WSS Content filtering policies fail when UPE controlling what SEP WTR SAML roaming users



Article ID: 204007




Cloud Secure Web Gateway - Cloud SWG


On-premise users had been accessing WSS services without issue using the Explicit Access method.

Due to Covid restrictions and users working from home, SEP WTR was pushed out to all machines, and users authenticated through a SAML IDP server.

The admin wanted to add blocking policies specifically for these roaming users, i.e. any roaming user authenticated with SEP WTR and SAML should be blocked from accessing certain applications, categories or URLs. The admin did not want to apply the policies to groups, because their SAML IDP server could not inject the required group information into the assertion. With UPE, the options for roaming-user conditions appeared to be limited when groups cannot be used.


WSS used to secure internet access

SEP WTR agent running using SAML authentication

Issue exists independent of SAML IDP server

UPE running to define WSS policies


Policies are typically applied at the group layer, but the admin wanted them specific to roaming users. With SEP WTR agents using SAML, all roaming users inject identifying headers (X-WSS-SAML among them) into their outbound requests.

We first tried the following UPE policy, but it failed to block the page. It turns out that the X-WSS-SAML header is stripped before the policy logic is evaluated, so matching on the header can never succeed and another approach was needed.

<proxy> request.x_header.X-WSS-SAML=".*" exception(content_filter_denied)


Created a CPL layer with the following conditions


condition="BC_Roaming_SAML_auth" condition=Denied_URLs exception(content_filter_denied)


- "BC_Roaming_SAML_auth" is a condition that holds true for any user that successfully authenticated with SEP WTR using SAML; on-premise explicit-proxy users do not match it, so they are unaffected
- Denied_URLs is a condition that defines the list of categories, applications, domains or URLs the admin wants blocked
- exception(content_filter_denied) returns the standard content filter denied error page
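The following is an added, complete CPL example (not policy from the article or from Broadcom) showing how the Denied_URLs condition referenced above could be defined and used in a layer. The domains and categories in the definition are constructed placeholders to illustrate the syntax; the admin's real list goes there instead. The BC_Roaming_SAML_auth condition is used exactly as the article does.

```cpl
; Added example, not the article's own policy.
; Define the list of destinations to block for roaming SAML users.
; The values below are constructed placeholders; replace them with
; the categories, domains or URLs the admin actually wants denied.
define condition Denied_URLs
  url.domain=example.com        ; constructed sample domain
  url.domain=files.example.net  ; constructed sample domain
  category="Gambling"           ; constructed sample category
  category="Games"              ; constructed sample category
end condition

; Layer that applies the list only to SEP WTR roaming users who
; authenticated via SAML. The header-based match from earlier in the
; article is deliberately not used, because X-WSS-SAML is stripped
; before policy evaluation. On-premise explicit-proxy users do not
; satisfy BC_Roaming_SAML_auth, so this rule never fires for them.
<Proxy>
  condition=BC_Roaming_SAML_auth condition=Denied_URLs exception(content_filter_denied)
```

To confirm the rule is scoped correctly, request one of the Denied_URLs entries from a SEP WTR machine that authenticated with SAML and from an on-premise machine using explicit access: only the roaming machine should receive the content_filter_denied page. If neither is blocked, check that the Denied_URLs entries are spelled and categorized as expected before looking at the roaming condition.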