security reasons. The default options are 1, 7, 14, or 30 days.
   Note
6. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Copyright 2016 Forcepoint LLC. All rights reserved.