About Authentication

When configuring authentication, you have two main choices: bypass authentication or authenticate using selected options.

If you choose to bypass authentication, web traffic is filtered by the appliance’s Default Policy rules, or Additional Policies that are based on IP addresses and IP ranges.

If instead you choose to turn on authentication, you can select one or both of the following options:

  • Single Sign On: Automatically authenticates with the credentials of the currently logged on user. You can configure Single Sign On to process the credentials without user interaction.
  • Captive Portal: Allows access through a special web page, where users can log in. When enabled, users are automatically redirected to this page if Single Sign On fails or if Single Sign On is turned off. You can configure the Captive Portal feature to authenticate users and devices that cannot authenticate through Single Sign On. If "Allow access" is also turned on, a guest login link is displayed on the portal page.

    The login page itself is customizable. For more information, see “Notification Page Options.”

You can also configure how to manage access if authentication fails for Single Sign On or Captive Portal. You can either block access, or allow access using the appliance’s IP-based policy rules. The results vary, depending on the combination of selected options.

At the very least, you must select either Single Sign On or Captive Portal. The appliance does not permit you to save the settings unless one or both of the options is selected. If both are enabled, the appliance will first attempt to authenticate with Single Sign On.

In many cases, it will be sufficient to accept the factory settings on the Default Settings tab of the System: Authentication page. On a newly installed appliance, both Single Sign On and Captive Portal are enabled. On authentication failure, the default is to Allow access.

The settings that you configure on the Default Settings tab will apply to all users, unless you specify authentication exceptions on the Profiles tab.

Authentication Profiles

“Authentication profiles” reference “connection profiles” that apply a different form of authentication to specified connection sources (IP addresses, devices, or client applications). For example, you may want to exempt certain connection sources from the main type of authentication you have configured on the Default Settings tab.

On the Profiles tab, you can create authentication profiles. Using the Authentication Profile Editor, you can configure each authentication profile to:

  • apply to all connections, or only to selected connection profiles. (Connection profiles must be created using the Connection Profile Editor on the System: Connection Profiles page.)
  • apply to all destination sites, or only to specified sites.
  • bypass authentication and apply IP-based policy rules, or authenticate using Single Sign On and/or Captive Portal.