Go to the table of contents Go to the previous page Go to the next page View or print as PDF
User Identification for Policy Enforcement > Identification and authentication of hybrid users > Integrating the hybrid service with a single sign-on identity provider
Integrating the hybrid service with a single sign-on identity provider
Administrator Help | Forcepoint Web Security | v8.5.x
Single sign-on uses an identity provider to authenticate user identity, attributes, and roles with enterprise directories. All communications between components are secured.
When single sign-on is enabled and installed on your network, clients connecting to the hybrid proxy are redirected to an identity provider. The identity provider must be configured if off-site users are to be authenticated. Once single sign-on has authenticated a user against your directory service, they are directed back to the hybrid proxy and the appropriate policy is applied. Clients who have authenticated once do not then have to authenticate again for subsequent browsing sessions.
Currently, only PingFederate and Microsoft Active Directory Federation Services (AD FS) are supported as single sign-on identity providers. For information about how to deploy PingFederate, please visit their website. Visit this website for information about AD FS.
To integrate a single sign-on identity provider:
1.
On the Settings > Hybrid Configuration > Hybrid User Identification page, download and install the hybrid SSL certificate to ensure seamless authentication to HTTPS sites.
If the certificate is not installed for single sign-on users, they receive a certificate error when they browse to an HTTPS site. If they then select the "Continue to this website (not recommended)" link, they must authenticate using NTLM identification or manual authentication, depending on the settings on the Hybrid User Identification page. See Enabling hybrid HTTPS notification pages.
2.
Mark Use identity provider for single sign-on to activate single sign-on for all client machines.
 
Note 
3.
Select the Identity Provider you wish to use.
4.
5.
Under Session Timeout, define how often users' credentials are revalidated for security reasons. The default options are 1, 7, 14, or 30 days.
 
Note 
6.
Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
User Identification for Policy Enforcement > Identification and authentication of hybrid users > Integrating the hybrid service with a single sign-on identity provider
Copyright 2018 Forcepoint. All rights reserved.