Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
End User Single Sign-On for Forcepoint Web Security Cloud : Limitations and recommendations
Limitations and recommendations
The following table lists limitations and recommendations for using single sign-on.
 
Category
Limitation/recommendation
Supported clients
Single sign-on is supported only for web browsers. Other types of client cannot authenticate in this way.
In order for other clients to work with the proxy service, you must enable authentication decryption bypass by user agent or destination. This is set on the Web > Bypass Settings > Authentication Bypass page.
Note that authentication decryption bypass is not supported for roaming users.
Forcepoint root certificate
When single sign-on is enabled, the cloud service performs authentication decryption for HTTPS sites by default in order to identify users. Customers must download the Forcepoint root certificate and install it on all client machines that will use this method of authentication. This ensures that end users browsing to HTTPS sites can be authenticated seamlessly.
If the certificate is not installed, users will see a browser error stating that the site certificate is not valid.
Note that this applies to SSO over tunneling only if decryption is explicitly enabled in the policy.
SSLdecryption bypass: local users
If you have added categories to the SSL Decryption Bypass list via Web > Policies > [policy name] > Web Categories > SSL Decryption Bypass, users browsing HTTPS sites in these categories cannot be authenticated via your IdP. Users will see the manual authentication welcome page.
Note that this does not apply to SSO over tunneling.
Authentication decryption: roaming users
For roaming users, the following authentication decryption settings are not supported:
*
Authentication decryption bypass
*
Authentication bypass by user agent or hostname
*
SSL decryption bypass
See Supported decryption and proxy bypass settings.
Auto-provisioning
Auto-provisioning is not supported for roaming users identifying via the account identification page.
Authentication fallback for dedicated ports
Authentication fallback is not supported when using dedicated ports. See Authentication fallback.
Note that this does not apply to SSO over tunneling.
SSO over tunneling
For on premises users, if the first site request by a user is to an HTTPS site and the applicable policy has SSL decryption disabled, the proxy will allow the user anonymously until the user browses to an HTTP or a decrypted HTTPS site and the user is authenticated.
Authentication for roaming and remote users
Roaming user requests to sites that use cross-origin resource sharing (CORS) may be blocked. These sites normally do not send cookies so the correct policy cannot be determined when cookie-based authentication is used.
For sites that use CORS, any cross-origin resource domains that are requested can be added as Proxy Bypass destinations to avoid the issue.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
End User Single Sign-On for Forcepoint Web Security Cloud : Limitations and recommendations
Copyright 2022 Forcepoint. All rights reserved.