To configure user authentication
Steps
-
Under Authentication Settings, define when to authenticate.
- Select Always authenticate users on first access to force all users of this policy (whose source IP address or appliance is configured on the Connections tab) to identify or authenticate themselves to proceed. If they do not, they are unable to use the cloud service.
- Select Only authenticate when if you want to use authentication only if either of the following is true:
- Users are accessing the web from an unknown IP address.
In this case, if web endpoint software or single sign-on is not available, the user receives the service-wide Welcome page. Users must log on to allow the correct policy to be applied.
- The requested site is in a category or has a user or group exception that requires authentication.
- Users are accessing the web from an unknown IP address.
-
Select the authentication methods you wish to use.
If you do not select any authentication methods, when users try to access a website, they are presented with a basic authentication dialog into which they must enter their cloud logon credentials to proceed.
The cloud service provides the following options for identifying end users transparently:
- Select Endpoint to use web endpoint software, which is installed on client machines to provide transparent authentication, enforce use of web policies, and pass authentication details to the cloud-based service. See Configure Endpoint settings.
- Select Single sign-on to use clientless transparent authentication via a supported identity provider. See Configure End User Single Sign-On
settings.
If you do not deploy web endpoint software or use single sign-on, the cloud service can use one of the following methods to identify users transparently or manually when they connect to the Internet.
- Select NTLM transparent identification to identify users in this policy with their NTLM credentials. Then, select the NTLM registration page or use
the default setting. See NTLM identification and NTLM registration.
NTLM transparent identification is also used as a fallback if either the web endpoint or single sign-on fails.
Note: NTLM transparent identification is not valid for remote users (connecting from unknown IP addresses). Such users must always authenticate with the web endpoint, single sign-on, or a valid email address and password. - Select Secure form-based authentication to display a logon form to the end user. When the user enters their cloud credentials, they are sent over a
secure connection for authentication.
If the users have not previously registered to use the service, they can do so by clicking Register. This takes them into the registration process. See End Users tab for further details.
Note that manual authentication is always used if none of the above methods is available.
- Select Welcome page to show a configurable welcome page to end users prior to the basic authentication dialog box, if their browser supports it. See Pre-logon welcome page.
- If you have selected single sign-on or secure form authentication, set a Session timeout period to specify the time interval after which a user’s login and password are revalidated. See Session timeout.
- Click Save.