On-premises users have been accessing WSS without issues using the Explicit access method.
Due to COVID restrictions and users working from home, SEP WTR was pushed out to all machines, and those users authenticate through a SAML IdP server.
The admin wanted to add blocking policies specifically for these roaming users, i.e. any roaming user authenticated with SEP WTR and SAML should be blocked from accessing certain applications, categories or URLs. The admin did not want to apply the policies to groups, because their SAML IdP was unable to inject the right group information into the assertion. With UPE, the options for matching roaming users seemed limited once groups could not be used as a condition.
WSS used to secure internet access
SEP WTR agent running, with SAML authentication
Issue exists independent of which SAML IdP server is used
UPE used to define WSS policies
Policies are typically applied at the group layer, but the admin wanted them to be specific to roaming users. With SEP WTR agents using SAML, every roaming user's outbound requests carry the highlighted identifying headers, including X-WSS-SAML.
The first attempt was the following UPE policy, but it failed to block the page. It turns out that the X-WSS-SAML header is stripped before the policy logic runs, so a different approach was needed.
<proxy>
    ; does not work: X-WSS-SAML is stripped before policy evaluation, so this rule never matches
    url.domain=playboy.com request.x_header.X-WSS-SAML=".*" exception(content_filter_denied)
The working approach was a CPL layer with the following rule, which combines two conditions:
<proxy>
    condition="BC_Roaming_SAML_auth" condition=Denied_URLs exception(content_filter_denied)
- "BC_Roaming_SAML_auth" is a condition that holds true for any user who has successfully authenticated with SEP WTR using SAML
- Denied_URLs is a condition the admin defines with the list of categories, applications, domains or URLs to be blocked
- exception(content_filter_denied) returns the standard content-filter-denied error page
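The complete layer with a sample Denied_URLs definition, added here as an illustration rather than the policy from the original article: it relies on the BC_Roaming_SAML_auth condition named above and supplies its own Denied_URLs block. The domain, category and application entries, and the use of the request.application.name trigger, are assumptions chosen for the example; the admin substitutes their own list.

```cpl
; Added example (not the article's own policy): block roaming SEP WTR + SAML users
; from an admin-chosen set of destinations, leaving on-premises Explicit users untouched.

; Admin-defined destinations to block. Lines inside a define condition block are
; OR'd together: the condition is true when any single line matches.
; The entries below are illustrative placeholders.
define condition Denied_URLs
    url.domain=playboy.com                  ; a specific domain
    url.domain=example.com                  ; another domain (placeholder)
    category="Adult/Mature Content"         ; a URL category (example name)
    request.application.name="Facebook"     ; an application (example name, assumed trigger)
end condition Denied_URLs

; Do NOT test request.x_header.X-WSS-SAML here: the header is stripped before
; policy evaluation. The built-in BC_Roaming_SAML_auth condition identifies
; users who authenticated through SEP WTR with SAML instead.
<proxy>
    condition=BC_Roaming_SAML_auth condition=Denied_URLs exception(content_filter_denied)
```

Because both conditions sit on one rule line they are AND'd: the exception fires only when the request comes from a roaming SAML-authenticated user and its destination is in Denied_URLs. Requests from on-premises Explicit users never satisfy BC_Roaming_SAML_auth, so they fall through this layer unchanged. A quick check after installing the policy is to browse to one of the Denied_URLs entries from a SEP WTR machine (expect the content-filter-denied page) and from an on-premises machine (expect the page to load).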