The steps in the SSO process depend on whether the user's credentials are submitted to the cloud application directly (non-proxy mode) or through Web Gateway (proxy or inline mode).
In proxy and non-proxy modes, Web Gateway authenticates the user, then presents the launchpad. The launchpad displays icons corresponding to the cloud applications the user is allowed to access. The SSO process appears the same to the user in both modes:
- From a web browser on a client of Web Gateway, the user requests a launchpad.
- After authenticating the user, Web Gateway sends a launchpad.
- To open an application, the user clicks the icon corresponding to the application on the launchpad.
- Web Gateway sends a logon form to the user.
- If requesting access for the first time, the user is prompted for credentials, which the user provides and submits to Web Gateway. If requesting access for a second or later time, the logon form is automatically filled with the user's credentials and submitted to Web Gateway.
- If the credentials are valid, the user is allowed SSO access to the cloud application.
In proxy mode, Web Gateway forwards the user's credentials to the cloud application.
When single sign-on takes place in proxy mode, Web Gateway can provide additional functionality that is not available in non-proxy mode:
- Encrypted password — The password is encrypted and hidden from the client computer.
In non-proxy mode, the user's browser forwards the credentials to the cloud application.
NOTE: When single sign-on takes place in non-proxy mode, Web Gateway functions as a web server. When configuring your Domain Name Service and all SSO settings, you must use the IP address of the Web Gateway appliance in place of a host name.