SAML authentication is enabled under your Cloud SWG (WSS) account.
Some websites or applications cannot complete SAML authentication, causing various types of errors.
Note: This article is only relevant to an Explicit Proxy connection method using cookie surrogate.
Cloud SWG
SAML
Explicit Proxy with cookie surrogate
Cloud SWG uses a "surrogate" value, a cookie stored in the browser, to avoid repeating the full authentication process on every HTTP connection.
Once a user is successfully authenticated with Cloud SWG, a cookie surrogate is provided (Explicit Proxy access method).
Cookie surrogates are valid for the time defined in the Cloud SWG portal. The default is the lifetime of the browser session or 24 hours, whichever comes first. To apply the cookie to the domain, Cloud SWG must be able to redirect the client.
After the surrogate expires, the user must complete a full authentication sequence to revalidate the user.
The authentication process is not always successful. Reasons include, but are not limited to, issues where the client does not:
To mitigate this issue, Cloud SWG only redirects a user for SAML authentication if the request came from a Mozilla or Mozilla-compatible browser (e.g. Internet Explorer, Firefox, etc.).
Symantec has noted that several clients spoof a browser User-Agent yet are still unable to follow the required redirect and store the cookie.
Symantec has listed the known User Agents and destination domains/URLs that fail SAML authentication. The following table lists the destinations.
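To make the surrogate lifecycle and the User-Agent gating described above concrete, here is an added Python model of the proxy's decision (example code, not Cloud SWG's own implementation). The names Request, Surrogate and decide(), the "Mozilla/" prefix test, and the three outcome strings are assumptions for illustration; timestamps are Unix epoch seconds.

```python
# Added illustration (not Cloud SWG code): a minimal model of the explicit-proxy
# decision described in the article. Names such as Request, Surrogate and
# decide() are assumptions for this example; timestamps are epoch seconds.
from dataclasses import dataclass
from typing import Optional

SURROGATE_MAX_AGE_S = 24 * 60 * 60  # default cap from the article: 24 hours


@dataclass
class Surrogate:
    """The cookie surrogate handed to the browser after a successful SAML login."""
    user: str
    issued_at: float               # epoch seconds at which the surrogate was issued
    browser_session_open: bool = True

    def is_valid(self, now: float) -> bool:
        # Valid until the browser session ends or 24 hours elapse, whichever
        # comes first (the default lifetime the article describes).
        return self.browser_session_open and (now - self.issued_at) < SURROGATE_MAX_AGE_S


@dataclass
class Request:
    host: str
    user_agent: str
    surrogate: Optional[Surrogate] = None


def is_mozilla_compatible(user_agent: str) -> bool:
    # Mozilla-compatible browsers (Firefox, Internet Explorer, Chrome, ...)
    # announce themselves with a "Mozilla/" prefix; that prefix is the
    # assumed test used here.
    return user_agent.startswith("Mozilla/")


def decide(req: Request, now: float) -> str:
    """Return the proxy's action: 'allow', 'redirect-to-saml' or 'no-redirect'."""
    if req.surrogate is not None and req.surrogate.is_valid(now):
        return "allow"                       # surrogate present and unexpired
    if is_mozilla_compatible(req.user_agent):
        return "redirect-to-saml"            # full SAML sequence (re)starts
    # No valid surrogate and a non-browser client: the proxy issues no
    # redirect, so the request cannot be authenticated. This is the failure
    # mode behind the updater, API and CDN entries in the table below.
    return "no-redirect"


def walk_through() -> list:
    """Replay the lifecycle: first request, post-login, expiry, non-browser client."""
    browser = "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"   # constructed UA
    t0 = 1_700_000_000.0                                        # constructed clock
    outcomes = []
    outcomes.append(decide(Request("example.com", browser), t0))
    cookie = Surrogate(user="alice", issued_at=t0)              # issued after login
    outcomes.append(decide(Request("example.com", browser, cookie), t0 + 3600))
    outcomes.append(decide(Request("example.com", browser, cookie), t0 + SURROGATE_MAX_AGE_S))
    outcomes.append(decide(Request("updates.example.net", "ExampleUpdater/2.1"), t0))
    return outcomes


if __name__ == "__main__":
    print(walk_through())
```

The fourth outcome is the interesting one for troubleshooting: a client with no surrogate and a non-browser User-Agent never receives the redirect, so the request fails without any SAML exchange appearing in the logs.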
Domain/URL | Comment
officeimg.vo.msecnd.net | Microsoft Office help documentation does not support the SAML redirect or cookies.
office.microsoft.com | Microsoft Office help documentation does not support the SAML redirect or cookies.
open.bbci.co.uk | Sports results from the BBC homepage have issues with the AJAX query and the SAML redirect response.
code.jquery.com | Microsoft Visual Studio external requests.
ajax.googleapis.com | Microsoft Visual Studio external requests.
cdnjs.cloudflare.com | Microsoft Visual Studio external requests.
adobe.com | Adobe updater and installer do not expect SAML authentication.
w3.airbusdoc.com | Airbus support portal. Loading external content fails with SAML enabled.
activate.netsupportsoftware.com | NetSupport activation and registration URL. Activation fails with SAML enabled.
clientconfig.microsoftonline-p | Required for MS Lync activation after the first installation.
cloudfront.net | Effective TLD (cannot set a domain-wide cookie for sub-domains).
blogspot.com | Effective TLD (cannot set a domain-wide cookie for sub-domains).
blogspot.co.uk | Effective TLD (cannot set a domain-wide cookie for sub-domains).
dilbert.com | Embedded (hot-linked) images do not follow the SAML redirect.
geo.kaspersky.com | Kaspersky Anti-Virus updates.
ftp.dell.com/Published/Data | Dell System Analysis Software.
googleapis.com | Effective TLD (cannot set a domain-wide cookie for sub-domains).
githubusercontent.com | Effective TLD (cannot set a domain-wide cookie for sub-domains).
fastly.net | Effective TLD (cannot set a domain-wide cookie for sub-domains).
mt0.google.com | JSON requests from the browser-embedded Google Maps application fail to present the SAML session cookie. This results in a redirect loop and failure to load the map.
googleusercontent.com | Google Chrome Web Store: not following redirects to the SAML SP.
hp5.a.woopic.com | Browser does not provide the SAML cookie for TTF and WOFF (icon font) files loaded through CSS.
c64.assets-yammer.com | Browser does not POST the assertion to this domain.
layout.eurosport.com | Browser does not provide the SAML cookie for TTF and WOFF (icon font) files loaded through CSS.
www.google.com/maps/vt | XML query for map data: the SAML cookie is not provided within Google Maps, preventing map data from loading.
googleusercontent.com | Chrome Web Store: browser not providing the SAML cookie for some content.
ggpht.com | Google Street View not providing the SAML cookie in some transactions to this domain.
fbstatic-a.akamaihd.net/rsrc.php | CSS required as part of Facebook log-in; the SAML session cookie is not provided.
cdn-files.deezer.com | Icon files failing to load (now resolved as part of the below policy).
capen.daveslab.co.uk | Content Security Policy not providing the SAML cookie. Required for prizes.rednoseday.com.
payments.daveslab.co.uk | Precautionary, to allow payments to process for the charity website prizes.rednoseday.com.
khms0.google.com | Google satellite view. Browser not providing the SAML session cookie for this domain.
khms1.google.com | Google satellite view. Browser not providing the SAML session cookie for this domain.
khms2.google.com | Google satellite view. Browser not providing the SAML session cookie for this domain.
khms3.google.com | Google satellite view. Browser not providing the SAML session cookie for this domain.
www.heroku.com | Effective TLD (cannot set a domain-wide cookie for sub-domains).
herokuapp.com | Effective TLD (cannot set a domain-wide cookie for sub-domains).
api.mongolab.com | Content-Security-Policy (Cross-Origin Resource Sharing) prevents the SAML authentication cookie from being set.
fpdownload2.macromedia.com | Macromedia Flash updates get stuck in an authentication loop.
amazonaws.com | Sub-domain effective TLDs.
amazonaws.cn | Sub-domain effective TLDs.
intropdf.com | The PDF reader fails to send the SAML assertion to the SP after authenticating to the IDP.
tile.openstreetmap.org | OCS uses CORS.
www.google.com/recaptcha/api | IDaaS IDP uses these resources for IDP authentication.
www.google.com/js | IDaaS IDP uses these resources for IDP authentication.
install.nitropdf.com | NitroPDF is a third-party PDF reader and does not follow the redirect back to the SP after IDP authentication.
officeapps.live.com | Required for inserting images into Office Outlook 2013.
apps.skype.com | Required for Skype.
mm.bing.net | Attaching images to Outlook emails fails when SAML is enabled.
r1.res.office365.com | Viewing action items in Outlook emails failed with SAML enabled.
www.google.com/_/chrome/ | Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.co.uk/_/chrome/ | Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.fr/_/chrome/ | Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.be/_/chrome/ | Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.nl/_/chrome/ | Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
assets-yammer.com | Browser does not POST the assertion to this domain.
pack.google.com | Google spellchecker fails to complete the SAML transaction.
seb.se | Effective TLD (cannot set a domain-wide cookie for sub-domains).
mappy.net | Map objects do not follow the redirect to validate the SAML cookie.
tile.openstreetmap.org | Map objects do not follow the redirect to validate the SAML cookie.
openlayers.org | Also used by OpenStreetMap. Objects do not follow the redirect to validate the SAML cookie.
vocollectacademy.com | Unable to load PPT files for training content.
application5.globaleservice.com | Customer-specific request.
msecnd.net | Content delivery network.
akadns.net | Akamai content.
iecvlist.microsoft.com | Microsoft updates.
ie9cvlist.ie.microsoft.com | Microsoft updates.
rssinclude.com | RSS feeds.
gstatic.com | Google static content.
c.microsoft.com | Microsoft updates.
blob.core.windows.net | SAML transaction incomplete.
optimize.webtrends.com | SAML transaction incomplete.
windowsupdate.com | Windows Update fails to complete the SAML transaction.
brunswick.streaming.mediaservices.windows.net | SAML transaction incomplete.
amp.azure.net | SAML transaction incomplete.
supermapcloud.com | SAML transaction incomplete.
gb.symcd.com | SAML transaction incomplete.
maps.google.com/maps/api | Google Maps API not completing SAML.
ccu.viamichelin.com | SAML assertions are not posted to the IDP.
cloudapp.net | Effective TLD.
laskurit.net | Embedded images fail to parse the SAML redirect when they are the first HTTP request.
captive.apple.com | Captive portal detection from Apple devices.
www.msftncsi.com | Microsoft's Network Connection Status Indicator does not complete the SAML transaction.
epaper.paris-normandie.fr | Does not send the SAML cookie.
mail-attachment.googleusercontent.com | Does not send the SAML cookie.
kmapi.dotmobil.com | Does not send the SAML cookie.
milibris.com | Does not send the SAML cookie.
The following User Agents, Headers, and File Extensions are also known to fail SAML authentication. This list can be used as a basis for crafting your own lists.
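To turn entries of this kind into a working exemption check, and to show why the "Effective TLD" rows in the table cannot receive a domain-wide surrogate cookie, here is an added Python example (not Cloud SWG's policy syntax or code). It assumes a simple entry format of "host" or "host/path-prefix", uses a constructed subset of the table, and carries a small hand-built public-suffix set in place of the real Public Suffix List.

```python
# Added example, not Cloud SWG code. The entry syntax ("host" or "host/path")
# and the public-suffix subset are assumptions constructed for illustration.
from urllib.parse import urlsplit

# Constructed subset of the article's table (a few representative rows).
EXEMPTIONS = [
    "cloudfront.net",                 # effective TLD: covers every sub-domain
    "ftp.dell.com/Published/Data",    # host plus path prefix
    "www.google.com/_/chrome/",
    "www.google.com/maps/vt",
    "tile.openstreetmap.org",
    "geo.kaspersky.com",
]


def parse_entry(entry: str):
    """Split 'host[/path]' into (host, path-prefix); a bare host gets an empty prefix."""
    host, sep, path = entry.strip().partition("/")
    return host.lower(), ("/" + path) if sep else ""


def host_matches(request_host: str, entry_host: str) -> bool:
    """A domain entry covers the domain itself and every sub-domain of it."""
    return request_host == entry_host or request_host.endswith("." + entry_host)


def is_exempt(url: str, exemptions=EXEMPTIONS) -> bool:
    """True when the URL matches an exemption entry and should bypass SAML."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for entry in exemptions:
        entry_host, prefix = parse_entry(entry)
        if host_matches(host, entry_host) and path.startswith(prefix):
            return True
    return False


# Hand-built public-suffix subset (constructed; the real list is far larger).
PUBLIC_SUFFIXES = {"com", "net", "org", "cloudfront.net", "blogspot.com",
                   "herokuapp.com", "amazonaws.com", "githubusercontent.com"}


def cookie_domain_accepted(request_host: str, cookie_domain: str) -> bool:
    """Mirror the browser rule that defeats a domain-wide surrogate on an
    effective TLD: a Domain attribute is rejected when it is a public suffix
    or when it does not domain-match the host that set it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if cookie_domain in PUBLIC_SUFFIXES:
        return False
    return host_matches(request_host, cookie_domain)


def surrogate_scope(request_host: str) -> str:
    """Widest Domain value a surrogate cookie can carry for this host."""
    labels = request_host.lower().split(".")
    # Try the broadest suffix first and narrow until the browser would accept it.
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if cookie_domain_accepted(request_host, candidate):
            return candidate
    return request_host


if __name__ == "__main__":
    for url in ("https://d1abc.cloudfront.net/lib.js", "https://ftp.dell.com/other"):
        print(url, "exempt" if is_exempt(url) else "authenticate")
    print(surrogate_scope("d1abc.cloudfront.net"), surrogate_scope("www.example.com"))
```

For www.example.com the widest accepted scope is example.com, so one redirect and one cookie cover the whole site. For a host under cloudfront.net the widest accepted scope is the host itself, so every distribution hostname would need its own redirect and cookie; content served from many such hostnames cannot complete the sequence, which is why the suffix appears in the table as an exemption rather than as a single domain to authenticate.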
Note: For privacy reasons, this list does not contain some customer-specific domains or User-Agents.
Caution: With the addition of the Symantec Authentication Policy controls, Symantec no longer proactively maintains this list. Refer to Exempt From Authentication for further information on how to bypass domains from authentication.