A user who has successfully logged in to Cloud SWG via SAML is missing some or all of the "groups of interest". As a result, SWG policy and, for example, Agent Traffic Manager ZTNA group-based rules do not match, and the user's requests are handled incorrectly.
In the Edge SWG that is linked to the Cloud SWG UPE policy, add a new generic realm named "saml_realm" (use this exact name) under "Configuration -> Authentication -> Realms and Domains", "Add Realm":
In the VPM, add a new Web Authentication layer that authenticates requests using the newly created SAML realm, for example:
Then, so that Cloud SWG assigns the group of interest (an IdP Azure AD security group, for example "ZTNA_SysInfo_Viewer"), add a Web Access layer rule such as:
To test the new setup, the user can force a SAML re-authentication by browsing to "https://notify.threatpulse.net/logout" or by restarting the client machine.
To confirm the group assignment for the user and transaction, check the tested request in the Cloud SWG access logs to see whether, and which, group(s) were assigned, for example:
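As an added illustration of that access-log check (this is not Broadcom's own tooling and not part of the original article), the following Python script parses W3C/ELFF-style access log lines and reports, per request, which realm groups were assigned and which groups of interest are missing. The field names cs-auth-realm, cs-auth-group and cs-auth-groups, the semicolon separator for multi-valued groups, the hostnames and the log lines themselves are all constructed assumptions; substitute the field names shown in the "#Fields:" header of your own Cloud SWG access log export.

```python
"""Report which SAML realm groups a Cloud SWG request was assigned (added example)."""
import shlex
from typing import Dict, List, Set

# Constructed sample in W3C/ELFF layout. The column names below are ASSUMED to mirror
# the ProxySG main log format; real Cloud SWG exports may name them differently.
SAMPLE_LOG = """#Software: constructed sample, not a real Cloud SWG export
#Fields: date time c-ip cs-username cs-auth-realm cs-auth-group cs-auth-groups cs-method cs-uri-scheme cs-host sc-status
2024-01-15 10:01:02 10.0.0.5 alice@symcdemos.local saml_realm ZTNA_SysInfo_Viewer "ZTNA_SysInfo_Viewer;All_Company" GET https intranet.symcdemos.local 200
2024-01-15 10:01:07 10.0.0.6 bob@symcdemos.local saml_realm - - GET https intranet.symcdemos.local 403
"""


def parse_elff(text: str) -> List[Dict[str, str]]:
    """Turn ELFF lines into dicts keyed by the names from the '#Fields:' header."""
    fields = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line seen before a '#Fields:' header")
        values = shlex.split(line)  # keeps quoted multi-value fields together
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line}")
        records.append(dict(zip(fields, values)))
    return records


def assigned_groups(record: Dict[str, str], field: str = "cs-auth-groups", sep: str = ";") -> List[str]:
    """All groups the proxy assigned to the request; '-' means no group was resolved."""
    raw = record.get(field, "-")
    if raw in ("", "-"):
        return []
    return [g for g in raw.split(sep) if g]


def audit(records: List[Dict[str, str]], groups_of_interest: Set[str]) -> List[Dict[str, object]]:
    """Per request: realm used, groups assigned, and which groups of interest are missing.

    A realm of '-' means the request was never authenticated, which is the first thing
    to rule out before blaming group lookup.
    """
    findings: List[Dict[str, object]] = []
    for rec in records:
        have = set(assigned_groups(rec))
        findings.append({
            "user": rec.get("cs-username", "-"),
            "realm": rec.get("cs-auth-realm", "-"),
            "host": rec.get("cs-host", "-"),
            "status": rec.get("sc-status", "-"),
            "assigned": sorted(have),
            "missing": sorted(groups_of_interest - have),
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_elff(SAMPLE_LOG), {"ZTNA_SysInfo_Viewer"}):
        flag = "OK " if not f["missing"] else "MISSING"
        print(f"{flag} {f['user']} realm={f['realm']} host={f['host']} "
              f"status={f['status']} assigned={f['assigned']} missing={f['missing']}")
```

Run it against a log export instead of SAMPLE_LOG to list every request where the expected group never reached the transaction; those are the requests whose ZTNA rules will not match.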
The above VPM Web Access layer rules can be replaced by the following CPL; this example includes several other user groups:
#if enforcement=wss
define condition myAzureAD_Groups
    realm=saml_realm group="All_Company"
    realm=saml_realm group="Administrator"
    realm=saml_realm group="ZTNA_symcdemos.local_Segment_APP"
    realm=saml_realm group="ZTNA_SysInfo_Viewer"
    realm=saml_realm group="Support"
end
condition=myAzureAD_Groups
#endif
Install it in a new VPM CPL layer created at the bottom of the layer stack.