How do I create an "Auth Exemption" for users, destinations, or sources in Cloud SWG (WSS).

Captive Portal or SAML authentication methods (redirection-based auth methods) display a separate window for users to enter their credentials to continue. Some network issues might prevent the client systems from displaying these windows: 

• CORS-related issues
• Authentication looping with cloud-based IDP servers
• The source device (for example, a legacy server) is not compatible with redirection-based authentication
• A web application API that is not compatible with redirection-based authentication

To mitigate these CORS/looping issues, add destinations (or sources) to be exempted from authentication.

1. In the Cloud SWG portal (portal.threatpulse.com), select Identity > Authentication Policy
2. Under the Global Exemptions section, click "+ Add Auth Exemption". The portal displays the Auth: New Exemption Rule

Select a Source:

• Click " + Add Sources" 
• Select the desired source from one or more of the following (IP/Subnet, Location, WSS Agents, Mobile Devices, etc)
• Click Save

To Add a Destination: 

• Click " + Add Destination" 
• Select the desired destination from one or more of the following (Domain/URL, IP/Subnet, Web Application, Category, etc)
• Click Save

      3. Once Source and Destination have been set, click "Add Rule"

      4. You can add additional rules. When satisfied, click Activate

For additional information on exempting traffic from authentication, please review: Exempt Destinations From Cloud SWG Authentication.

Note: The order of the authentication rules does not make a difference, as it parses all until it hits a rule and enforces it. Any order of the list is based on when it was created first. If the list for aesthetics needs to be reorganized, delete the list and create the rules in the preferred order.