Users access internet sites via Cloud SWG using the WSS Agent access method.
WSS Agent users authenticate with SAML via an Azure SAML Identity Provider.
The Cloud SWG admin noticed that Azure traffic was bypassing Cloud SWG (the default setup when configuring SAML via the Portal).
Concerns were raised because Cloud SWG is integrated with CASB, where the requirement was to enable the O365 gatelet.
After adding the login.microsoftonline.com domain to the Agent Traffic Manager 'Always intercept' rules, users could no longer authenticate once the Agent reconnected: the WebView blank page would appear with the following 'page load' error:
Can we bypass authentication for the WSS Agent process, but not for other communication?
WSS Agent.
Agent Traffic Manager 'always intercept' rules configured.
SAML Authentication required to Azure.
UPE Managed Cloud SWG tenant.
A Cloud SWG authentication bypass rule is required for the login.microsoftonline.com domain in order for SAML to complete successfully. This, however, breaks the O365 CASB gateway, which requires an authenticated user.
If any Cloud SWG service requires an authenticated user for the SAML IDP server single sign-on endpoint, advanced policy is required to differentiate the WSS Agent login requests from the post-login requests. The following CPL can do the trick:
define condition Agent_Auth_Azure
    request.x_header.sec-ch-ua.substring="Microsoft Edge WebView2" request.header.referer.url.domain=saml.threatpulse.net
end condition

<proxy>
    condition=Agent_Auth_Azure authenticate(no) variable.custom_var_bool_1(true)

<forward>
    is_set.variable.custom_var_bool_1=yes forward(no)
A HAR file obtained during any SAML authentication shows that the initial requests from WebView into the Azure IDP server during the authentication stage include certain HTTP headers that can be used to build the above policy. Only when these headers are present will the proxy bypass authentication and allow a successful login. Any subsequent requests, e.g. to CASB, will not include the headers and will require that authentication completes so that a valid user is sent upstream to CASB.
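To confirm from a HAR capture which requests to the IDP would match the CPL condition above (and therefore bypass authentication) and which would still be authenticated, the following added Python script replays the two header tests against each HAR entry. This is an added example, not Broadcom's or Cloud SWG's own code; the HAR content is constructed, and the sec-ch-ua value is an assumed sample rather than a captured one.

```python
import json
from urllib.parse import urlparse

# Values taken from the CPL condition Agent_Auth_Azure shown on this page.
WEBVIEW_UA_SUBSTRING = "Microsoft Edge WebView2"
SAML_REFERER_DOMAIN = "saml.threatpulse.net"
IDP_DOMAIN = "login.microsoftonline.com"


def header(entry, name):
    """Case-insensitive lookup of a request header value in one HAR entry."""
    for h in entry["request"]["headers"]:
        if h["name"].lower() == name.lower():
            return h["value"]
    return ""


def matches_agent_auth(entry):
    """Mirror of the CPL condition: substring test on sec-ch-ua AND
    url.domain test on Referer (domain itself or any subdomain)."""
    ua_ok = WEBVIEW_UA_SUBSTRING in header(entry, "sec-ch-ua")
    ref_domain = urlparse(header(entry, "referer")).hostname or ""
    ref_ok = ref_domain == SAML_REFERER_DOMAIN or ref_domain.endswith("." + SAML_REFERER_DOMAIN)
    return ua_ok and ref_ok


def classify_har(har_text):
    """Return {url: 'bypass-auth' | 'auth-required'} for requests to the IDP domain."""
    result = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        if (urlparse(url).hostname or "") != IDP_DOMAIN:
            continue  # policy only concerns the Azure IDP domain
        result[url] = "bypass-auth" if matches_agent_auth(entry) else "auth-required"
    return result


# Constructed sample HAR (not a real capture): one WebView login request, one post-login request.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://login.microsoftonline.com/common/oauth2/authorize?x=1",
                 "headers": [{"name": "sec-ch-ua", "value": '"Microsoft Edge WebView2";v="120"'},
                             {"name": "Referer", "value": "https://saml.threatpulse.net/saml/login"}]}},
    {"request": {"url": "https://login.microsoftonline.com/common/GetCredentialType",
                 "headers": [{"name": "sec-ch-ua", "value": '"Google Chrome";v="120"'},
                             {"name": "Referer", "value": "https://outlook.office.com/"}]}},
]}})

if __name__ == "__main__":
    for url, verdict in classify_har(SAMPLE_HAR).items():
        print(f"{verdict:14} {url}")
```

Run it against a real HAR exported from the WebView session to check that only the initial login requests are classified as bypass-auth.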