Access Control tab

Setting authentication options for specific users

Use the Access Control tab to configure how your end users are identified by the cloud service. You can configure multiple authentication or identification options for your users if required.

The cloud service works "out of the box" for many organizations. A single policy applied to an organization's web traffic provides protection from malware and inappropriate content. However, most customers want to tailor the service to align it with their Internet acceptable use policy, which may require granular configuration on a per-user and per-group basis, with different users or groups assigned to specific policies. Often, organizations want to report on the surfing habits of their employees. These use cases require the service to identify specific users in order to apply the correct policy, and to log user actions for reporting purposes.

There are a number of events that can lead to an end user being asked to authenticate:

The user is connecting from an IP address configured as a proxied connection in one of your policies, and the policy has the Always authenticate users option enabled on the Access Control tab.

The user is accessing a website within a category that has an action of Require user authentication. You configure this within the category itself.

The user is attempting to access a website for which there is a group or user exception. At this point, the cloud service needs to find out who the user is in order to determine whether the exception applies.

The end user connects from an unknown IP address, so is considered a remote user.

When a request is made from an unknown IP address, users are served a notification page asking them to authenticate. Because the cloud service does not know who the users are at this time, the notification page is a generic service-wide page. See Roaming home page for further information.


	Note If user authentication is required by a connection-based policy, the service checks whether the user is assigned to a specific policy, and applies the user's policy. The user's "home" policy overrides the IP-based policy for enforcement actions.

To configure user authentication:

Under Authentication Settings, define when to authenticate.

Select Always authenticate users on first access to force all users of this policy (whose source IP address or appliance is configured on the Connections tab) to identify or authenticate themselves to proceed. If they do not, they are unable to use the cloud service.

Select Only authenticate when if you want to use authentication only if either of the following is true:

Users are accessing the web from an unknown IP address.

In this case, if web endpoint software or single sign-on is not available, the user receives the service-wide Welcome page. Users must log on to allow the correct policy to be applied.

The requested site is in a category or has a user or group exception that requires authentication.

Select the authentication methods you wish to use.

If you do not select any authentication methods, when users try to access a website, they are presented with a basic authentication dialog into which they must enter their cloud logon credentials to proceed.

The cloud service provides the following options for identifying end users transparently:

Select Endpoint to use web endpoint software, which is installed on client machines to provide transparent authentication, enforce use of web policies, and pass authentication details to the cloud-based service. See Configure Endpoint settings.

Select Single sign-on to use clientless transparent authentication via a supported identity provider. See Configure End User Single Sign-On settings.

If you do not deploy web endpoint software or use single sign-on, the cloud service can use one of the following methods to identify users transparently or manually when they connect to the Internet.

Select NTLM transparent identification to identify users in this policy with their NTLM credentials. Then, select the NTLM registration page or use the default setting. See NTLM identification and NTLM registration page.

NTLM transparent identification is also used as a fallback if either the web endpoint or single sign-on fails.


	Note NTLM transparent identification is not valid for remote users (connecting from unknown IP addresses). Such users must always authenticate with the web endpoint, single sign-on, or a valid email address and password.

Select Secure form-based authentication to display a logon form to the end user. When the user enters their cloud credentials, they are sent over a secure connection for authentication.

If the users have not previously registered to use the service, they can do so by clicking Register. This takes them into the registration process. See End Users tab for further details.

Note that manual authentication is always used if none of the above methods is available.

Select Welcome page to show a configurable welcome page to end users prior to the basic authentication dialog box, if their browser supports it. See Pre-logon welcome page.

If you have selected single sign-on or secure form authentication, set a Session timeout period to specify the time interval after which a user's login and password are revalidated. See Session timeout.

Click Save.