Users access internet sites via Cloud SWG using WSS Agent on macOS.

SAML authentication enabled via SAML Identity Provider.

Some users connect their WSS Agents and get a popup screen without any IDP login page details - the page is blank (with white or black background based on settings).

Changing the WSS Agent SAML authentication settings to ephemeral/non ephemeral makes no difference.

macOS.

WSS Agent.

SAML.

macOS advanced tracking.

Safari advanced tracking enabled setting up an iCloud private relay, where WSS Agent cannot intercept any requests needed for SAML authentication (DNS, pod.threatpulse.com/saml.threatpulse.net).

Disable Safari intelligent tracking prevention under advanced settings

• Safari > Settings… (⌘,) and click on the Privacy tab and
• Click Advanced Settings for a few more options.
• In the Privacy section, disable “Use advanced tracking and fingerprinting protection” to in all browsing. 

MDM profiles can be created to automate this change to all macOS devices.

Other non authentication related issues can also occur with private relays and additional recommendations have been made available.