This applies to a specific scenario in which there are multiple user sessions on a device and WSS Agent is already installed with the "AU=unauthenticated" option.
With the AU option, the tunnel is established and remains authenticated until the reconnect. Logging off and logging on as a different domain user therefore doesn't change the SAML user. To get the proper user, a WSS Agent reconnect needs to be forced.
To achieve that with WSS Agent 9.7.1 and older versions, it was enough to add "sc control wssad 161" to the logon script. This command caused a reconnect of WSS Agent on each logon, and it also forced SAML reauthentication.
WSS Agent 9.7.1+
With WSS Agent 9.7.1, reauthentication no longer happens on reconnect. This is due to the Session Restore feature (https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/cloud-swg/help/identity-matrix/auth-wssa-saml.html), which keeps a record of the authenticated user so that multiple SAML logon windows do not appear.
To get the SAML prompt in WSS Agent 9.7.1+, the following logon script would need to be configured:
"C:\Program Files\Symantec\WSS Agent\wssad.exe" -p samlLogoutOnNextReconnect=true
sc control wssad 161