Web Security Service IdP authentication exemption or full bypass

Article ID: 222822

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

When using the Web Security Service, you must bypass the IdP login URLs for authentication to succeed.

A full bypass is recommended to maximize the performance and stability of the authentication process.

Use Cases

  • CORS-related issues.
  • Preventing authentication loops with cloud-based IdP servers.
  • The source device is not compatible with redirection-based authentication.
  • A web application API call is not compatible with redirection-based authentication.
  • The cloud-based IdP server's ACL restricts access from some or all of the Web Security Service IP addresses.

Resolution

Exempt From Authentication

  1. Navigate to Identity > Authentication Policy.
  2. Expand the Global Exemptions area.
  3. Click Add Auth Exemption. The portal displays the Auth: New Exemption Rule.
  4. Click Add Sources. WSS Agents and Mobile Devices are static objects; selecting them means the exemption applies to all connections from each of those access methods.
  5. (Optional) If you need to quickly exempt a source, you can create a new entry from this wizard. For example, you need to immediately exempt a new IP address.

    • Click IPs/Subnets.
    • Select New > IP/Subnet.
    • Enter a new address (or import a list from a text file).
    • Click Save.

  6. Click Add Destinations. Select the destination elements that are exempt from authentication and click Save.
  7. Click Add Rule. This creates a new Auth Exemption policy rule.
  8. Add any further rules you need. When satisfied, click Activate.

See Exempt From Authentication for more information.


Add Domain to bypass list

  1. Navigate to the Policy > Bypassed Traffic > Bypassed Domains tab.
  2. Click Add. The portal displays a dialog.
  3. Enter a valid Domain.
  4. (Optional) Enter a Comment.
  5. (Optional) Click the + icon to add another row for another entry.
  6. Click Add Bypass Domain.

See Prevent a Domain From Routing to the Web Security Service for more information.


Common IdP domain list

IdP Provider      Domains
Microsoft Azure   aadcdn.msftauth.net
Okta              op1static.oktacdn.com
                  okta.com
                  oktacdn.com
PingID            sso.connect.pingidentity.com
                  login.pingone.com
                  authenticator.pingone.com
Google G Suite    accounts.google.com
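The following is an added example, not part of this article or of the Web Security Service product: it takes the domain list above and checks which hostnames observed during a failing login (constructed sample values here) are not yet covered by a bypass entry, treating each entry as matching the domain itself and its subdomains. The suffix-matching rule and the "bare hostname" validity check are assumptions, not documented WSS behaviour.

```python
"""Check which observed hostnames a WSS bypass-domain list covers.

Added example, not from the Broadcom article. BYPASS_DOMAINS is the article's
Common IdP domain list; OBSERVED_HOSTS are constructed sample values.
"""
import re

# Domains from the article's Common IdP domain list. Assumption: an entry
# covers the domain itself and any subdomain of it.
BYPASS_DOMAINS = [
    "aadcdn.msftauth.net",           # Microsoft Azure
    "op1static.oktacdn.com",         # Okta
    "okta.com",
    "oktacdn.com",
    "sso.connect.pingidentity.com",  # PingID
    "login.pingone.com",
    "authenticator.pingone.com",
    "accounts.google.com",           # Google G Suite
]

# Assumption: a valid bypass entry is a bare hostname (no scheme, path, wildcard).
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_valid_domain(domain: str) -> bool:
    """Return True if `domain` is a syntactically valid bare domain name."""
    if not domain or len(domain) > 253 or domain.endswith("."):
        return False
    labels = domain.lower().split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)

def is_bypassed(host: str, bypass_domains) -> bool:
    """True if `host` equals a bypass domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bypass_domains)

def uncovered_hosts(hosts, bypass_domains):
    """Hosts seen in IdP redirects that no bypass entry covers (candidates to add)."""
    return sorted({h.lower() for h in hosts if not is_bypassed(h, bypass_domains)})

# Constructed sample: hostnames pulled from a capture of a login that loops.
OBSERVED_HOSTS = [
    "acme.okta.com",                 # covered: subdomain of okta.com
    "aadcdn.msftauth.net",           # covered: exact match
    "login.example-tenant.com",      # not covered
    "authenticator.pingone.com",     # covered
    "otherokta.com",                 # not covered: not a subdomain of okta.com
]

if __name__ == "__main__":
    for h in uncovered_hosts(OBSERVED_HOSTS, BYPASS_DOMAINS):
        print("add to bypass list:", h)
```

Run `is_valid_domain` on each entry before adding it in the Bypassed Domains dialog, since the portal expects a valid domain rather than a URL.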