User/group synchronised from Microsoft Entra Identity Provider using SCIM getting blocked messages accessing web sites



Article ID: 247156


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

User and group information from Azure AD is synchronised to Cloud SWG using SCIM.

Content filtering policies are set up to allow specific users/groups access to web resources.

Both the user-based and the group-based rules fail: the users and groups explicitly listed in the policies as allowed to access the sites do not match the identity presented at authentication time, so the requests are blocked.

Environment

Microsoft Entra SAML IDP server.

SCIM used to sync users with Cloud SWG.

Cause

Mismatch between SCIM provisioned user information and Name Identifier information within SAML Assertion.

Resolution

Make sure that:

1. The SAML Assertion Name Identifier (NameID) matches the format in which users are provisioned into Cloud SWG via SCIM. In our example above, the users were provisioned into Cloud SWG (Web Security Service -> Identity/Users & Groups -> Third-Party Users & Groups Sync) with email addresses, but the SAML assertion included the user's name, as per the following configuration, and not the email address:

Changing this to send the email address fixed the issue.

2. The group attribute name defined in Cloud SWG MUST match the attribute name sent with the assertion's group information. In the customer's environment, the SAML group attribute defined in the Cloud SWG Portal was set to the default 'group' value, yet the assertion returned by the Entra Identity Provider shows the group is sent under the attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/group (standard for Azure):

    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/group">
        <AttributeValue>CloudSWG_Example_Users_Group</AttributeValue>
    </Attribute>

Changing the Cloud SWG SAML group attribute name to 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/group' triggered a match and group policies worked.
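The two checks above can be scripted against a captured assertion. The following is an added example, not part of this article or of Cloud SWG; the assertion, the SCIM user table and the email address are constructed, and only the Entra group claim URI comes from the article.

```python
# Added diagnostic (not Broadcom/Cloud SWG code): compare a SAML assertion with
# the identifiers SCIM provisioned, to spot the two mismatches the article describes.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Group claim name Entra sends by default (quoted in the article).
ENTRA_GROUP_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/group"

# Constructed sample: NameID carries the display name, not the email address,
# and the group arrives under the Entra claim URI rather than plain 'group'.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject><NameID>Jane Doe</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/group">
      <AttributeValue>CloudSWG_Example_Users_Group</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Same assertion after the fix from the article: NameID now sends the email.
FIXED_ASSERTION = SAMPLE_ASSERTION.replace("Jane Doe", "jane.doe@example.com")

# Constructed view of what SCIM provisioned into Cloud SWG: userName -> groups.
SCIM_USERS = {"jane.doe@example.com": ["CloudSWG_Example_Users_Group"]}


def parse_assertion(xml_text):
    """Return (NameID value, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        attrs[attr.get("Name")] = [v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return name_id, attrs


def check_match(xml_text, scim_users, configured_group_attr):
    """List the mismatches between the assertion and the SCIM/Cloud SWG settings."""
    name_id, attrs = parse_assertion(xml_text)
    problems = []
    if name_id not in scim_users:
        problems.append(f"NameID '{name_id}' matches no SCIM-provisioned userName")
    if configured_group_attr not in attrs:
        problems.append(f"group attribute '{configured_group_attr}' absent; assertion sent {sorted(attrs)}")
    return problems
```

Run check_match(SAMPLE_ASSERTION, SCIM_USERS, "group") to reproduce both failures from the article, and check_match(FIXED_ASSERTION, SCIM_USERS, ENTRA_GROUP_CLAIM) to confirm an empty result once NameID and the group attribute name agree.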