WSS Content filtering policies fail when UPE controlling what SEP WTR SAML roaming users
Article ID: 204007

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

On-premises users had been accessing WSS services without issues using the Explicit access method.

Due to Covid restrictions and users working from home, SEP WTR was pushed out to all machines, and users authenticated using a SAML IDP server.

The admin wanted to add blocking policies specifically for these roaming users, i.e. any roaming user authenticated with SEP WTR and SAML should be blocked from accessing certain applications, categories or URLs. The admin did not want to apply policies to groups because their SAML IDP server was unable to inject the right group information into the assertion. With UPE, the roaming-user conditions available seemed restricted once groups cannot be used.

Environment

WSS used to secure internet access

SEP WTR agent running using SAML authentication

Issue exists independent of SAML IDP server

UPE running to define WSS policies

Cause

Policies are typically applied at the Group layer, but the admin wanted them to be specific to roaming users. With SEP WTR agents using SAML, all roaming users inject specific headers (among them X-WSS-SAML) into their outbound requests.

We tried to create the following UPE policy, but it failed to block the page. It turns out that the X-WSS-SAML header is stripped before the policy logic kicks in, so another approach was needed.

<Proxy>
    url.domain=playboy.com request.x_header.X-WSS-SAML=".*" exception(content_filter_denied)

Resolution

Created a CPL layer with the following rule:

<Proxy>
    condition="BC_Roaming_SAML_auth" condition=Denied_URLs exception(content_filter_denied)


where

- "BC_Roaming_SAML_auth" is a condition that holds true for any user that has successfully authenticated with SEP WTR using SAML
- Denied_URLs is a condition that defines the list of categories, applications, domains or URLs the admin wants blocked
- exception(content_filter_denied) returns the standard content filter denied error page
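As an added example (not part of the original article), the following CPL shows one way to define the Denied_URLs condition so that the resolution rule has something to match. The domain is the one from the failed attempt above; the second domain and the category name are constructed placeholders, and BC_Roaming_SAML_auth is the predefined roaming SAML condition named in the resolution.

```cpl
; Added example, not part of the original article.
; Define the list of destinations to block for roaming SAML users.
define condition Denied_URLs
    url.domain=playboy.com                  ; domain from the failed attempt above
    url.domain=example.net                  ; constructed sample domain
    category=("PLACEHOLDER_CATEGORY")       ; replace with a category name from your policy editor
end condition Denied_URLs

<Proxy>
    ; Do not match on request.x_header.X-WSS-SAML here: the header is stripped
    ; before policy evaluation, so that rule never fires.
    ; BC_Roaming_SAML_auth is the predefined condition for users authenticated
    ; through SEP WTR with SAML.
    condition="BC_Roaming_SAML_auth" condition=Denied_URLs exception(content_filter_denied)
```

Because the rule never references groups, it keeps working even when the IDP assertion carries no usable group attributes; on-premises Explicit access users do not match BC_Roaming_SAML_auth and are unaffected.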