Limitations and recommendations

The following table lists limitations and recommendations for using single sign-on. Each entry gives the category followed by the limitation or recommendation that applies to it.

Supported clients

Single sign-on is supported only for web browsers. Other types of client cannot authenticate in this way.

In order for other clients to work with the proxy service, you must enable authentication decryption bypass by user agent or destination. This is set on the Web > Bypass Settings > Authentication Bypass page.

Note that authentication decryption bypass is not supported for roaming users.

Forcepoint root certificate

When single sign-on is enabled, the cloud service performs authentication decryption for HTTPS sites by default in order to identify users. Customers must download the Forcepoint root certificate and install it on all client machines that will use this method of authentication. This ensures that end users browsing to HTTPS sites can be authenticated seamlessly.

If the certificate is not installed, users will see a browser error stating that the site certificate is not valid.

Note that this applies to SSO over tunneling only if decryption is explicitly enabled in the policy.

SSL decryption bypass: local users

If you have added categories to the SSL Decryption Bypass list via Web > Policies > [policy name] > Web Categories > SSL Decryption Bypass, users browsing HTTPS sites in these categories cannot be authenticated via your IdP. Users will see the manual authentication welcome page.

Note that this does not apply to SSO over tunneling.

Authentication decryption: roaming users

For roaming users, the following authentication decryption settings are not supported:

  • Authentication decryption bypass
  • Authentication bypass by user agent or hostname
  • SSL decryption bypass

See Supported decryption and proxy bypass settings.

Auto-provisioning

Auto-provisioning is not supported for roaming users identifying via the account identification page.

Authentication fallback for dedicated ports

Authentication fallback is not supported when using dedicated ports. See Authentication fallback.

Note that this does not apply to SSO over tunneling.

SSO over tunneling

For on-premises users, if the first site request by a user is to an HTTPS site and the applicable policy has SSL decryption disabled, the proxy allows the user anonymously until the user browses to an HTTP site or a decrypted HTTPS site and is authenticated.

Authentication for roaming and remote users

Roaming user requests to sites that use cross-origin resource sharing (CORS) may be blocked. These sites normally do not send cookies so the correct policy cannot be determined when cookie-based authentication is used.

For sites that use CORS, any cross-origin resource domains that are requested can be added as Proxy Bypass destinations to avoid the issue.
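The following is an added illustration, not Forcepoint code, of why cookie-based authentication cannot resolve a policy for a cross-origin request and how a Proxy Bypass destination avoids the block. The request samples, the cookie name, the session table, the policy names and the bypass list are all constructed for this example and are assumptions about a deployment, not product identifiers.

```python
"""Simulate a proxy's cookie-based policy lookup over two constructed requests:
a normal top-level navigation (cookie present) and a CORS fetch to a
cross-origin API (no cookie sent), then show the effect of a Proxy Bypass entry."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

# Assumed name of the session cookie the proxy sets after single sign-on.
AUTH_COOKIE = "proxy_sso_session"

# Constructed session table (cookie value -> user) and user -> policy mapping.
SESSIONS = {"s3ss10n-abc": "alice@example.com"}
USER_POLICY = {"alice@example.com": "Finance policy"}
# What an unidentified user receives; a fetch() cannot render this page,
# so from the web app's point of view the request simply fails.
UNAUTHENTICATED_RESULT = "Manual authentication welcome page"

# Destinations added as Proxy Bypass (assumed for this example).
PROXY_BYPASS_DESTINATIONS = {"api.partner.example"}

# Constructed sample requests as the proxy would see them.
NAV_REQUEST = """GET /reports HTTP/1.1
Host: intranet.example.com
Cookie: proxy_sso_session=s3ss10n-abc; theme=dark
"""
# A CORS fetch from intranet.example.com: the browser sends Origin but,
# being cross-origin, does not attach the proxy's cookie.
CORS_REQUEST = """GET /v1/data HTTP/1.1
Host: api.partner.example
Origin: https://intranet.example.com
"""


@dataclass
class Request:
    method: str
    host: str
    headers: dict


def parse_request(raw: str) -> Request:
    """Parse a minimal HTTP/1.1 request head into method, host and lower-cased headers."""
    lines = raw.strip().splitlines()
    method = lines[0].split()[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, headers.get("host", ""), headers)


def identify_user(req: Request) -> Optional[str]:
    """Cookie-based identification: the user behind a known SSO cookie, else None."""
    jar = SimpleCookie()
    jar.load(req.headers.get("cookie", ""))
    morsel = jar.get(AUTH_COOKIE)
    return SESSIONS.get(morsel.value) if morsel else None


def resolve_policy(req: Request, bypass=PROXY_BYPASS_DESTINATIONS) -> str:
    """Proxy decision: bypassed destinations go direct without authentication;
    otherwise the user's policy applies, or the welcome page if no user is known."""
    if req.host in bypass:
        return "bypass: forwarded without authentication"
    user = identify_user(req)
    if user is None:
        return UNAUTHENTICATED_RESULT
    return USER_POLICY[user]


if __name__ == "__main__":
    nav = parse_request(NAV_REQUEST)
    cors = parse_request(CORS_REQUEST)
    print("navigation:", resolve_policy(nav))
    print("CORS fetch, no bypass:", resolve_policy(cors, bypass=set()))
    print("CORS fetch, with bypass:", resolve_policy(cors))
```

Run with no bypass list, the cross-origin request carries no session cookie, so the proxy cannot map it to a user or policy and answers with the welcome page, which the calling script experiences as a blocked request. Listing the cross-origin domain as a Proxy Bypass destination takes that request out of the authenticating path entirely, which is the workaround the text describes; the trade-off is that traffic to that domain is no longer subject to user-based policy.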