Introduction

To apply policies to users and groups, web protection software must be able to identify the user making a request, given the originating IP address. Various identification and authentication methods are available for the on-premises software:

A web protection transparent identification agent works in the background to communicate with a directory service and identify users (see Identifying on-premises users transparently).
Web protection software prompts users for their network credentials, requiring them to log on when they open a web browser (see Manual authentication).
(Forcepoint Web Security only) Content Gateway uses one or more several supported methods (including Integrated Windows Authentication, Legacy NTLM, LDAP, and RADIUS) to authenticate user requests (see the Content Gateway Manager Help).
This option may be used in conjunction with a transparent identification agent to provide a fallback method for applying user-based policies when user authentication is unavailable.
(Forcepoint URL Filtering only) A third-party integration product identifies or authenticates users, and then passes user information to web protection software.
A list of supported integration products is available in the Deployment and Installation Center.

With the Hybrid Module, the hybrid service must likewise be able to identify or authentication users to apply user and group based policies.

A component called Directory Agent collects the information used to identify users (see Identification and authentication of hybrid users).
Web endpoint client software is installed on client machines to provide transparent authentication, enforce use of the hybrid service, and pass authentication details to the hybrid service.
Single sign-on provides authentication using an identity provider that communicates with your directory service.
Ping Federate and Microsoft Active Directory Federation Services (AD FS), as well as any other SAML 2.0 Compliant Identity Provider (added for v8.5.5), are supported.