Cloud SWG SAML auth - nested group behavior with Azure IdP

Article ID: 403886

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Cloud SWG is integrated with Azure IdP for SAML authentication.

The Cloud SWG content filter policy is configured to block the site example.com for the security group GroupA.
user1 is a direct member of GroupB.
GroupB is a member of GroupA.

Expected result (as stated by the customer): example.com should be blocked for user1.

Actual result: example.com was not blocked for user1.

Environment

Cloud SWG

SAML auth with Azure IdP

Cause

The Azure IdP application was configured to restrict the group claims to groups that are assigned to the application.

Azure behavior with respect to nested groups:

  • If a user is a member of GroupB, and GroupB is a member of GroupA, then the group claims for the user will contain both GroupA and GroupB.
  • Group claims in tokens include nested groups, except when you're using the option to restrict the group claims to groups that are assigned to the application.

Reference links: Configure group claims for applications by using Microsoft Entra ID

Resolution

Make sure that the user is a direct member of the group referenced in the policy (GroupA in this case) when the group claim is configured to emit only groups that are assigned to the application.
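The following added example (not part of this article, and not Cloud SWG or Azure code) models the two claim-emission modes described under Cause and checks a group-based block rule against the groups attribute of a constructed SAML assertion. The membership data, the policy group and the SAML claim name used are assumptions for illustration; the claim URI is the default Azure groups claim name, and `policy_blocks` stands in for the Cloud SWG policy match, which the article does not describe in detail.

```python
"""Model of the nested-group claim behaviour and the resulting policy outcome (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the article: user1 -> GroupB, GroupB -> GroupA.
DIRECT_MEMBERSHIP = {"user1": {"GroupB"}}
GROUP_PARENTS = {"GroupB": {"GroupA"}}      # child group -> parent groups
APP_ASSIGNED_GROUPS = {"GroupA"}             # groups assigned to the enterprise application

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_NS = {"saml": SAML}
# Default Azure groups claim name (assumed here; configurable in the IdP application).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def transitive_groups(user, direct=DIRECT_MEMBERSHIP, parents=GROUP_PARENTS):
    """All groups the user belongs to, directly or through nesting."""
    seen, stack = set(), list(direct.get(user, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(parents.get(group, ()))
    return seen


def emitted_group_claims(user, restrict_to_assigned, direct=DIRECT_MEMBERSHIP,
                         parents=GROUP_PARENTS, assigned=APP_ASSIGNED_GROUPS):
    """Groups that end up in the token under each of the two modes the article describes."""
    if restrict_to_assigned:
        # "Groups assigned to the application": only assigned groups of which the
        # user is a *direct* member; nested membership is not expanded.
        return direct.get(user, set()) & assigned
    # Default mode: nested groups are included.
    return transitive_groups(user, direct, parents)


def build_assertion(groups):
    """Construct a minimal SAML Assertion carrying the groups attribute (constructed sample)."""
    root = ET.Element(f"{{{SAML}}}Assertion")
    stmt = ET.SubElement(root, f"{{{SAML}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=GROUPS_CLAIM)
    for group in sorted(groups):
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = group
    return ET.tostring(root, encoding="unicode")


def groups_from_assertion(xml_text):
    """Extract the values of the groups attribute from a SAML assertion."""
    root = ET.fromstring(xml_text)
    values = set()
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUPS_CLAIM:
            values.update(v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text)
    return values


def policy_blocks(assertion_xml, policy_group="GroupA"):
    """Stand-in for the Cloud SWG rule: block only if the policy group is present in the claim."""
    return policy_group in groups_from_assertion(assertion_xml)


def evaluate(user, restrict_to_assigned, direct=DIRECT_MEMBERSHIP):
    """End-to-end: IdP emits claims -> assertion -> policy decision for the user."""
    claims = emitted_group_claims(user, restrict_to_assigned, direct=direct)
    return policy_blocks(build_assertion(claims))


if __name__ == "__main__":
    print("restricted to assigned groups, nested membership:", evaluate("user1", True))   # False
    print("all groups including nested:", evaluate("user1", False))                        # True
    # Resolution from the article: make user1 a direct member of GroupA.
    fixed = {"user1": {"GroupA", "GroupB"}}
    print("restricted, direct member of GroupA:", evaluate("user1", True, direct=fixed))   # True
```

Running the block reproduces the article's outcome: with the claim restricted to assigned groups, GroupA never reaches the assertion for user1 and the block rule does not match; adding user1 directly to GroupA (the Resolution) makes the rule match again. When troubleshooting a live case, decoding the actual SAML response and inspecting the groups attribute in the same way confirms which mode the IdP application is in before any policy is changed.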