.  How does NetOps portal and the SSO determine what IP address to block if there's a failure?  We have users that are connecting through a proxy.  Does it block based on the proxy's address or based on the forwarded address?

Here's what I am seeing in the SingleSignOnAuditLog:

Release : 20.2

Component : PERFORMANCE MANAGEMENT INTEGRATIONS

We have a class NatProxyPath we wrote that get's the user's IP using these headers in order from top to bottom.  First one to return a valid IP is the IP we use for login tracking validation/failure checks:
  "rlnclientipaddr",
  "HTTP_X_FORWARDED_FOR",
  "HTTP_CLIENT_IP",
  "WL-Proxy-Client-IP",
  "Proxy-Client-IP",
  "X-Forwarded-For"

Note: we start with the REMOTE_ADDR value as the default, in case none of these other headers are provided.