Example Deployment (With Client Certs)

This topic walks through a series of screenshots, based on the policy created above, showing what happens when a user attempts to access their Office 365 email through a client app (in this case Outlook 2016) or a web browser.

The process works as follows: the app (client app or web browser) receives a logon request and sends the authentication request to Forcepoint ONE SSE, which is configured as the IdP (as seen in step 5). If an external IdP has been set up in Forcepoint ONE SSE (see this admin guide page for more information), Forcepoint ONE SSE passes the user on to that external IdP (in this example, ADFS) for authentication. Once the user's credentials have been verified, Forcepoint ONE SSE then requests a client cert to determine whether the device is managed or unmanaged.

Steps

  1. A user launches Outlook for the first time and enters their credentials as normal to begin the account configuration process. Outlook initiates SAML SSO to authenticate the user. The user is passed to Forcepoint ONE SSE, which directs them to the configured external IdP for authentication.

  2. If the user has entered valid credentials, Forcepoint ONE SSE then prompts them to present a valid client cert. If they can present one, they are successfully connected to Outlook.

  3. If they are unable to present a valid cert, they are denied access.

  4. Contrast this with logging into the web app from any device (managed or unmanaged). After the user navigates to the Office 365 login portal and enters their username, their browser redirects them to their IdP for authentication:

  5. After entering correct credentials, the user is prompted to present a valid client cert. Under the policy rules applied in step 4, the client cert check is optional for users (authentication is not blocked if no cert is presented): Forcepoint ONE SSE still authenticates the user on the credentials they entered and securely connects them to the proxied Office 365.

    Note: For client certificates, you will need to be running Mac Outlook 2016 version 15.38 and above.
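The device check the steps above describe, modelled as an added Go example (not Forcepoint's code): a client-app login is allowed only when the presented certificate chains to the enterprise root, while a browser login is proxied with or without one. The CA name, device names and result strings are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a one-day client-auth cert for cn signed by parent/parentKey;
// a nil parent yields a self-signed cert (the enterprise root, or a rogue device's own cert).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// decide models the step after the IdP has verified credentials. A device counts as
// managed only if its cert chains to the enterprise root, is unexpired and permits client
// auth; a client-app login requires that, while a browser login is proxied either way.
func decide(clientApp bool, cert *x509.Certificate, roots *x509.CertPool) string {
	managed := false
	if cert != nil {
		_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		managed = err == nil
	}
	if clientApp && !managed {
		return "deny: client cert required"
	}
	if managed {
		return "allow: managed device"
	}
	return "allow: proxied, unmanaged device"
}
```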