How single sign-on works

Before you begin

The following diagram illustrates how Forcepoint authenticates users via your identity provider.

Steps

  1. The user requests a web page via the cloud proxy.
  2. The cloud service identifies the user’s account.
    1. For local users, this is based on the user’s IP address.
    2. For roaming users, this typically requires the user to enter an email address.
  3. The service redirects the user’s browser to the identity provider configured for the account.
  4. The user’s browser makes an authentication request to the identity provider.
  5. The identity provider authenticates the user.
  6. An authentication token is posted to the user’s browser.
  7. The token is forwarded to the Forcepoint cloud service.
  8. The token is validated against the identity provider’s metadata, and the user is identified. Policy settings for the user are checked, and the request is permitted or blocked.
  9. The cloud service redirects the user’s browser back to the requested URL.
  10. Account identification and authentication cookies are set in the user’s browser. The next time the user accesses the service, the user’s account is identified and the session authenticated via the cookie, without redirecting to the IdP.
  11. The browser requests the URL for the second time.
  12. The URL is retrieved and served to the user.
Note:

The cloud service caches authentication sessions and sets a cookie in the user’s browser upon successful authentication. Steps 3-10 above are performed only once per authenticated session.

Users will only be re-authenticated if they clear their browser cookies, use a different browser, or do not re-authenticate within the session timeout duration, causing the cookie to expire. The session timeout duration is defined on the Access Control tab of your policy.
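The exchange in the steps above, as an added worked example (not Forcepoint's code or the product's protocol implementation): a minimal identity provider and cloud proxy written against each other so the redirect, token validation against IdP metadata, session cookie, policy decision and cookie expiry can be traced step by step. It is a simplification: a shared HMAC key stands in for the IdP's signing certificate that real SAML metadata carries, the entity IDs, users, URLs and the blocked-category list are constructed, and the "browser" is just the sequence of calls in `run_flow()`.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed "IdP metadata": real SAML metadata carries the IdP's signing
# certificate; here a shared HMAC key stands in for that verification material.
IDP_ENTITY_ID = "https://idp.example.test"      # assumed name
SP_ENTITY_ID = "https://proxy.example.test"     # assumed name
IDP_METADATA = {"entity_id": IDP_ENTITY_ID, "signing_key": b"constructed-idp-key"}


def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Steps 4-6: authenticates the user and issues a signed token."""

    def __init__(self, metadata, users):
        self.entity_id = metadata["entity_id"]
        self.key = metadata["signing_key"]
        self.users = users  # constructed username -> password table

    def authenticate(self, request_id, audience, username, password):
        if self.users.get(username) != password:
            return None  # step 5 failed: no token is issued
        claims = {"iss": self.entity_id, "aud": audience,
                  "in_response_to": request_id, "sub": username}
        payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return payload + "." + _sign(self.key, payload.encode())


class CloudProxy:
    """Steps 1-3 and 7-12: the service-provider side of the exchange."""

    def __init__(self, idp_metadata, session_timeout, blocked_by_user):
        self.idp = idp_metadata
        self.timeout = session_timeout
        self.blocked = blocked_by_user  # constructed policy: user -> blocked URL prefixes
        self.pending = {}               # request_id -> original URL (step 3)
        self.sessions = {}              # cookie -> (user, issued_at) (step 10)

    def _policy(self, user, url):
        # Step 8: policy settings decide whether the request is permitted or blocked.
        if any(url.startswith(p) for p in self.blocked.get(user, ())):
            return ("blocked", url, user)
        return ("served", url, user)

    def handle_request(self, url, cookie, now):
        session = self.sessions.get(cookie)
        if session and now - session[1] < self.timeout:
            return self._policy(session[0], url)  # cookie identifies the session, no IdP round trip
        self.sessions.pop(cookie, None)           # missing or expired cookie: re-authenticate
        request_id = secrets.token_hex(8)
        self.pending[request_id] = url            # remember where to send the browser back
        return ("redirect_to_idp", self.idp["entity_id"], request_id)

    def consume_token(self, token, now):
        try:
            payload, sig = token.split(".", 1)
        except ValueError:
            return ("rejected", "malformed token")
        # Step 8: validate the token against the IdP metadata before trusting any claim.
        if not hmac.compare_digest(sig, _sign(self.idp["signing_key"], payload.encode())):
            return ("rejected", "bad signature")
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims.get("iss") != self.idp["entity_id"] or claims.get("aud") != SP_ENTITY_ID:
            return ("rejected", "wrong issuer or audience")
        url = self.pending.pop(claims.get("in_response_to"), None)
        if url is None:
            return ("rejected", "unknown or replayed request id")  # each token is consumed once
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = (claims["sub"], now)  # step 10: session cookie
        return ("redirect_back", url, cookie)         # step 9


def run_flow():
    """Drives one sign-on, a cached-cookie revisit, a blocked request and an expiry."""
    idp = IdentityProvider(IDP_METADATA, {"alice": "correct horse"})
    proxy = CloudProxy(IDP_METADATA, session_timeout=3600,
                       blocked_by_user={"alice": ["https://gambling.example.test"]})
    first = proxy.handle_request("https://news.example.test/", cookie=None, now=0)
    token = idp.authenticate(first[2], SP_ENTITY_ID, "alice", "correct horse")
    back = proxy.consume_token(token, now=1)
    replay = proxy.consume_token(token, now=2)
    cookie = back[2]
    second = proxy.handle_request("https://news.example.test/", cookie, now=2)
    blocked = proxy.handle_request("https://gambling.example.test/x", cookie, now=3)
    expired = proxy.handle_request("https://news.example.test/", cookie, now=5000)
    return {"first": first[0], "back": back, "replay": replay[0],
            "second": second[0], "blocked": blocked[0], "expired": expired[0]}


if __name__ == "__main__":
    for step, result in run_flow().items():
        print(step, result)
```

The checks that matter on the proxy side are the ones a real service provider performs on the assertion: signature against the metadata's key, issuer and audience, and a request id that is consumed on first use so a captured token cannot be presented again. The expiry branch of `handle_request` is what the note above describes: once `now` passes the session timeout, the cookie no longer identifies the session and the browser is sent back through steps 3-10.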

Next steps

If the user’s policy does not force authentication for requests with known IP addresses, the authentication process for local users happens without user interaction.

If the user’s policy is set to Always authenticate users on first access, or if the user is requesting a category that requires authentication, the user receives the identity provider’s sign-in page. The sign-in page below is an example from Microsoft AD FS. (This page can usually be customized via your identity provider’s management console.)

After entering valid credentials, the user is redirected to the requested website.