The steps in the SSO process depend on whether the user's credentials are submitted to the cloud application directly (non-proxy mode) or through Secure Web Gateway (proxy or inline mode).
In proxy and non-proxy modes, Secure Web Gateway authenticates the user, then presents the launchpad. The launchpad displays icons corresponding to the cloud applications the user is allowed to access. The SSO process appears the same to the user in both modes:
- From a web browser on a client of Secure Web Gateway, the user requests a launchpad.
- After authenticating the user, Secure Web Gateway sends a launchpad.
- To open an application, the user clicks the icon corresponding to the application on the launchpad.
- Secure Web Gateway sends a logon form to the user.
- If requesting access for the first time, the user is prompted for credentials, which the user provides and submits to Secure Web Gateway. If requesting access for a second or later time, the logon form is automatically filled with the user's credentials and submitted to Secure Web Gateway.
- If the credentials are valid, the user is allowed SSO access to the cloud application.
In proxy mode, Secure Web Gateway forwards the user's credentials to the cloud application.
When single sign-on takes place in proxy mode, Secure Web Gateway can provide additional functionality that is not available in non-proxy mode:
- Encrypted password — The password is encrypted and hidden from the client computer.
In non-proxy mode, the user's browser forwards the credentials to the cloud application.
NOTE: When single sign-on takes place in non-proxy mode, Secure Web Gateway functions as a web server. When configuring your Domain Name Service and all SSO settings, you must use the IP address of the Secure Web Gateway appliance in place of a host name.
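The practical difference between the two modes is which party ever holds the cleartext password. The following is an added conceptual model, not the product's own code: `CloudApp`, `Gateway`, `run_sso`, the sample account, and the single-use opaque handle (a stand-in for the password encryption described above, whose actual mechanism this page does not specify) are all assumptions.

```python
import secrets

class CloudApp:
    """Constructed stand-in for a cloud application's logon endpoint."""
    def __init__(self, accounts):
        self._accounts = accounts
    def logon(self, user, password):
        return secrets.compare_digest(self._accounts.get(user, ""), password)

class Gateway:
    """Conceptual model of the gateway's stored SSO credentials (hypothetical)."""
    def __init__(self, app, proxy_mode):
        self.app, self.proxy_mode = app, proxy_mode
        self._store = {}   # user -> password saved after the first logon
        self._sealed = {}  # opaque handle -> (user, password), single use

    def save_credentials(self, user, password):
        self._store[user] = password

    def logon_form(self, user):
        """Return the pre-filled logon form exactly as the client receives it."""
        password = self._store[user]
        if not self.proxy_mode:
            # Non-proxy: the browser posts to the app, so it needs the real password.
            return {"user": user, "password": password, "post_to": "cloud-app"}
        # Proxy: the client only ever sees an opaque value it cannot reverse.
        handle = secrets.token_urlsafe(32)
        self._sealed[handle] = (user, password)
        return {"user": user, "password": handle, "post_to": "gateway"}

    def forward(self, form):
        """Proxy mode: swap the handle for the password and log on upstream."""
        user, password = self._sealed.pop(form["password"], (None, ""))
        if user != form["user"]:
            return False  # unknown, replayed, or mismatched handle
        return self.app.logon(user, password)

def run_sso(proxy_mode, user="alice", password="S3cret-constructed"):
    """Run a repeat logon; return (logon_ok, client_saw_cleartext_password)."""
    app = CloudApp({user: password})
    gw = Gateway(app, proxy_mode)
    gw.save_credentials(user, password)
    form = gw.logon_form(user)
    if form["post_to"] == "gateway":
        ok = gw.forward(form)
    else:
        ok = app.logon(form["user"], form["password"])
    return ok, password in form.values()

if __name__ == "__main__":
    print("proxy:", run_sso(True), "non-proxy:", run_sso(False))
```

In this model, anything able to read the browser's form data on the client recovers the application password in non-proxy mode, but only a spent handle in proxy mode.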