User authentication and group policies

You can configure and enable user authentication in ETP to allow specific users and groups access to websites, URLs, or web applications in your enterprise. Enabling authentication also allows you to view user and group information in activity reports.

To set up authentication, you need to also configure these features:

  • Authentication mode. Setting where you enable or disable authentication. You can also make authentication optional. With the optional setting, users can authenticate or skip authentication for each browser session. For more information, see Authentication policy.

  • Identity providers. Service that authenticates users and expands their group membership. You can configure a third-party IdP such as Okta and Active Directory Federation Services (AD FS). If you require authentication or make authentication optional, you need to select an IdP in the policy configuration. For more information, see About identity providers.

  • Directories. Directory service that your enterprise uses to manage users and user groups. You need to associate a directory service to an IdP. These directory services are supported:

    • Active Directory
    • Lightweight Directory Access Protocol
    • Active Directory Federation Services

    For more information, see About directories.

  • Identity connectors. An identity connector is a virtual appliance that you download in ETP and deploy behind the firewall in your data centers or hybrid cloud environments. Identity connectors dial-out to ​Akamai​ and enable connectivity to allow ETP to synchronize with your organization's AD or LDAP servers that are located inside your enterprise data center. For more information, see About identity connectors.

📘

You can enable authentication and configure these features when ETP Proxy is enabled for the full web proxy and when using ETP Client 3.0.4 or later. ETP proxy acts as a full web proxy that performs URL filtering and anti-malware scanning in your current network configuration. If ETP Proxy is enabled to scan only risky traffic, these features do not apply. For more information, see Full web proxy.

After a user successfully authenticates, a user does not need to provide their credentials to access content for the length of their user session. You define the length of the user session in an IdP configuration. If you add a user to a group that's granted access and the user authenticates, it may take up to 15 minutes before the user session is saved.

Note these considerations:

  • If your organization is also licensed for Enterprise Application Access (EAA), you can use your existing IdP configuration in ETP. In this situation, make sure you manage the IdP in EAA. Do not modify these settings in the ETP UI to avoid conflicting configuration changes.

  • The Cloud Directory is intended for testing purposes only. Do not use the Cloud Directory to store user and group information for production end-user traffic.

  • You can create separate IdP for your production, staging, or testing environments. This allows you to modify IdP settings for testing without affecting existing production traffic.

Authentication policy

You can require that users authenticate before they access a website, URL, or even a web application. These modes are available:

  • Require. Indicates that authentication is required. When you select this mode, you need to select an IdP. Users cannot access a website without authentication.

  • Optional. Indicates that the user can authenticate or skip authentication. This mode allows users to access websites without needing to log in. This is useful to reduce service impact of locked accounts or when users forget their two-factor authentication token. With this mode, users can access all websites allowed by the policy.

  • None. Indicates that authentication is not required. If no threat is detected by ETP, the user is granted access to the requested website or URL.

If authentication is required or optional, you need to associate an IdP to the policy. An IdP uses a directory service to manage users. This information allows ETP to grant access to your users. The IdP also includes authentication requirements that are enforced when users authenticate, such as factors of authentication for multi-factor authentication (MFA), the lifetime of an authenticated session, and more. For more information, see About identity providers.

You can restrict certain types of access to specific users or groups. For example, you can:

  • Allow only specific users or groups to access websites in a custom list.

  • Exempt uploads made by specific users or groups from DLP scanning. For more information on DLP, see Data loss prevention.

  • Allow specific users or groups to access websites or web applications based on risk level, category, category operation, application, and application operation. For more information, see Application visibility and control.

Require authentication to access a website or web application

Before you begin

Make sure a directory and an IdP are configured. For more information, see Add a directory and Add an identity provider.

You can enable an authentication mode in a policy to require that users authenticate before they access a website, URL, or web application. If you select the Require or Optional authentication mode settings, you need to select an IdP.

With the Optional mode, users can skip authentication. However, access is not guaranteed when the user skips authentication. For example, if the Social Media category is blocked to every user except for users in Group A, the users in Group A can access social media websites that are part of this category. To access a social media website, users in Group A can authenticate or skip authentication. If the user skips authentication, they are assigned the most strict policy action. In this case, the user who skipped authentication is blocked from accessing the social media website because ETP is unable to confirm that the user is part of Group A.

To require authentication to access a website or web application:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. Display the policy where you want to enable an authentication mode.

  3. Click the Settings tab.

  4. In the Authentication Mode menu, select Require. Or to allow users to skip authentication, select Optional.

  5. In the Identity Provider field, select the IdP to use for authentication.

  6. Click Save and deploy your changes.

Next steps

Grant access to specific users or groups

Before you begin

  1. Make sure a directory and IdP is configured. For more information, see Add a directory and Add an identity provider.

  2. Require authentication to access a blocked website or web application. See Require authentication to access a website or web application.

When you select the block action for access control, you define the users or groups that are exempt from the block action. For more information, see Application visibility and control.

To define user and group access to websites and web applications:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. Go to the policy where you want to grant specific users or groups access to a blocked AUP category.

  3. Click the edit icon.

  4. Click the Access Control tab.

  5. Click the AUP and Shadow IT tab.

  6. Go to the blocked risk level, category, category operation, application, or application operation that you want specific users or groups to access.

  7. To grant access to specific groups:

    1. Click the link icon.

    2. Click the Groups tab.

    3. In the text field, enter the group name. As you enter a group name, a list of groups appear in a drop-down list. This includes imported groups, organizational units (OUs), and any overlay groups that were added to ETP.

      If the group name you provide does not appear in the drop-down list, you can add the group. If you add a group, you need to also add the group to the relevant directory for the group to authenticate and gain access.

    4. Select the group or groups from the list.

    5. Click Associate.

  8. To grant access to specific users:

    1. Click the link icon.

    2. Click the Users tab.

    3. In the text field, enter the user's unique user ID.

      If the user does not exist in the directory associated with the policy IdP, you can enter a unique ID for the user you want to add and click the add button. This adds the unique ID to the list. You need to also add the user to the relevant directory for the user to authenticate and gain access. The user ID that's provided here is the ID the user enters to authenticate.

      If you need to find a user ID to enter into this field, you can filter activity in the Proxy Activity report (Monitoring > Activity > Proxy Activity) by User ID.

    4. Select the user or users from the list.

    5. Click Associate.

  9. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps

If you haven’t deployed the policy, make sure you deploy it to the ETP network. For instructions, see Deploy configuration changes.


Did this page help you?