How to force IDP traffic into WSS when SAML authentication is enabled with WSS Agent.

Article ID: 251649

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

When the WSS Agent (WSSA) is enabled to use SAML authentication, all authentication requests generated by the agent towards the SAML IDP server are sent directly to that IDP host, and not via the Cloud SWG (formerly "WSS") servers.

The SAML IDP server destination host is NOT in the WSSA bypass domains or IPs lists.

Corporate policies dictate that all web traffic, including traffic to SAML IDP servers, be sent through Cloud SWG for traceability.

Can the WSS Agent be enabled to send the SAML traffic into Cloud SWG (rather than direct)?

Cause

The WSS Agent, by default, only allows traffic to pod.threatpulse.com and saml.threatpulse.net into Cloud SWG until authentication completes.

WSS Agent traffic to SAML IDP domains is sent direct until authentication completes.

Resolution

Use the Closed Network Support APIs to force WSS Agent traffic destined for the SAML IDP server into WSS, overriding the default configuration.

EXAMPLE: If the SAML IDP server handles requests at bcom.okta.com, the following changes are required to address the above problem:

1. Create an API key pair for the "Agent config management" per the above document

2. Using the API key credentials, generate an authenticated request to https://portal.threatpulse.com/api/rest/tunnel/domains and pass in the SAML IDP domain (the original command had an unbalanced quote before the URL; the corrected form is shown here):

$ curl -vvv -u "$apiuser_name:$api_password" 'https://portal.threatpulse.com/api/rest/tunnel/domains?action=update' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.9' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'Content-Type: application/json' --data-raw '["okta.com"]'

3. Using WSS Agent version 8.1.2 (or later), click the RECONNECT option in the WSSA client
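The same update request wrapped in a small POSIX shell script, as an added example that is not part of this article or of Broadcom's tooling. The endpoint, the action parameter and the JSON array body come from the article; the API_USER/API_PASSWORD variable names, the domain syntax check and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): wraps the tunnel-domains update request.
# Endpoint and action are those shown in the article; the variable names, the
# domain check and the DRY_RUN switch are this example's own conventions.
set -eu

TUNNEL_DOMAINS_URL='https://portal.threatpulse.com/api/rest/tunnel/domains?action=update'

# Accept only plain host names (letters, digits, hyphens, dots), so a stray
# scheme, path or shell metacharacter never reaches the JSON body.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'
}

# Build the JSON array the endpoint expects, e.g. okta.com -> ["okta.com"]
build_domain_payload() {
    out=''
    for d in "$@"; do
        valid_domain "$d" || { echo "rejecting invalid domain: $d" >&2; return 1; }
        out="${out:+$out,}\"$d\""
    done
    printf '[%s]' "$out"
}

# Send the update with the "Agent config management" API key pair (step 1).
# With DRY_RUN=1 the request is described instead of sent.
tunnel_domains_update() {
    : "${API_USER:?set API_USER to the API key name}"
    : "${API_PASSWORD:?set API_PASSWORD to the API key secret}"
    payload=$(build_domain_payload "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would POST $payload to $TUNNEL_DOMAINS_URL"
        return 0
    fi
    curl -sS --fail -u "$API_USER:$API_PASSWORD" "$TUNNEL_DOMAINS_URL" \
        -H 'Accept: */*' -H 'Content-Type: application/json' \
        --data-raw "$payload"
}
```

Run it as `API_USER=... API_PASSWORD=... ./update-tunnel-domains.sh okta.com`; after the request succeeds, continue with step 3 (RECONNECT in the WSSA client).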

Additional Information

Adding the SAML IDP domain to the tunnel domain endpoint via the closed network support APIs updates the back-end configuration for that tenant.

When the WSS Agent next reconnects, it downloads the list of domains defined in the closed network support settings, and traffic to those domains is forced into the WSSA tunnel even though authentication has not yet completed.

A SymDiag can be taken where the in-tunnel PCAP may be extracted to validate the traffic flows via this interface (and not into the public interface).

HTTP access logs for the tenant can also confirm the SAML IDP traffic flows through Cloud SWG via WSSA.