Users are accessing sites via Cloud SWG using the IPsec and WSS Agent (WSSA) access methods.
WSS Agent users retrieve group information using Auth Connector, but the goal is to move to SAML authentication and remove the Auth Connector.
SAML authentication is enabled on Cloud SWG for IPsec users.
WSSA is installed on hosts with the "AU=unauthenticated" install switch to enable the SAML gradual rollout feature, but users are not redirected to the SAML IDP to log in. Instead they remain with local logins.
The issue is seen with WSS Agents on both macOS and Windows.
WSS Agent.
SAML "gradual rollout" process is enabled (using the "AU=unauthenticated" WSSA install switch).
Cloud SWG managed using UPE policies.
pod.threatpulse.com was exempted from authentication by an entry in the Auth Bypass list, so Cloud SWG never issued the redirect that starts the SAML login.
Remove "pod.threatpulse.com" from the Auth Bypass list.
The policy included an auth bypass condition containing this domain; removing the entry solved the problem. The generated CPL looked like this:

define url.domain condition "BC_Auth_Bypass_Custom_auth_bypass_UrlList_xxxx_Auth_bypassed_destinations_domains"
    'pod.threatpulse.com'
end
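As an added example (not from the article or from Broadcom), the following Python scans an exported UPE/CPL policy for url.domain conditions of the kind shown above and reports any authentication-bypass list that would exempt a host the WSS Agent SAML flow depends on. The sample policy text is constructed; the check on the BC_Auth_Bypass name prefix is an assumption based on the condition name in this article, and the sub-domain handling reflects that a url.domain entry also matches hosts beneath the listed domain.

```python
import re

# Constructed sample of UPE-generated CPL, modelled on the fragment in this
# article. The condition name with "xxxx" is kept as it appears there.
SAMPLE_CPL = '''\
define url.domain condition "BC_Auth_Bypass_Custom_auth_bypass_UrlList_xxxx_Auth_bypassed_destinations_domains"
    'pod.threatpulse.com'
    'updates.example.com'
end

define url.domain condition "BC_Some_Other_List"
    'intranet.example.com'
end
'''

# Hostnames the WSS Agent SAML flow relies on (from the article text).
# Neither may be exempted from authentication.
SAML_HOSTS = {"pod.threatpulse.com", "saml.threatpulse.net"}

# Assumption: UPE names its auth-bypass conditions with this prefix, as seen
# in the condition name quoted in the article.
AUTH_BYPASS_PREFIX = "BC_Auth_Bypass"

DEFINE_RE = re.compile(
    r'define\s+url\.domain\s+condition\s+"?(?P<name>[^"\s]+)"?\s*\n'
    r'(?P<body>.*?)^\s*end\s*$',
    re.DOTALL | re.MULTILINE,
)
DOMAIN_RE = re.compile(r"'([^']+)'")


def parse_domain_conditions(cpl: str) -> dict:
    """Return {condition_name: [domains]} for every url.domain condition block."""
    return {
        m.group("name"): DOMAIN_RE.findall(m.group("body"))
        for m in DEFINE_RE.finditer(cpl)
    }


def find_saml_hosts_in_auth_bypass(cpl: str) -> list:
    """List (condition_name, domain) pairs where an auth-bypass list covers a SAML host.

    A url.domain entry matches the domain itself and every host beneath it, so a
    bypass of 'threatpulse.com' would also exempt pod.threatpulse.com.
    """
    hits = []
    for name, domains in parse_domain_conditions(cpl).items():
        if not name.startswith(AUTH_BYPASS_PREFIX):
            continue
        for d in domains:
            if any(h == d or h.endswith("." + d) for h in SAML_HOSTS):
                hits.append((name, d))
    return hits


if __name__ == "__main__":
    for name, domain in find_saml_hosts_in_auth_bypass(SAMPLE_CPL):
        print(f"remove '{domain}' from {name}")
```

Run it against the CPL exported from the Cloud SWG portal instead of SAMPLE_CPL; an empty result means no bypass list exempts the SAML hosts.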
As per the WSS Agent documentation on SAML Support for Agents, pod.threatpulse.com is heavily used in the SAML authentication process.
When a request comes in for this domain, Cloud SWG responds with an HTTP 307 redirect to saml.threatpulse.net:8443, which is what hands the user off to the IDP. If the domain is exempted from authentication, that redirect is never issued.
In the non-working case, the HTTP response code was "200 OK" rather than "307", and the SAML authentication process never completed.
SymDiag PCAPs showed the "200 OK" being returned (as did .HAR files captured from the browser), with no redirects.
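Added example, not part of the article: a small Python checker that reads a browser .HAR export and reports, for every request to pod.threatpulse.com, whether the response was the expected 307 to saml.threatpulse.net:8443 or a non-redirecting response such as the 200 OK seen in the failing case. The embedded HAR is constructed and its URL paths are made up; only the hostnames, port and status codes come from the article.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR excerpt (not a real capture). The first entry is shaped like
# the working case in the article (307 to saml.threatpulse.net:8443), the
# second like the failing case (200 OK, no Location header). Paths are made up.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [
        {"request": {"method": "GET", "url": "http://pod.threatpulse.com/saml/start?x=1"},
         "response": {"status": 307, "statusText": "Temporary Redirect",
                      "headers": [{"name": "Location",
                                   "value": "https://saml.threatpulse.net:8443/saml/login?x=1"}]}},
        {"request": {"method": "GET", "url": "http://pod.threatpulse.com/saml/start?x=2"},
         "response": {"status": 200, "statusText": "OK",
                      "headers": [{"name": "Content-Type", "value": "text/html"}]}},
        {"request": {"method": "GET", "url": "https://www.example.com/"},
         "response": {"status": 200, "statusText": "OK", "headers": []}},
    ]}
})

# From the article: requests to this host must be answered with a 307 to this target.
SAML_TRIGGER_HOST = "pod.threatpulse.com"
SAML_REDIRECT_TARGET = ("saml.threatpulse.net", 8443)


def _header(headers, name):
    """Case-insensitive lookup of a header value in a HAR header list."""
    for h in headers:
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None


def classify_entry(entry):
    """Return None for requests to other hosts, otherwise ('redirect_ok' | 'no_redirect', status)."""
    url = urlsplit(entry["request"]["url"])
    if url.hostname != SAML_TRIGGER_HOST:
        return None
    status = entry["response"]["status"]
    loc = _header(entry["response"].get("headers", []), "Location")
    if status == 307 and loc:
        target = urlsplit(loc)
        if (target.hostname, target.port) == SAML_REDIRECT_TARGET:
            return ("redirect_ok", status)
    # Any other outcome (200 OK, a redirect elsewhere, a 307 without Location)
    # means the SAML hand-off did not start for this request.
    return ("no_redirect", status)


def check_har(har_text):
    """Summarise every pod.threatpulse.com request in a HAR export as (url, verdict, status)."""
    har = json.loads(har_text)
    results = []
    for entry in har["log"]["entries"]:
        verdict = classify_entry(entry)
        if verdict is not None:
            results.append((entry["request"]["url"], verdict[0], verdict[1]))
    return results


if __name__ == "__main__":
    for url, verdict, status in check_har(SAMPLE_HAR):
        print(f"{status} {verdict:12} {url}")
```

To use it on a real capture, export the .HAR from the browser developer tools while reproducing the login and call check_har(open(path).read()); a 'no_redirect' row with status 200 is the symptom described above, and the next place to look is the Auth Bypass list.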