Cloud SWG administrators want to log in through an Azure SAML IDP server rather than with a local login.
After making the appropriate configuration changes (on both the Azure and Cloud SWG sides), admins are correctly redirected to the Azure IDP server to log in.
After logging into Azure, the admin is redirected back to Cloud SWG, where the following 400 error with the GENERAL_NONSUCCESS error code is returned instead of the Portal landing page:
Azure SAML IDP server used to SSO into Cloud SWG Portal.
Incorrect SAML attributes sent with assertion generated by Azure.
Make sure that the Azure IDP server sends an attribute named "Email" (the name is case sensitive) whose value is the email address of a matching Cloud SWG administrator account.
Within Azure, open the SAML Application setup for the Cloud SWG Portal, select the "Single Sign On" panel and edit the "Attribute and Names" claims to include the Email attribute name, with the user's email address as the value, per the screenshot below:
By default, Azure sends a number of claims/attributes with its assertions, and most of them do not need to be included. The attributes Cloud SWG expects are the following:
Each attribute name is case sensitive. Technically the login works without the FirstName and LastName attributes, but when they are included they allow the Cloud SWG Portal to render the user's name in the top right-hand corner.
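The following script is an added troubleshooting aid and is not part of this article or of any Cloud SWG or Azure tooling. It parses the AttributeStatement of a decoded SAML assertion (for example one captured with a browser SAML-tracer extension) and reports the mistakes that produce the error above: the "Email" attribute missing entirely, present only under a different case or under one of Azure's default claim URIs, or present with a value that does not match a Cloud SWG administrator. The sample assertions, the administrator address and the claim URIs used for the "wrong" cases are constructed here for illustration; the check assumes the assertion's signature has already been verified by the service provider, which this script does not do.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Attribute names the Cloud SWG Portal expects, exactly as the article gives them.
# "Email" is mandatory for login; FirstName/LastName only feed the portal's display name.
REQUIRED = {"Email"}
OPTIONAL = {"FirstName", "LastName"}

# Constructed sample: the shape of a correct assertion (signature/conditions omitted).
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_sample1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: Azure-style default claim URIs plus a lower-case "email" attribute,
# i.e. the attribute is there in spirit but not under the case-sensitive name Cloud SWG wants.
BAD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_sample2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: correct attribute name, but the value is not a Cloud SWG administrator.
WRONG_VALUE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_sample3" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>someone.else@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} from every saml:Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_assertion(assertion_xml: str, admin_emails: set) -> dict:
    """Report why Cloud SWG would reject this assertion's attributes, if it would.

    admin_emails: lower-cased email addresses of Cloud SWG administrator accounts.
    """
    attrs = extract_attributes(assertion_xml)
    findings, notes = [], []
    by_lower = {name.lower(): name for name in attrs}

    for req in REQUIRED:
        if req in attrs:
            continue
        if req.lower() in by_lower:
            findings.append(f"attribute {req!r} missing; found {by_lower[req.lower()]!r} instead (case mismatch)")
        else:
            findings.append(f"attribute {req!r} missing")

    if "Email" in attrs:
        # The mailbox part of an address is technically case sensitive; Cloud SWG matching is
        # not documented here, so compare case-insensitively and treat a miss as a real finding.
        if not any(v.lower() in admin_emails for v in attrs["Email"]):
            findings.append(f"'Email' value {attrs['Email']!r} does not match any Cloud SWG administrator")

    for opt in sorted(OPTIONAL):
        if opt not in attrs:
            notes.append(f"optional attribute {opt!r} missing; portal will not show the user's name")

    extra = sorted(set(attrs) - REQUIRED - OPTIONAL)
    if extra:
        notes.append(f"unused attributes sent (harmless but unnecessary): {extra}")

    return {"ok": not findings, "findings": findings, "notes": notes, "attributes": attrs}


if __name__ == "__main__":
    admins = {"admin@example.com"}
    for label, xml in [("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION), ("wrong value", WRONG_VALUE_ASSERTION)]:
        result = check_assertion(xml, admins)
        print(label, "->", "OK" if result["ok"] else "REJECT")
        for line in result["findings"] + result["notes"]:
            print("   ", line)
```

To use it on a real capture, decode the base64 SAMLResponse, paste the Assertion element into a file and pass its contents to check_assertion along with the administrator addresses configured in the Cloud SWG Portal. A "case mismatch" finding is the usual cause of the GENERAL_NONSUCCESS response described above.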