Users access internet sites via Cloud SWG using the WSS Agent.
All users authenticate to an Okta IdP server.
SCIM is used to synchronise Okta users and groups to Cloud SWG.
Users that are members of groups fail with access denied errors when accessing sites covered by group-based policies (groups synchronised via SCIM) that should allow access.
A HAR file shows that the users' groups are not being sent by the Okta Identity Provider.
Okta Identity Provider.
WSS Agent.
SAML authentication.
Misconfiguration on the Okta Identity Provider: the SAML application for WSS does not send the user's groups in the assertion.
1. Go to the Okta Dashboard -> Applications -> Symantec Web Security Service -> Sign On -> Settings -> Edit (populate the group attribute statement).
2. Go to the Group setting and make sure it is populated. In this example, all the user groups start with ExampleGroup_, e.g. ExampleGroup_Sales, ExampleGroup_Support.
3. Save the changes and apply them.
4. Log in to Okta again and use a HAR file to confirm that the assertion includes the group AttributeStatement with all the groups the user is a member of.
Okta was synchronising groups from the internal AD domains.
The HAR file showed that the assertion was sent by Okta, but without any AttributeStatement containing the user's groups.
Okta is responsible for sending this information: to send the groups from Okta, you need to configure the SAML app for WSS in Okta.
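To make the HAR check in step 4 repeatable, the following added example (not part of the original article) pulls every SAMLResponse POSTed in a HAR capture, base64-decodes it and lists the group values found in the AttributeStatement, filtered by the ExampleGroup_ prefix. The HAR and the two SAML responses inside it are constructed samples: the first mirrors the broken state (no AttributeStatement), the second the corrected one; the attribute name "groups" is an assumption, so match it to whatever name the Okta app is configured with.

```python
import base64
import json
import urllib.parse
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
           "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

def saml_responses_from_har(har_text):
    """Yield the decoded XML of every SAMLResponse form field POSTed in the HAR."""
    har = json.loads(har_text)
    for entry in har["log"]["entries"]:
        post = entry["request"].get("postData") or {}
        for param in post.get("params", []):
            if param.get("name") == "SAMLResponse":
                raw = urllib.parse.unquote(param["value"])   # HAR stores the URL-encoded form value
                yield base64.b64decode(raw).decode("utf-8")

def group_attributes(response_xml, prefix=""):
    """Return {attribute name: [values]} for each Attribute in an AttributeStatement,
    keeping only values that start with `prefix` (e.g. 'ExampleGroup_')."""
    root = ET.fromstring(response_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        values = [v for v in values if v.startswith(prefix)]
        if values:
            found[attr.get("Name")] = values
    return found                      # empty dict means no group AttributeStatement was sent

def check_har(har_text, prefix="ExampleGroup_"):
    """One result per SAMLResponse in the capture; an empty dict flags the misconfiguration."""
    return [group_attributes(xml_text, prefix) for xml_text in saml_responses_from_har(har_text)]

# Constructed sample data: a broken response (no AttributeStatement) and a fixed one.
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
         '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>')
_TAIL = '</saml:Assertion></samlp:Response>'
_GROUPS = ('<saml:AttributeStatement><saml:Attribute Name="groups">'
           '<saml:AttributeValue>ExampleGroup_Sales</saml:AttributeValue>'
           '<saml:AttributeValue>ExampleGroup_Support</saml:AttributeValue>'
           '<saml:AttributeValue>Everyone</saml:AttributeValue>'
           '</saml:Attribute></saml:AttributeStatement>')

def _entry(xml_text):
    value = urllib.parse.quote(base64.b64encode(xml_text.encode()).decode())
    return {"request": {"method": "POST", "url": "https://acs.example.invalid/saml",
                        "postData": {"params": [{"name": "SAMLResponse", "value": value}]}}}

SAMPLE_HAR = json.dumps({"log": {"entries": [_entry(_HEAD + _TAIL), _entry(_HEAD + _GROUPS + _TAIL)]}})
```

Running check_har(SAMPLE_HAR) returns [{}, {'groups': ['ExampleGroup_Sales', 'ExampleGroup_Support']}]: the first response reproduces the symptom from the article, the second is what a correctly configured app sends.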