Users access the internet via Cloud SWG using IPSEC tunnels and WSS Agents.
Users authenticate to Microsoft Azure using SAML before accessing any resource.
When an admin creates a policy in Cloud SWG (for example, denying connections to a site for members of an Azure group), later changes to the Azure group (adding or removing users) or to the Cloud SWG policy (adding or removing URLs) do not take effect after the policy is installed.
After the WSS Agent reconnects, the client receives the updated policy, but for IPSEC users no reconnect option exists.
IPSEC authentication policy using IP surrogates with SAML.
SAML.
Cloud SWG.
Updated groups only become visible when the SAML Identity Provider generates a new assertion containing the latest group information.
While a user's session is active within Cloud SWG, the Cloud Proxy has no reason to go back and request a new assertion.
The changes are applied only when the user session expires and the credentials must be revalidated, which with IPSEC can take some time depending on the authentication policy timeout.
The easiest option is to force a logout of the session on the client workstation by browsing to the following URL:
https://notify.threatpulse.net/logout
Although no reconnect option exists with IPSEC, changing the user's local IP address also forces a re-authentication to the Identity Provider, because the IP surrogate session is bound to that address.
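To make the cause concrete, the following is an added, simplified model of an IP-surrogate session cache in Python; it is not Cloud SWG, WSS Agent or Azure code, and the proxy class, the `IdentityProvider` stand-in, the user names, IP addresses and host names are all constructed for illustration. It models only the group side of the problem: once an assertion is cached against a client IP, the group list in it is reused for every request from that IP until the surrogate times out, the user logs out, or the IP changes, which is why a group change in Azure is not seen until one of those three events occurs.

```python
"""Model of why Azure group changes lag behind an active Cloud SWG session.

Added illustration, not vendor code. Assumption: an IP surrogate caches the
groups from the SAML assertion for a fixed TTL, keyed by client IP address.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    user: str
    groups: frozenset[str]


class IdentityProvider:
    """Stand-in for the Azure IdP: a user -> groups directory (constructed data)."""

    def __init__(self, directory: dict[str, set[str]]):
        self.directory = directory

    def issue_assertion(self, user: str) -> Assertion:
        # The assertion is a snapshot of group membership at issue time.
        return Assertion(user, frozenset(self.directory[user]))


@dataclass
class Surrogate:
    assertion: Assertion
    expires_at: float


class CloudProxy:
    """Hypothetical proxy with an IP-surrogate cache and group-based deny rules."""

    def __init__(self, idp: IdentityProvider, surrogate_ttl: float):
        self.idp = idp
        self.ttl = surrogate_ttl
        self.surrogates: dict[str, Surrogate] = {}   # client_ip -> Surrogate
        self.deny_rules: list[tuple[str, str]] = []   # (group, blocked_host)

    def authenticate(self, client_ip: str, user: str, now: float) -> Assertion:
        s = self.surrogates.get(client_ip)
        if s is None or now >= s.expires_at:
            # No valid surrogate for this IP: only now is a fresh assertion requested.
            s = Surrogate(self.idp.issue_assertion(user), now + self.ttl)
            self.surrogates[client_ip] = s
        return s.assertion   # otherwise the cached (possibly stale) groups are reused

    def logout(self, client_ip: str) -> None:
        # Equivalent of the user hitting the logout URL: drop the surrogate.
        self.surrogates.pop(client_ip, None)

    def decide(self, client_ip: str, user: str, host: str, now: float) -> str:
        assertion = self.authenticate(client_ip, user, now)
        for group, blocked_host in self.deny_rules:
            if blocked_host == host and group in assertion.groups:
                return "DENY"
        return "ALLOW"


def run_scenario() -> dict[str, str]:
    """Walk through the three ways a group removal becomes visible."""
    results: dict[str, str] = {}

    # Logout and IP-change cases (constructed user "alice", constructed hosts).
    idp = IdentityProvider({"alice": {"Blocked-Users"}})
    proxy = CloudProxy(idp, surrogate_ttl=3600)
    proxy.deny_rules.append(("Blocked-Users", "example.test"))
    results["initial"] = proxy.decide("10.0.0.5", "alice", "example.test", now=0)
    idp.directory["alice"].discard("Blocked-Users")   # admin removes alice from the group
    results["after_group_change"] = proxy.decide("10.0.0.5", "alice", "example.test", now=60)
    results["after_ip_change"] = proxy.decide("10.0.0.6", "alice", "example.test", now=61)
    proxy.logout("10.0.0.5")
    results["after_logout"] = proxy.decide("10.0.0.5", "alice", "example.test", now=62)

    # Timeout case: nothing forces a re-auth, so the change waits for the TTL.
    idp2 = IdentityProvider({"bob": {"Blocked-Users"}})
    proxy2 = CloudProxy(idp2, surrogate_ttl=3600)
    proxy2.deny_rules.append(("Blocked-Users", "example.test"))
    proxy2.decide("10.0.1.5", "bob", "example.test", now=0)
    idp2.directory["bob"].discard("Blocked-Users")
    results["before_timeout"] = proxy2.decide("10.0.1.5", "bob", "example.test", now=100)
    results["after_timeout"] = proxy2.decide("10.0.1.5", "bob", "example.test", now=3600)
    return results


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:20s} {verdict}")
```

Running the scenario shows the stale `DENY` surviving the group change until the surrogate is dropped by logout, replaced because the IP changed, or expired by the timeout; in the real service the equivalent knobs are the logout URL above, a change of the client's local IP, and the authentication policy timeout.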