search cancel

Create an authentication exemption on Cloud SWG (formerly known as WSS)


Article ID: 171512


Updated On:


Cloud Secure Web Gateway - Cloud SWG


Creating an "Auth Exemption" for specific users, destinations, with or without sources Cloud SWG

Captive Portal or SAML authentication methods, which are redirection-based methods, display a separate window for users to enter their credentials to continue. Some network issues might prevent the client systems from displaying these windows.

  • CORS-related issues.
  • Authentication looping with cloud-based IdP servers.
  • The source device (for example, a legacy server) is not compatible with redirection-based authentication.
  • A web application API call is not compatible with redirection-based authentication.

To mitigate these issues add destinations and sources to be exempted from authorization.


  1. In the Cloud SWG portal, select Identity > Authentication Policy
  2. Under the Global Exemptions Section, Click " + Auth Exemption". The portal displays the Auth: New Exemption Rule

Select a Source:

  • Click " + Add Sources" 
  • Select the desired source from one or more of the following (IP/Subnet, Location, WSS Agents, Mobile Devices, etc)
  • Click Save

To Add a Destination: 

  • Click " + Add Destination" 
  • Select the desired destination from one or more of the following (Domain/URL, IP/Subnet, Web Application, Category, etc)
  • Click Save

      3. Once Source and Destination have been set, click "Add Rule"

      4. You can add additional rules. When satisfied, click Activate

For additional information on exempting traffic from authentication, please visit our web guide on the topic by clicking here.

Note: The order of the authentication rules does not make a difference, as it parses all until it hits a rule and enforces it. Any order of the list is based on when it was created first. If the list for aesthetics needs to be reorganized, delete the list and create the rules in the preferred order.