You need to choose an authentication method for the Web Security Service.
There are five main ways to authenticate users in the ThreatPulse service.
Each authentication method is designed to fit various environments.
Below is a table of each authentication method, the surrogate type used and which access methods are supported:
| Authentication Method | Challenge-based | Surrogate Type | IPsec | Explicit | WSS Agent | Proxy Forward |
|---|---|---|---|---|---|---|
| SAML | Yes | Cookie | Yes | Yes | No | No |
| Captive Portal | Yes | IP | Yes | Yes | Yes | No |
| Roaming Captive Portal | Yes | Cookie | No | Yes | No | No |
| SSO (IP-to-User) | No | IP | Yes | No | No | No |
| HTTP Header Injection | ProxySG config item | None | No | No | No | Yes |
Example: If you have virtual desktops, such as a Citrix or Azure VDI environment, you need to use SAML authentication or Roaming Captive Portal, because both support cookie-based surrogates. Only cookies can differentiate between the user sessions: with all users on the host sharing the same IP address, IP surrogates cannot uniquely identify the users.
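The VDI case above as a simplified model (an added example, not vendor code and not how the service is implemented): a proxy challenges once, then attributes later requests by surrogate. `SurrogateProxy`, `Request`, `misattributed`, the cookie name `auth`, the IP addresses and the user names are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:
    src_ip: str                                   # client IP as the proxy sees it
    user: str                                     # who is really at the keyboard
    cookies: dict = field(default_factory=dict)   # that user's browser cookie jar

class SurrogateProxy:
    """Toy model: challenge once, then trust the surrogate credential."""

    def __init__(self, surrogate_type):
        if surrogate_type not in ("ip", "cookie"):
            raise ValueError("surrogate_type must be 'ip' or 'cookie'")
        self.surrogate_type = surrogate_type
        self.sessions = {}                        # surrogate value -> user

    def attribute(self, req):
        """Return the user name the proxy would log for this request."""
        if self.surrogate_type == "ip":
            key = req.src_ip
        else:
            key = req.cookies.get("auth")         # None until first challenge
        if key in self.sessions:
            return self.sessions[key]             # no challenge, surrogate wins
        # No surrogate yet: challenge; assume the user authenticates as themselves.
        if self.surrogate_type == "cookie":
            key = req.cookies["auth"] = secrets.token_hex(8)
        self.sessions[key] = req.user
        return req.user

def misattributed(surrogate_type, traffic):
    """Replay (src_ip, user) pairs; return (real_user, logged_user) mismatches."""
    proxy, jars, wrong = SurrogateProxy(surrogate_type), {}, []
    for src_ip, user in traffic:
        req = Request(src_ip, user, jars.setdefault(user, {}))
        logged = proxy.attribute(req)
        if logged != user:
            wrong.append((user, logged))
    return wrong

# Constructed sample: alice and bob share one VDI host, carol has her own PC.
VDI_TRAFFIC = [("10.0.0.5", "alice"), ("10.0.0.5", "bob"),
               ("10.0.0.5", "alice"), ("10.0.0.9", "carol")]
```

With the IP surrogate, bob's requests are logged and policy-checked as alice for as long as her surrogate entry lives; with the cookie surrogate each browser session is challenged and attributed separately.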
For more information regarding authentication methods, see Web Security Service Access Methods.