Problems with SAML authentication functioning in a VDI environment

Article ID: 367042

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

A multi-user VDI environment connects to Cloud SWG using the IPsec access method, with SAML authentication enabled and IP surrogates in use.

The first user connecting to the VDI and browsing the internet is challenged for credentials by the SAML IdP. However, subsequent users connecting to the same VDI are not challenged for SAML authentication.

All users connecting to the VDI are seen as the same user, so policies are not applied correctly; for example, certain users can access sites they should not be allowed to reach.

 

Environment

Multi-user VDI environment with SAML authentication and IP surrogates, connecting with the IPsec access method.

Cause

Cloud SWG is using IP surrogates on a shared machine.

Resolution

Enable cookie surrogates in the SAML authentication policy.

When any shared device (Citrix, VDI) generates traffic into Cloud SWG, all of that traffic is seen as coming from the same IP address. With IP surrogates, once the initial user authenticates, the auth table records the user's name and IP address (amongst other things). Any subsequent request from that IP address is attributed to the same user until the session expires. This negatively impacts VDIs where different users share the same IP address.

With cookie surrogates, multiple users can all connect from the same IP address and each user would be authenticated, as the source of authentication is a session cookie and not an IP address. Each session cookie is unique to the domain being accessed, and no overlap occurs.
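To make the difference concrete, the following is a small added Python model of the surrogate auth table described above; it is not Cloud SWG code. It assumes a hypothetical per-browser, per-domain session cookie and two constructed users (alice and bob) browsing from one VDI egress address with separate browser profiles.

```python
"""Toy model of IP vs cookie surrogates on a shared-IP (VDI) host.

Constructed example: alice and bob browse from the same VDI (one source
IP) with separate browser profiles (separate cookie jars). This is not
Cloud SWG code; the per-host session cookie is a hypothetical stand-in.
"""
import secrets

SHARED_IP = "10.20.30.40"          # constructed: the VDI's single egress address
HOST = "intranet.example.com"      # constructed: the site being browsed


class SurrogateTable:
    """Maps a surrogate key to the username learned from an IdP challenge."""

    def __init__(self, mode: str):
        if mode not in ("ip", "cookie"):
            raise ValueError(mode)
        self.mode = mode
        self.entries: dict = {}

    def attribute(self, src_ip: str, host: str, jar: dict, interactive_user: str):
        """Return (attributed_user, challenged) for one request.

        jar is the requesting browser's cookie jar (host -> session token);
        interactive_user is whoever is at the keyboard and would answer the IdP.
        """
        if self.mode == "ip":
            key = src_ip                     # everyone behind the VDI shares this
        else:
            token = jar.get(host)
            key = (host, token) if token else None
        if key is not None and key in self.entries:
            return self.entries[key], False  # surrogate hit: no challenge, reuse identity
        # Surrogate miss: the IdP challenges the person actually at the keyboard.
        if self.mode == "cookie":
            token = secrets.token_hex(8)
            jar[host] = token                # Set-Cookie lands in this browser only
            key = (host, token)
        self.entries[key] = interactive_user
        return interactive_user, True


def simulate(mode: str):
    """Replay the KB scenario: alice logs in, then bob, then alice again."""
    table = SurrogateTable(mode)
    jars = {"alice": {}, "bob": {}}          # separate browser profiles, same IP
    return [table.attribute(SHARED_IP, HOST, jars[u], u) for u in ("alice", "bob", "alice")]


if __name__ == "__main__":
    for mode in ("ip", "cookie"):
        print(mode, simulate(mode))
```

With IP surrogates, bob's request is a table hit on the shared address and is attributed to alice without a challenge; with cookie surrogates, bob's browser has no session cookie, so he is challenged and recorded under his own name.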

 

Additional Information

Cookie surrogates may run into CORS-related issues.
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/cloud-swg/help/identity-matrix/auth-policy.html
https://knowledge.broadcom.com/external/article/173907/difference-between-ip-surrogate-and-cook.html