Authentication policy

You can require that users authenticate before they access a website, URL, or even a web application. These modes are available:
  • Require. Indicates that authentication is required. When you select this mode, you must select an identity provider. Users cannot access a website without authentication.
  • Optional. Indicates that the user can authenticate or skip authentication. This mode allows users to access websites without needing to log in. This is useful for reducing the service impact of locked accounts, or of users who have forgotten their two-factor authentication token. With this mode, users can access all websites allowed by the policy.
  • None. Indicates that authentication is not required. If no threat is detected by ETP, the user is granted access to the requested website or URL.

If authentication is required or optional, you must associate an identity provider with the policy. An identity provider uses a directory service to manage users. This information allows ETP to grant access to your users. The identity provider also includes authentication requirements that are enforced when users authenticate, such as the factors used for multi-factor authentication, the lifetime of an authenticated session, and more. For more information, see Identity providers.

You can restrict certain types of access to specific users or groups:
  • Allow access to an AUP category for specific users or groups only. See Grant specific users or groups access to an AUP category.
  • Allow only specific users or groups to access websites in a custom list.
  • Exempt uploads made by specific users or groups from data loss prevention (DLP) scanning. For more information on DLP, see Data loss prevention.
  • If your organization is participating in the application visibility and control (AVC) beta, you can allow specific groups or users to access websites with a certain risk level, category, category operation, application, and application operation. For more information about AVC, see Application visibility and control.

If there are servers or other headless computers that you want to exempt from authentication, you can enter the internal IP addresses of these machines in a location configuration. A location configuration includes a Bypass IPs area where you enter these IP addresses. The IP addresses that you provide in this area bypass authentication when authentication is enabled in an associated policy. For more information, see Configure an authentication exception.
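The following is an added, illustrative model of how the three authentication modes, the group-based restrictions, the DLP exemption, and the location's Bypass IPs interact when a request is evaluated. It is not ETP code and not the product's API; the class and function names (Policy, Request, Decision, evaluate, demo) and the sample networks, users and groups are invented here. It also encodes one assumption not stated above: a request from a bypass IP, or an unauthenticated request under the Optional mode, carries no user identity and therefore no directory groups, so it cannot satisfy a category that is restricted to specific groups.

```python
"""Hypothetical model of the authentication policy semantics described in the text.

Illustrative only: not the ETP product API. Names (Policy, Request, Decision,
evaluate, demo) and all sample values are invented for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class AuthMode(Enum):
    REQUIRE = "require"    # users cannot access a website without authenticating
    OPTIONAL = "optional"  # users may authenticate or skip authentication
    NONE = "none"          # no authentication; access granted if no threat is detected


@dataclass
class Policy:
    auth_mode: AuthMode
    identity_provider: Optional[str] = None
    # Bypass IPs from the associated location configuration (CIDR or single host)
    bypass_ips: List[str] = field(default_factory=list)
    # AUP category -> groups that alone may access it (categories absent here are open)
    category_groups: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    # Groups whose uploads are exempt from DLP scanning
    dlp_exempt_groups: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        # Both Require and Optional need an identity provider associated with the policy
        if self.auth_mode is not AuthMode.NONE and not self.identity_provider:
            raise ValueError(f"auth mode '{self.auth_mode.value}' needs an identity provider")
        self._bypass_networks = [ipaddress.ip_network(ip, strict=False) for ip in self.bypass_ips]

    def is_bypass_ip(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self._bypass_networks)


@dataclass(frozen=True)
class Request:
    client_ip: str
    category: str
    user: Optional[str] = None            # None means the client did not authenticate
    groups: FrozenSet[str] = frozenset()  # directory groups supplied by the identity provider
    is_upload: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    dlp_scan: bool  # whether an upload in this request goes through DLP scanning


def authentication_required(policy: Policy, req: Request) -> bool:
    """Bypass IPs skip authentication entirely; otherwise only Require mode insists on it."""
    if policy.is_bypass_ip(req.client_ip):
        return False
    return policy.auth_mode is AuthMode.REQUIRE


def evaluate(policy: Policy, req: Request) -> Decision:
    if authentication_required(policy, req) and req.user is None:
        return Decision(False, "authentication required", req.is_upload)
    # Assumption: an anonymous request has no groups, so Optional mode (or a bypass IP)
    # still cannot open a group-restricted category to an unauthenticated client.
    allowed_groups = policy.category_groups.get(req.category)
    if allowed_groups is not None and not (req.groups & allowed_groups):
        return Decision(False, f"category '{req.category}' restricted to {sorted(allowed_groups)}",
                        req.is_upload)
    # DLP exemption applies only to uploads by members of an exempt group
    dlp_scan = req.is_upload and not (req.groups & policy.dlp_exempt_groups)
    return Decision(True, "allowed", dlp_scan)


def demo() -> Dict[str, Decision]:
    """Constructed scenarios: sample networks, users and groups, not real ones."""
    require = Policy(AuthMode.REQUIRE, "corp-idp", bypass_ips=["10.0.5.0/24"],
                     category_groups={"finance-apps": frozenset({"finance"})},
                     dlp_exempt_groups=frozenset({"legal"}))
    optional = Policy(AuthMode.OPTIONAL, "corp-idp",
                      category_groups={"finance-apps": frozenset({"finance"})})
    return {
        "require_anonymous": evaluate(require, Request("192.0.2.10", "general")),
        "require_bypass_host": evaluate(require, Request("10.0.5.20", "general")),
        "require_finance_user": evaluate(
            require, Request("192.0.2.10", "finance-apps", "alice", frozenset({"finance"}))),
        "optional_anonymous_general": evaluate(optional, Request("192.0.2.10", "general")),
        "optional_anonymous_finance": evaluate(optional, Request("192.0.2.10", "finance-apps")),
        "require_legal_upload": evaluate(
            require, Request("192.0.2.10", "general", "bob", frozenset({"legal"}), is_upload=True)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} allowed={decision.allowed!s:5s} dlp_scan={decision.dlp_scan!s:5s} {decision.reason}")
```

The scenarios worth comparing are the two anonymous requests under the Optional policy: the unrestricted category is allowed without a login, but the category restricted to the finance group is not, which is why Optional mode reduces the impact of locked accounts without silently widening access to group-restricted content. The bypass-host scenario shows the headless-machine exception: the address inside 10.0.5.0/24 is served even though the policy is in Require mode.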