This will occur if:
Fireglass Web Isolation (FWI)
This happens because of how server mode authentication works. On first accessing the URL, the user is redirected to the gateway and then back to the original domain, and a cookie is set as an indicator that the user has been authenticated.
On URLs that are part of the public suffix list, the browser will block any attempt to set a cookie. When the user is redirected back to the original domain, they do not send a cookie signaling that they are authenticated, and so they are again redirected to the gateway to authenticate. This redirect loop eventually results in a browser error.
SAML will have an identical problem, with a different order of redirects.
For any URL that is in the public suffix list, you will need to either bypass it in the PAC file or bypass authentication for the URL, because the cookie limitation is enforced at the browser level.
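One way to find which destinations are bypass candidates is to check each host against the Public Suffix List before users hit the loop. The script below is an added example, not Symantec or Fireglass code; the rule set is a constructed excerpt, and the function names and the choice to flag only hosts that are themselves a public suffix are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed excerpt of Public Suffix List rules, for illustration only.
# A real check should load the full public_suffix_list.dat from publicsuffix.org.
SAMPLE_RULES = """
// constructed sample
com
uk
co.uk
io
github.io
*.ck
!www.ck
"""

def load_rules(text):
    """Split PSL text into (normal and wildcard rules, exception rules)."""
    rules, exceptions = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("//"):
            continue
        rule = line.split()[0]
        (exceptions if rule.startswith("!") else rules).add(rule.lstrip("!"))
    return rules, exceptions

def public_suffix(host, rules, exceptions):
    """Return the public suffix of host per the PSL matching algorithm."""
    labels = host.lower().rstrip(".").split(".")
    # An exception rule beats every other rule; its suffix drops the leftmost label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in exceptions:
            return ".".join(labels[i + 1:])
    # Otherwise the matching rule with the most labels wins (longest-first walk).
    for i in range(len(labels)):
        wildcard = ".".join(["*"] + labels[i + 1:])
        if ".".join(labels[i:]) in rules or wildcard in rules:
            return ".".join(labels[i:])
    return labels[-1]  # no rule matched: the default rule "*" applies

def hosts_needing_bypass(urls, rules_text=SAMPLE_RULES):
    """Return the hosts that are themselves public suffixes (bypass candidates)."""
    rules, exceptions = load_rules(rules_text)
    flagged = []
    for url in urls:
        host = (urlsplit(url).hostname if "://" in url else url).lower().rstrip(".")
        if host == public_suffix(host, rules, exceptions):
            flagged.append(host)
    return flagged
```

Feed it the hostnames or URLs from proxy logs or the authentication policy; anything it returns is a host on which the authentication cookie cannot be set.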