Cloud SWG setup with SAML authentication for all users.

Problem occurs independent of whether IP or Cookie based surrogates are enabled in the authentication policy.

Microsoft ADFS server acting as SAML Identity Provider, but issue can exist with any Identity Provider.

When users access a Web site via Cloud SWG, the host is correctly redirected to the IDP server where the authentication completes and SSO to Cloud SWG is successful. If the same user tries the IDP initiated approach instead i.e. they access the following URL on the ADFS server - /adfs/ls/idpinitiatedsignon.htm - and select the Cloud SWG SAML SP, the user gets the following error message rendered on the browser:

Microsoft ADFS.

SAML Authentication.

All browsers.

Any Cloud SWG access method using SAML.

Cloud SWG mandates that users login using the SP initiated approach. There is no support for the IDP initiated approach.

The reason the expiration message is returned is that WSS SP cannot map the assertion response to a corresponding Authentication request, and assumes an error.  

Make sure that all users access Cloud SWG via the SP initiated URL i.e. by simply making sure initial request goes to the Cloud Proxy and not the SAML Identity Provider.