Authentication priority and overrides
You can select multiple authentication options for your end users on the page. The options are prioritized as follows:
- Forcepoint Web Security Endpoint is always used, if installed.
- If the endpoint client software is not installed or fails, single sign-on is used if both of the following are true:
  - It has been deployed in your network.
  - It has been selected on the Hybrid User Identification page for an end user whose requests are managed by the hybrid service.
- If neither the endpoint client software nor single sign-on is available, the end user is authenticated via secure form-based authentication, if both of the following are true:
  - It has been selected on the Hybrid User Identification page.
  - The user agent or application requesting authentication supports form-based authentication via an HTML page.
- Applications that do not support form-based authentication use either NTLM identification or basic authentication. Basic authentication is always used if Always authenticate users on first access is selected and none of the other options are either selected or available.
You can also enforce a specific authentication option for certain end users, for example all users in a branch office, by deploying a PAC file URL in the following format:
http://hybrid-web.global.blackspider.com:8082/proxy.pac?a=X
The a= parameter controls the authentication option, and X can be one of the following:
Parameter | Description |
---|---|
a=n | NTLM identification or basic authentication is used, depending on the policy settings and the browser or application capability. |
a=f | Authentication is performed using secure form-based authentication. |
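The following added example (not Forcepoint code) audits an inventory of deployed PAC file URLs: it checks each URL against the documented location, rejects undocumented a= values, and reports the authentication method a client would get. The function names, state flags and sample inventory are this example's own, and it assumes that an a= override takes precedence over the default priority order and that basic authentication applies only when neither single sign-on nor form-based authentication is selected.

```python
from urllib.parse import urlsplit, parse_qs

# Host, port and path from the PAC file URL format documented above.
PAC_HOST, PAC_PORT, PAC_PATH = "hybrid-web.global.blackspider.com", 8082, "/proxy.pac"
# a= values from the table above.
OVERRIDES = {"n": "NTLM identification or basic authentication",
             "f": "secure form-based authentication"}

def pac_override(pac_url):
    """Return the a= value of a PAC file URL (None if absent); reject anything undocumented."""
    u = urlsplit(pac_url)
    if (u.hostname, u.port, u.path) != (PAC_HOST, PAC_PORT, PAC_PATH):
        raise ValueError(f"not the documented PAC location: {pac_url}")
    values = parse_qs(u.query, keep_blank_values=True).get("a", [])
    if not values:
        return None
    if len(values) != 1 or values[0] not in OVERRIDES:
        raise ValueError(f"undocumented a= value {values!r}: {pac_url}")
    return values[0]

def default_method(endpoint_ok=False, sso_deployed=False, sso_selected=False,
                   form_selected=False, agent_supports_forms=False,
                   always_authenticate=False):
    """Walk the priority order listed above (flag names are this example's own)."""
    if endpoint_ok:
        return "Forcepoint Web Security Endpoint"
    if sso_deployed and sso_selected:
        return "single sign-on"
    if form_selected and agent_supports_forms:
        return "secure form-based authentication"
    # Assumption: "none of the other options" means SSO and forms are unselected.
    if always_authenticate and not (sso_selected or form_selected):
        return "basic authentication"
    return OVERRIDES["n"]

def effective_method(pac_url, **state):
    """Assumption: an a= override wins; otherwise the default order applies."""
    override = pac_override(pac_url)
    return OVERRIDES[override] if override else default_method(**state)

# Constructed sample inventory: site name -> PAC URL deployed there.
SAMPLE = {
    "head-office": "http://hybrid-web.global.blackspider.com:8082/proxy.pac",
    "branch-a": "http://hybrid-web.global.blackspider.com:8082/proxy.pac?a=f",
    "branch-b": "http://hybrid-web.global.blackspider.com:8082/proxy.pac?a=n",
}

if __name__ == "__main__":
    for site, url in SAMPLE.items():
        print(site, "->", effective_method(url, sso_deployed=True, sso_selected=True))
```

A `ValueError` from `pac_override` marks a PAC URL that points somewhere other than the documented location or carries an a= value that is not in the table, which is the entry to investigate first.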