Authentication policy

You can require that users authenticate before they access a website or URL for an allowed category in an acceptable use policy (AUP). To do this, select an authentication mode in a policy. These modes are available:
  • Require. Indicates that authentication is required. When you select this mode, you must select an identity provider.
  • Optional. Indicates that the user can authenticate or skip authentication. This allows users to access websites without needing to log in. This is useful to reduce the service impact of locked accounts or of users forgetting their two-factor authentication token. If no threat is detected by ETP, the user is granted access to the website or URL. When you select this mode, you must also select an identity provider.
  • None. Indicates that authentication is not required. If no threat is detected by ETP, the user is granted access to the requested website or URL.

If authentication is required or optional, you must associate an identity provider with the policy. An identity provider uses a directory service to manage users. This information allows ETP to grant access to your users. The identity provider also includes authentication requirements that are enforced when users authenticate, such as factors of authentication for multi-factor authentication, the lifetime of an authenticated session, and more. For more information, see Identity providers.

These authentication modes go into effect when any of these AUP configurations apply.
  • The block action is not selected for an AUP category or subcategory. If no threat is detected by ETP Proxy, authenticated users are granted access.
  • Specific users or groups are selected as exceptions to a blocked AUP category or subcategory. This means that while websites in a category are blocked to most users, the users or groups identified as exceptions to this block can access websites in that category or subcategory. To grant a user access to a blocked AUP category or subcategory, see Grant specific users or groups access to an AUP category or subcategory.

If there are servers or other headless computers that you want to exempt from authentication, you can enter the internal IP addresses of these machines in a location configuration. A location configuration includes a Bypass IPs area where you enter these IP addresses. The IP addresses that you provide in this area bypass authentication when authentication is enabled in an associated policy. For more information, see Configure an authentication exception.
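Because every address in the Bypass IPs area skips authentication, the list is worth reviewing before it is entered. The following is an added example, not part of the ETP product or its documentation: it checks a hand-maintained list of candidate bypass entries, assuming that "internal" means RFC 1918 or IPv6 unique local space and that entries are plain strings. The function name, the sample list, and the handling of CIDR ranges are assumptions; this page does not state whether the field accepts ranges.

```python
import ipaddress

# Assumption: "internal" is taken to mean RFC 1918 (IPv4) or ULA (IPv6) space.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def audit_bypass_ips(entries, max_hosts=1):
    """Return (entry, finding) tuples for candidate bypass entries needing review.

    An entry passes only if it is a valid, internal address that covers no more
    than max_hosts addresses and has not already appeared in the list.
    """
    findings, seen = [], set()
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=False lets a host written with a prefix length still parse.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "not a valid IP address"))
            continue
        if net in seen:
            findings.append((entry, "duplicate entry"))
            continue
        seen.add(net)
        internal = any(net.version == r.version and net.subnet_of(r)
                       for r in INTERNAL_RANGES)
        if not internal:
            findings.append((entry, "outside RFC 1918 / ULA space"))
        elif net.num_addresses > max_hosts:
            findings.append(
                (entry, f"covers {net.num_addresses} addresses, not one machine"))
    return findings

# Constructed sample list; none of these values come from a real deployment.
SAMPLE = ["10.20.30.40", "10.20.30.40 ", "192.168.5.0/24", "8.8.8.8", "srv-build-01"]

if __name__ == "__main__":
    for entry, finding in audit_bypass_ips(SAMPLE):
        print(f"{entry}: {finding}")
```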