Troubleshooting

This section outlines some common issues with single sign-on, with suggested solutions.

Problem: The identity provider login page is not displayed.

Suggested solutions:

  • Check that the IDP’s hostname or IP address can be reached.

  • Check that the user’s PAC file contains port 8006 (or the dedicated port for your account). If you are using a custom PAC file, this must be manually edited to include the relevant SSO port.

  • Check that the Always authenticate users on first access setting is enabled in your policy.

  • If the authentication cookie is already set, the page is not displayed. Clear your browser’s cookies.

Problem: A certificate error is shown when browsing to HTTPS sites.

Suggested solutions:

Ensure you have installed the Forcepoint root certificate on your client machine.

Problem: “Failed Authentication” message is displayed.

Suggested solutions:

The single sign-on error page is shown if a user cannot be authenticated by your IDP. The page displays a brief status message (for example, “Reason: Invalid response from authentication gateway”).

To help diagnose the problem, display the HTML source of the page to access more detailed technical information taken from the IDP’s SAML response. This information will be useful if you need to contact Technical Support. See Failed Authentication page.

Problem: Fallback authentication link is not visible on the SSO redirect page.

Suggested solutions:

If you are using dedicated ports, this is expected behavior. Authentication fallback is not supported for dedicated ports.

If you are still experiencing issues, contact Forcepoint Technical Support. Ensure you have gathered the following information:

  • Error page HTML

    If you receive a “Failed Authentication” page, save the HTML source. This contains technical information from your IDP on the nature of the authentication issue. See Failed Authentication page.

  • IdP configuration details/screenshots

    If possible, provide screenshots of your IDP configuration.

  • IdP event logs

    If applicable, obtain the event logs from your identity provider.

  • HAR file

    To help diagnose network issues, you can generate a .HAR (HTTP Archive) file to log your browser’s interaction with a particular website. HAR files can be generated using Google Chrome’s Developer Tools, as well as other software packages.

  • Packet captures

    Capture your network traffic using a package such as Wireshark or FiddlerCap.
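
A HAR file captured during a single sign-on login records session cookies, authorization headers and the posted SAMLResponse. The following Python script is an added example, not Forcepoint code, that redacts those values before the file is shared; the header and parameter names it matches are assumptions chosen for the example.

```python
import copy
import json
import sys
from pathlib import Path
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
# Assumption: field names chosen for this example; extend them for your IdP.
HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
PARAMS = {"samlresponse", "samlrequest", "relaystate", "password"}


def scrub_pairs(pairs, names=None):
    """Blank HAR name/value pairs whose name is in `names` (all if None)."""
    for pair in pairs or []:
        if names is None or pair.get("name", "").lower() in names:
            pair["value"] = REDACTED


def scrub_query(text):
    """Blank sensitive fields in a URL-encoded query string or form body."""
    fields = parse_qsl(text, keep_blank_values=True)
    return urlencode([(k, REDACTED if k.lower() in PARAMS else v) for k, v in fields])


def redact_har(har):
    """Return a redacted deep copy of a parsed HAR document."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            scrub_pairs(msg.get("headers"), HEADERS)
            scrub_pairs(msg.get("cookies"))  # every cookie value is blanked
        scrub_pairs(req.get("queryString"), PARAMS)
        url = urlsplit(req.get("url", ""))
        req["url"] = urlunsplit(url._replace(query=scrub_query(url.query)))
        post = req.get("postData") or {}
        scrub_pairs(post.get("params"), PARAMS)
        if "urlencoded" in post.get("mimeType", "") and post.get("text"):
            post["text"] = scrub_query(post["text"])
        body = resp.get("content") or {}
        # An IdP's auto-submit form carries the assertion in the response body.
        if any(p in (body.get("text") or "").lower() for p in PARAMS):
            body["text"] = REDACTED
    return har


if __name__ == "__main__" and len(sys.argv) == 3:  # usage: script in.har out.har
    clean = redact_har(json.loads(Path(sys.argv[1]).read_text(encoding="utf-8")))
    Path(sys.argv[2]).write_text(json.dumps(clean, indent=2), encoding="utf-8")
```

Response bodies stored base64-encoded in the HAR are not inspected by this script, so review the output before sending it.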