"Authentication_SAML_Expired_Request" error message returned when accessing Cloud SWG



Article ID: 195447


Updated On: 05-09-2025

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Cloud SWG is set up with SAML authentication for all users.

The problem occurs regardless of whether IP-based or cookie-based surrogates are enabled in the authentication policy.

Microsoft ADFS is acting as the SAML Identity Provider (IdP), but the issue can occur with any Identity Provider.

When users access a web site via Cloud SWG, the browser is correctly redirected to the IdP, authentication completes and SSO to Cloud SWG succeeds. This is the SP-initiated flow. If the same user instead uses the IdP-initiated flow, i.e. they browse directly to the ADFS sign-on page at /adfs/ls/idpinitiatedsignon.htm and select the Cloud SWG SAML Service Provider (SP) from the list, the browser renders the following error message:

"Authentication_SAML_Expired_Request"

Environment

Microsoft ADFS.

SAML Authentication.

All browsers.

Any Cloud SWG access method using SAML.

Cause

Cloud SWG mandates that users log in using the SP-initiated flow. IdP-initiated SSO is not supported.

The reason an expiration error is returned is that in the SP-initiated flow the Cloud SWG (WSS) SP generates a SAML AuthnRequest with a unique ID, redirects the browser to the IdP, and later matches the IdP's SAML Response back to that outstanding request using the InResponseTo attribute. A response produced by the IdP-initiated page is unsolicited: it carries no InResponseTo value (or one the SP never issued), so the SP cannot map it to any pending authentication request and treats it the same way as a response to a request that has already expired or been consumed, hence the "Authentication_SAML_Expired_Request" message.

This can be confirmed by capturing the POST to the SP's assertion consumer URL (for example with the browser's developer tools) and base64-decoding the SAMLResponse form field: the samlp:Response element from the IdP-initiated page will have no InResponseTo attribute, whereas one from a working SP-initiated login will carry the ID of the AuthnRequest that triggered it.
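The following Python snippet is an added illustration of the SP-side correlation check described above, written for this article; it is not Cloud SWG's own code and the in-memory request store, the TTL value and the sample SAML Responses (with a placeholder ADFS issuer and user) are all constructed here for the example. It shows why an unsolicited (IdP-initiated) response, a replayed response and a response to a timed-out request all end up in the same "expired or unknown request" bucket that an SP must reject.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to block XXE/entity expansion

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class AuthnRequestStore:
    """Hypothetical store of AuthnRequest IDs the SP has issued but not yet seen answered."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # request ID -> time the request was issued

    def issue(self, request_id, now):
        self._pending[request_id] = now

    def consume(self, request_id, now):
        """Return True exactly once for a live request ID; False if unknown, replayed or timed out."""
        issued = self._pending.pop(request_id, None)
        if issued is None:
            return False
        return now - issued <= self.ttl


def correlate_response(response_xml, store, now):
    """Classify a samlp:Response by whether it answers a live SP-initiated request.

    Returns:
      'ok'                 - InResponseTo matches a live, unconsumed AuthnRequest
      'unsolicited'        - no InResponseTo at all: IdP-initiated SSO
      'mismatch'           - Response and SubjectConfirmationData disagree on the request ID
      'expired_or_unknown' - InResponseTo set, but no live request matches it
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response element")

    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        return "unsolicited"

    # The bearer SubjectConfirmationData must name the same request as the Response.
    scd = root.find(f".//{{{SAML_NS}}}SubjectConfirmationData")
    if scd is not None and scd.get("InResponseTo") not in (None, in_response_to):
        return "mismatch"

    return "ok" if store.consume(in_response_to, now) else "expired_or_unknown"


def sample_response(in_response_to=None):
    """Constructed minimal SAML Response (unsigned, placeholder issuer) for the example."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_resp1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z"{attr}>'
        f'<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">'
        f'<saml:Subject><saml:NameID>alice@example.test</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData{attr}/>'
        f'</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )


def demo():
    """Run the four scenarios against a fresh store and return the classification of each."""
    store = AuthnRequestStore(ttl_seconds=300)
    now = 1_700_000_000
    store.issue("_req_sp_flow", now)
    store.issue("_req_old", now)
    return {
        # Normal SP-initiated login: the IdP answers the request the SP just issued.
        "sp_initiated": correlate_response(sample_response("_req_sp_flow"), store, now + 5),
        # IdP-initiated login from /adfs/ls/idpinitiatedsignon.htm: nothing to correlate.
        "idp_initiated": correlate_response(sample_response(None), store, now + 5),
        # Same response posted a second time: the request ID was already consumed.
        "replayed": correlate_response(sample_response("_req_sp_flow"), store, now + 10),
        # Request issued long ago: the SP's TTL has elapsed.
        "timed_out": correlate_response(sample_response("_req_old"), store, now + 600),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:14s} -> {verdict}")
```

A real SP would also verify the XML signature, Issuer, Audience and NotOnOrAfter conditions before trusting the assertion; this example isolates only the request/response correlation step that produces the error in this article.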

Resolution

Make sure that all users access Cloud SWG via the SP-initiated flow, i.e. ensure that the initial request always goes to the Cloud SWG proxy (which then redirects the browser to the IdP), and never directly to the SAML Identity Provider's sign-on page. Do not publish the Cloud SWG SP on the ADFS idpinitiatedsignon.htm page or in any IdP application portal as a login entry point, since any login started there will fail with this error.