Selective Web Isolation uses a proxy to forward certain sites to isolation based on the web category.
Selective Web Isolation
Authentication redirects are needed for some sites. Related sites can share the same authentication resource.
For example, youtube.com may not be isolated by category, while mail.google.com might be isolated by category.
Both use accounts.google.com to authenticate.
If accounts.google.com is not in a category to be isolated, youtube.com, which is also not isolated, will authenticate properly.
If accounts.google.com is isolated, then mail.google.com, which is also isolated, will authenticate properly.
In either configuration only one of the two sites authenticates properly; both cannot work at the same time.
Go to:
Policy Entities > Rule Advanced Settings > Selective Isolation in Online Service Suites
Enable the option to use the predefined Symantec list for more common sites.
Enable the option to use your own custom list for any custom site, for example an internal SAML site.
Apply this advanced setting to a rule that matches the main site that is accessed in Isolation.
Push Settings
This will cause Isolation to hold the redirect internally and process the request for the Isolated site.
Note: The browser will not show the redirected URL in the local address bar when this setting is in place.
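The mismatch described above can be checked against your own category policy before enabling the setting. The following is an added example, not Symantec code and not a product API: it only models the category logic, and every host, category and mapping in it is constructed for illustration.

```python
# Added example: every host, category and mapping below is constructed.
from collections import defaultdict

CATEGORY = {  # host -> web category
    "youtube.com": "Video",
    "mail.google.com": "Email",
    "accounts.google.com": "Search Engines",
    "wiki.corp.example": "Internal",
    "hr.corp.example": "Business",
    "sso.corp.example": "Business",
}
AUTH_HOST = {  # site -> host it redirects to for authentication
    "youtube.com": "accounts.google.com",
    "mail.google.com": "accounts.google.com",
    "wiki.corp.example": "sso.corp.example",
    "hr.corp.example": "sso.corp.example",
}


def is_isolated(host, isolated_categories):
    """A host is isolated when its category is one the proxy forwards."""
    return CATEGORY.get(host) in isolated_categories


def find_auth_mismatches(isolated_categories):
    """Return {auth host: [sites]} where the site and its authentication
    host end up in different isolation states, so the login redirect breaks."""
    broken = defaultdict(list)
    for site, idp in sorted(AUTH_HOST.items()):
        if is_isolated(site, isolated_categories) != is_isolated(idp, isolated_categories):
            broken[idp].append(site)
    return dict(broken)


def split_auth_hosts(isolated_categories):
    """Auth hosts used by both isolated and non-isolated sites: no single
    category choice for these hosts lets every dependent site log in."""
    states = defaultdict(set)
    for site, idp in AUTH_HOST.items():
        states[idp].add(is_isolated(site, isolated_categories))
    return sorted(idp for idp, seen in states.items() if len(seen) == 2)


if __name__ == "__main__":
    policy = {"Email", "Internal"}
    for idp, sites in find_auth_mismatches(policy).items():
        print(f"{idp}: authentication breaks for {', '.join(sites)}")
    print("shared across isolation states:", split_auth_hosts(policy))
```

Authentication hosts that this reports for your own internal sites are the candidates for the custom list described above.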