Authentication for roaming or remote users

When roaming or remote users first connect from an unknown IP address, the cloud service must identify which account the user belongs to. In a default configuration, users connecting from an unknown IP address are required to identify themselves by entering their email address in a login form. This allows the proxy to match the roaming user to an account, in order to use the correct identity provider.

When the user submits a valid email address, the corresponding account is identified, and identity provider details are used to generate an authentication request and redirect the user to the provider for authentication. (If a user enters an unrecognized email address, an error will be displayed on the form and they will have to retry.)

Users are typically only required to carry out this step once; following a successful authentication, a long-lived cookie containing the user’s account ID is set, allowing the service to recognize the user’s account without user interaction. This step will be required again if the user connects using a different browser, clears the browser’s cookies, or does not re-authenticate for a long period, causing the cookie to expire. The default lifetime of the account identifier cookie is 6 months.
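The account-resolution flow described above, as an added illustrative model in Python (not Forcepoint's code): the account names, egress networks, email domains, IdP URLs and the 183-day cookie lifetime are constructed assumptions standing in for the real configuration.

```python
from datetime import datetime, timedelta
from typing import Optional
import ipaddress

COOKIE_LIFETIME = timedelta(days=183)  # page default is "6 months"; the day count is an approximation

# Constructed sample accounts: known egress networks, email domains and IdP endpoint (all hypothetical).
ACCOUNTS = {
    "acme":   {"networks": ["203.0.113.0/24"], "email_domains": ["acme.example"],
               "idp": "https://idp.acme.example/sso"},
    "globex": {"networks": [], "email_domains": ["globex.example"],
               "idp": "https://login.globex.example/saml"},
}

def account_for_ip(ip: str) -> Optional[str]:
    # Known (non-roaming) source networks map straight to an account.
    addr = ipaddress.ip_address(ip)
    for name, acct in ACCOUNTS.items():
        if any(addr in ipaddress.ip_network(n) for n in acct["networks"]):
            return name
    return None

def account_for_cookie(cookie: Optional[dict], now: datetime) -> Optional[str]:
    # The cookie only selects the account (and so the IdP); it is not proof of identity.
    if not cookie or cookie.get("account") not in ACCOUNTS:
        return None
    if now - cookie["set_at"] > COOKIE_LIFETIME:
        return None  # expired: the user must identify the account again
    return cookie["account"]

def account_for_email(email: str) -> Optional[str]:
    # Match the submitted address to an account by its email domain.
    domain = email.rsplit("@", 1)[-1].strip().lower() if "@" in email else ""
    return next((n for n, a in ACCOUNTS.items() if domain in a["email_domains"]), None)

def cookie_after_auth(account: str, now: datetime) -> dict:
    # Issued (or refreshed) after the IdP reports success, restarting the cookie lifetime.
    return {"account": account, "set_at": now}

def resolve(source_ip: str, cookie: Optional[dict], submitted_email: Optional[str], now: datetime) -> tuple:
    """Return (next_step, account): 'redirect_idp', 'show_email_form' or 'email_error'."""
    account = account_for_ip(source_ip) or account_for_cookie(cookie, now)
    if account is None and submitted_email is not None:
        account = account_for_email(submitted_email)
        if account is None:
            return "email_error", None  # unrecognized address: the form shows an error and the user retries
    if account is None:
        return "show_email_form", None  # unknown IP and no usable cookie: ask for the email address
    return "redirect_idp", account  # build the authentication request for ACCOUNTS[account]["idp"]
```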

Note: dedicated ports (limited availability)

For organizations that do not wish their roaming users to enter an email address upon first login, Forcepoint can configure a dedicated port for SSO authentication. This allows the service to identify the account for roaming users without requiring them to provide an email address.

The use of a dedicated port for SSO is a limited availability feature. Please contact Technical Support if you require further information about this option.