Limitations and recommendations
The following table lists limitations and recommendations for using single sign-on.
Category | Limitation/recommendation |
---|---|
Supported clients |
Single sign-on is supported only for web browsers. Other types of client cannot authenticate in this way. In order for other clients to work with the proxy service, you must enable authentication decryption bypass by user agent or destination. This is set on the page.Note that authentication decryption bypass is not supported for roaming users. |
Forcepoint root certificate |
When single sign-on is enabled, the cloud service performs authentication decryption for HTTPS sites by default in order to identify users. Customers must download the Forcepoint root certificate and install it on all client machines that will use this method of authentication. This ensures that end users browsing to HTTPS sites can be authenticated seamlessly. If the certificate is not installed, users will see a browser error stating that the site certificate is not valid. Note that this applies to SSO over tunneling only if decryption is explicitly enabled in the policy. |
SSLdecryption bypass: local users |
If you have added categories to the SSL Decryption Bypass list via , users browsing HTTPS sites in these categories cannot be authenticated via your IdP. Users will see the manual authentication welcome page.Note that this does not apply to SSO over tunneling. |
Authentication decryption: roaming users |
For roaming users, the following authentication decryption settings are not supported:
See Supported decryption and proxy bypass settings. |
Auto-provisioning | Auto-provisioning is not supported for roaming users identifying via the account identification page. |
Authentication fallback for dedicated ports |
Authentication fallback is not supported when using dedicated ports. See Authentication fallback. Note that this does not apply to SSO over tunneling. |
SSO over tunneling | For on premises users, if the first site request by a user is to an HTTPS site and the applicable policy has SSL decryption disabled, the proxy will allow the user anonymously until the user browses to an HTTP or a decrypted HTTPS site and the user is authenticated. |
Authentication for roaming and remote users |
Roaming user requests to sites that use cross-origin resource sharing (CORS) may be blocked. These sites normally do not send cookies so the correct policy cannot be determined when cookie-based authentication is used. For sites that use CORS, any cross-origin resource domains that are requested can be added as Proxy Bypass destinations to avoid the issue. |