SAC enabled with Symantec WSS integration.
SAC segment application configured for Web server IP address.
Users running WSS Agent can connect to Cloud SWG and authenticate with SAML, but cannot reach the Web server via IP address or DNS.
Users get a standard browser connectivity error when accessing the SAC segment application.
SAC logs report the following warning (username masked for privacy reasons):
"'[email protected]' failed accessing segment application 'WSS-Segment-App-Name'. Authorization for username 'xxxx@yyyy' failed. access denied: request for application access is not authorized"
Cloud SWG integrated with SAC.
SAC and Cloud SWG pointing to the same SAML IDP server.
WSS Agent used to connect to Cloud SWG.
No matching entity/user assigned to the SAC segment application.
Assign the correct entity to the policy assigned to the SAC segment application.
In our case above, the user was logging in to Cloud SWG as [email protected], but this user was NOT an assigned entity on the policy assigned to the application.
Adding the correct user as an assigned entity fixed the problem.
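To see which users are hitting this denial and whether they are assigned entities, the warning text quoted above can be parsed from exported SAC logs. The script below is an added example, not Symantec code: only the message wording comes from this article, while the log prefix, user names and the application-to-entity map (`SAMPLE_ASSIGNED`) are constructed, and the case-insensitive comparison is the script's own assumption.

```python
import re
from collections import defaultdict

# Pattern built from the warning text quoted in this article; search() skips
# any prefix (timestamp, severity) a real export may add.
DENIED = re.compile(
    r"'(?P<login>[^']+)' failed accessing segment application '(?P<app>[^']+)'\. "
    r"Authorization for username '(?P<user>[^']+)' failed\. "
    r"access denied: request for application access is not authorized"
)

def denied_pairs(lines):
    """Return {application: {username: hit_count}} for authorization denials."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = DENIED.search(line)
        if m:
            hits[m["app"]][m["user"].strip().lower()] += 1
    return {app: dict(users) for app, users in hits.items()}

def missing_assignments(lines, assigned):
    """List (app, user, count) where the denied user is not an assigned entity.

    `assigned` maps application name -> set of user names copied from the
    policy's assigned entities (hypothetical export; group membership is
    not resolved). Names are compared case-insensitively (assumption).
    """
    out = []
    for app, users in denied_pairs(lines).items():
        allowed = {u.lower() for u in assigned.get(app, set())}
        out += [(app, u, n) for u, n in users.items() if u not in allowed]
    return sorted(out)

# Constructed sample data: prefix, users and counts are placeholders.
MSG = ("2024-01-01T10:00:00Z WARN '{u}' failed accessing segment application "
       "'{a}'. Authorization for username '{u}' failed. access denied: "
       "request for application access is not authorized")
APP = "WSS-Segment-App-Name"
SAMPLE_LOG = [
    MSG.format(u="alice@example.test", a=APP),
    MSG.format(u="alice@example.test", a=APP),
    MSG.format(u="Carol@Example.test", a=APP),
    "2024-01-01T10:00:05Z INFO unrelated line",
]
SAMPLE_ASSIGNED = {APP: {"bob@example.test"}}

if __name__ == "__main__":
    for app, user, count in missing_assignments(SAMPLE_LOG, SAMPLE_ASSIGNED):
        print(f"{app}: {user} denied {count}x, not an assigned entity")
```

Users reported here are the ones to check against the policy's assigned entities; a user who is assigned only through a group will also be listed, because the script does not expand groups.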
WSS Agent Symdiag did show that the requests were coming into Cloud SWG correctly via the tunnel interface.
SAC logs reported errors for the segment application as shown below: