Microsoft Entra.
AD Connect to synchronise internal AD with Entra.
SAML Authentication.
WSS Agent.
The one major change with 9.7.1 on Windows is support for a single login a day, even when switching networks(see 'session restore' docs). When a user logs in for the first time, it sets a token for that user ... if that user changes network and RECONNECTs, the token is sent to Cloud SWG and assuming it is still valid, the user will NOT be prompted to authenticate via a popup. Without any re-authentication, no updated SAML assertion can be received which would include new groups.
In the past, the popup would appear several times a day as the user switched networks which was frustrating users.
There are a few options: