Enabling SAML gradual rollout on WSS Agent fails to redirect user to IDP server login page

Article ID: 269098


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet sites via Cloud SWG using the IPsec and WSS Agent access methods.

WSS Agent users currently retrieve group information through the Auth Connector, but the goal is to move to SAML-based authentication and retire the Auth Connector.

SAML federation is enabled on Cloud SWG, and IPsec users authenticate successfully through it.

WSS Agent is installed on hosts with AU=unauthenticated to enable the SAML gradual rollout, but users are not redirected to the SAML IdP server to log in. Instead they remain on local logins.

The issue is seen with WSS Agents on both macOS and Windows.

Environment

WSS Agent.

SAML gradual rollout process enabled.

Cloud SWG managed using UPE policies.

Cause

pod.threatpulse.com was bypassed from authentication in the Cloud SWG policy, so the agent's requests to it never received the redirect that starts the SAML login.

Resolution

Remove pod.threatpulse.com from the authentication bypass list.

The policy included the following auth bypass condition; removing the pod.threatpulse.com entry resolved the problem:

define url.domain condition "BC_Auth_Bypass_Custom_auth_bypass_UrlList_14196201_Auth_bypassed_destinations_domains"
    'pod.threatpulse.com'
end

Additional Information

As per the WSS Agent SAML docs, pod.threatpulse.com is heavily used in the SAML authentication process. When a request for this domain comes in from an agent, it will typically trigger a 307 HTTP redirect to saml.threatpulse.net:8443.

In the non-working case, the HTTP response code was 200 OK and the SAML authentication process did not complete.

Symdiag PCAPs showed the 200 response being returned, as did HAR files, with no redirects.
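The check described above (307 redirect from pod.threatpulse.com toward saml.threatpulse.net:8443 in the working case, 200 OK with no redirect when the domain is auth-bypassed) can be automated over a browser or agent HAR capture. The following script is an added example, not part of the article or of any Broadcom tooling; the HAR content it ships with is constructed to show one working and one non-working entry, and the expected status code and hosts are taken from the text above.

```python
import json
import sys
from urllib.parse import urlsplit

# Values taken from the article: a working SAML gradual rollout answers agent
# requests to POD_HOST with a 307 redirect to SAML_HOST (port 8443).
POD_HOST = "pod.threatpulse.com"
SAML_HOST = "saml.threatpulse.net"
EXPECTED_STATUS = 307

# Constructed sample HAR (not a capture from a real system). Entry 1 shows the
# expected redirect, entry 2 the symptom from the article (200 OK, no Location),
# entry 3 is unrelated traffic that the check must ignore.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://pod.threatpulse.com/saml/auth?req=1"},
         "response": {"status": 307, "headers": [
             {"name": "Location",
              "value": "https://saml.threatpulse.net:8443/saml/login"}]}},
        {"request": {"url": "https://pod.threatpulse.com/saml/auth?req=2"},
         "response": {"status": 200, "headers": [
             {"name": "Content-Type", "value": "text/html"}]}},
        {"request": {"url": "https://www.example.com/"},
         "response": {"status": 200, "headers": []}},
    ]}
})


def response_header(entry, name):
    """Return the value of a response header (case-insensitive) or None."""
    for h in entry["response"].get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None


def check_har(har_text):
    """Classify every request to POD_HOST found in a HAR document.

    Verdicts:
      ok                    - 307 redirect whose Location points at SAML_HOST
      auth-bypass-suspected - 200 OK with no redirect (the article's symptom)
      unexpected            - anything else (other status or redirect target)
    """
    har = json.loads(har_text)
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        if urlsplit(url).hostname != POD_HOST:
            continue  # only the SAML pod traffic matters for this check
        status = entry["response"]["status"]
        location = response_header(entry, "Location")
        # urlsplit().hostname drops the :8443 port, so the host comparison holds.
        redirected_to_saml = (
            status == EXPECTED_STATUS
            and location is not None
            and urlsplit(location).hostname == SAML_HOST
        )
        if redirected_to_saml:
            verdict = "ok"
        elif status == 200 and location is None:
            verdict = "auth-bypass-suspected"
        else:
            verdict = "unexpected"
        findings.append({"url": url, "status": status,
                         "location": location, "verdict": verdict})
    return findings


def has_bypass_symptom(findings):
    """True if any pod.threatpulse.com request shows the auth-bypass symptom."""
    return any(f["verdict"] == "auth-bypass-suspected" for f in findings)


if __name__ == "__main__":
    # Usage: python check_har.py capture.har   (falls back to the sample HAR)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HAR
    results = check_har(text)
    for f in results:
        print(f"{f['status']:>3}  {f['verdict']:<22} {f['url']}  -> {f['location']}")
    if has_bypass_symptom(results):
        print("pod.threatpulse.com answered 200 without a redirect: "
              "check the Cloud SWG auth bypass list for this domain.")
```

Run it against a HAR exported from the browser (or the capture collected by Symdiag) after reproducing the login attempt; a 200 OK on pod.threatpulse.com with no Location header is the signature of the auth bypass described in this article, while a 307 to saml.threatpulse.net:8443 means the policy side is correct and the problem lies elsewhere.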