User authentication methods

Getting Started Guide | Forcepoint Web Security Cloud

You can enable various methods to identify and authenticate users. User authentication is used if it is required by your policy, or if the user is accessing a website for which a policy exception is configured. Authentication is always required for roaming users connecting from an unknown IP address.


	Tip User authentication allows policy enforcement actions and policy exceptions to be applied to individual users or groups, as well as user-specific reporting data to be logged.

User authentication settings are configured on the Access Control tab of a policy. Authentication methods are listed below, in the order in which they are used by the service, if enabled in a policy.

Forcepoint Web Security Endpoint: always used to identify the user, if installed on an end-user's machine.

Single sign-on: if you have configured a supported third-party identity provider to authenticate your users, this provider is queried to identify and authenticate the user.

NTLM identification: identifies users connecting from a known IP address via their NTLM credentials. (NTLM is not used for roaming users.)

Secure form: if the user agent supports secure forms, users can enter their logon credentials if already registered, or choose to register with the service.

Basic authentication: a user logon page is shown by default if the above options are not available. Users can enter their logon credentials if already registered, or choose to register with the service. Use the Welcome page setting to display a configurable welcome page before users are presented with the authentication dialog box.

Note: basic authentication uses the HTTP authentication standard. While this is available as a default fall-back, Forcepoint recommends that you do not rely on this option, and enable at least one of the other authentication options.


	Note For secure form-based authentication and single sign-on, an authentication cookie is placed on the user's machine. Users do not need to re-authenticate for subsequent web browsing sessions, for a period of time defined by the Session Timeout option on the Access Control tab. For basic authentication, users are asked to authenticate whenever opening a new browser session.