Users access the internet via Cloud SWG using the IPSEC access method, with a PAC file pointing to 199.19.250.205.
SAML authentication is enabled (IP surrogates) against an Azure IDP server.
Edge users can access any resource via Cloud SWG after successfully authenticating to the Azure IDP server.
Users on Chrome (and Firefox too) cannot browse and appear to be stuck with login.microsoft in the address bar and a blank page displayed; it looks a little like the auth loop we were seeing before.
If the same user opens Edge and browses, everything works fine thereafter in Chrome/Firefox too. The session lifetime is 12 hours, so the issue is not seen again until the following morning.
Cloud SWG.
Trans Proxy access method.
Azure SAML Identity Provider.
UPE managed configuration.
Redirect loop triggered by requiring authentication for some login endpoints that seem to be used by Chrome/Firefox and not Edge.
Add an authentication bypass for the following domains:
aadcdn.msauth.net
aadcdn.msftauth.net
During the auth process, the user is redirected to login.microsoftonline.com (via saml.threatpulse.net, as expected). However, when using Chrome/Firefox, this endpoint sends back an HTTP response referencing objects in the aadcdn.msauth.net and aadcdn.msftauth.net domains.
When the browser then requests either of these two domains, we see that it is redirected back to the Cloud SWG SAML SP at saml.threatpulse.net instead of being forwarded to the OCS itself, because those requests are themselves subject to authentication.
Looking at the tenant policy, we see that auth is already disabled for the three domains Microsoft recommends for Azure logins (login.microsoft.com, login.microsoftonline.com and login.windows.net), but the two aadcdn domains above must be added to the same bypass list to address this issue.
// policy details
condition=O365_login_url policy.BC_UPE_enable_auth_bypass ; Rule 25 ; O365 Tenant restriction ; Gestures transformed ; authenticate(no) -> policy.BC_UPE_enable_auth_bypass
define condition __CondList1O365_login_url
url.domain="login.microsoft.com"
url.domain="login.microsoftonline.com"
url.domain="login.windows.net"
url.domain="aadcdn.msauth.net"
url.domain="aadcdn.msftauth.net"
end condition __CondList1O365_login_url
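The following script is an added illustration, not part of the article or of the Cloud SWG product. It parses the UPE-generated condition above, applies CPL's url.domain suffix matching to a constructed sample of the hosts contacted during the login flow, and reports which of them would still be sent into SAML authentication (and therefore bounced to saml.threatpulse.net) with the original three-domain list versus the corrected five-domain list. The host www.example.com is a placeholder for the user's real OCS.

```python
import re

# The UPE-generated condition as it appears in the article (after the fix).
CPL_FIXED = """
define condition __CondList1O365_login_url
url.domain="login.microsoft.com"
url.domain="login.microsoftonline.com"
url.domain="login.windows.net"
url.domain="aadcdn.msauth.net"
url.domain="aadcdn.msftauth.net"
end condition __CondList1O365_login_url
"""

# The same condition before the two CDN domains were added (the failing state).
CPL_BEFORE = "\n".join(l for l in CPL_FIXED.splitlines() if "aadcdn" not in l)

# Constructed sample of hosts a Chrome/Firefox login flow touches.
# www.example.com stands in for the origin content server the user asked for.
LOGIN_FLOW_HOSTS = [
    "login.microsoftonline.com",
    "aadcdn.msauth.net",
    "aadcdn.msftauth.net",
    "www.example.com",
]


def parse_domains(cpl):
    """Return the set of url.domain values listed inside a define condition block."""
    return set(re.findall(r'url\.domain="([^"]+)"', cpl))


def domain_matches(host, domain):
    """CPL url.domain= matches the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def needs_auth(host, bypass_domains):
    """True if a request to host is not covered by authenticate(no) and goes to SAML."""
    return not any(domain_matches(host, d) for d in bypass_domains)


def auth_triggering_hosts(cpl, hosts=LOGIN_FLOW_HOSTS):
    """Hosts from the sample flow that would be redirected to the SAML SP under this policy."""
    bypass = parse_domains(cpl)
    return [h for h in hosts if needs_auth(h, bypass)]


if __name__ == "__main__":
    print("before fix, sent to SAML SP:", auth_triggering_hosts(CPL_BEFORE))
    print("after fix, sent to SAML SP: ", auth_triggering_hosts(CPL_FIXED))
```

Only the OCS itself should remain in the "after fix" list; any aadcdn host still listed there means the bypass condition was not applied to the tenant.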