How to force IDP traffic into WSS when SAML authentication is enabled with WSS Agent.
search cancel

How to force IDP traffic into WSS when SAML authentication is enabled with WSS Agent.


Article ID: 251649


Updated On:


Cloud Secure Web Gateway - Cloud SWG


When WSS Agent is enabled with SAML authentication, all authentication requests generated by the agent towards the SAML IDP server are sent directly to that IDP host, and not via WSS.

The SAML IDP server destination hosts is NOT in the WSS bypass domain or IP list.

WSS Portal does not provide any option to allow traffic destined for SAML IDP server into WSS.

Corporate policies dictate that all Web traffic, including to SAML IDP server, be sent through WSS for traceability.

Can the WSS Agent be enabled to send the SAML traffic into WSS rather than direct?



WSS Agent.

SAML based authentication.


WSS Agent by default only allows traffic to and into WSS until authentication completes. WSS Agent traffic to SAML IDP domains is sent direct until authentication completes.


Used the Closed Network Support API's to force WSS Agent traffic destined for the SAML IDP server into WSS, overwriting default configuration.

In terms of a practical example: If my SAML IDP server handles requests at, the following changes will be required to address the above problem.

1. Create an API key pair for the 'Agent config management' per the above document.
2. Using the API key credentials, generate an authenticated request to and pass in the SAML IDP domain 

$ curl -vvv -u  $apiuser_name:$api_password '''   -H 'Accept: */*'   -H 'Accept-Language: en-US,en;q=0.9'   -H 'Cache-Control: no-cache'   -H 'Connection: keep-alive'   -H 'Content-Type: application/json'   --data-raw '[""]'

3. Using a WSS Agent build 8.1.2 and greater, run the RECONNECT option

Additional Information

Adding the SAML IDP domain to the tunnel domain endpoint via the closed network support APIs updates the back end configuration for that WSS tenant.

When the WSS Agent next reconnects, it downloads a list of defined domains (from the closed network support settings) that are forced to go into WSS tunnel even though the authentication is not complete. 

Symdiag's can be taken where the in-tunnel PCAP may be extracted to validate the traffic flows via this interface and not the public interface.

HTTP Access logs for the WSS tenant can also confirm the SAML IDP traffic flows through WSS.