Authentication decryption
When single sign-on is enabled for an account, the cloud service performs authentication decryption by default for HTTPS traffic, regardless of whether SSL decryption is enabled in the policy. This is required in order to identify users.
Consequently, customers must download the Forcepoint root certificate and install it on all client machines that will use single sign-on. This ensures that end users browsing to HTTPS sites can be authenticated seamlessly via your identity provider. If the certificate is not installed, users will see a browser error stating that the site certificate is not valid.