Users accessing internal applications via Cloud SWG integrated with ZTNA using WSS Agent.

SAML authentication enabled to 3rd party IDP server without any SCIM interface.

Users are provisioned to the ZTNA Identity provider user store via the SAML attributes sent with assertion.

Most users can access the ZTNA segment application without issues, but a handful cannot; the same users can access non ZTNA applications fine.

Users seeing issues reported authentication versus access related errors.

Cloud SWG.

ZTNA.

Generic SAML user provisioning.

Problem users had moved from one group to another group within the enterprise, where they had a different internal ID but the same email address e.g. a user with ID [email protected] and [email protected] were both created on the IDP server user store with the email attribute of [email protected]. 

When ZTNA processes the assertion and tries to identify the user, the incoming email address from the assertion could not be tied to a single unique user.

Change the IDP server integrated with Cloud SWG (not ZTNA) to send a unique identifier and not the email address shared between two different IDs.

In the above case, we changed the UPN in the Cloud SWG IDP server to the user id (not email address) so ZTNA uses this unique ID not the email address for identifying users and querying the users groups.