Cloud SWG is integrated with an Azure SAML IdP server.
The ZTNA default Identity Provider configuration is also set to the same Azure IdP server.
Admin configured ZTNA Segment Application allowing all UDP/TCP port access to a defined internal subnet.
When users try to access any Application on the internal subnet (e.g. an RDP server) using the WSS Agent, connectivity errors are reported.
The same ZTNA Applications are accessible using the ZTNA Portal, so no connectivity issues with ZTNA environment.
ZTNA with segment based Applications.
Cloud SWG.
WSS Agent.
Cloud SWG was identifying the user based on the machine (local OS) user, whereas SAML-based authentication is required for the ZTNA (SAC) integration to match the user.
Enable SAML in the WSS Agent authentication policy.
The Cloud SWG Admin had the default authentication policy enabled for the agents, which is not SAML. As soon as SAML authentication was enabled in the Portal for the agents, everything worked.
WSS Agent users did have authenticated sessions to Cloud SWG, but when the SAC integration kicked in and requests were sent upstream from Cloud SWG into SAC, they were transparently dropped because SAC could not identify a matching user.
Although the Cloud SWG and SAC SAML IdP servers do not have to be the same, the name identifier returned for both must include the same value.