Dual Authentication issue when WSS Agent SAML request sent into IPSEC tunnel

Article ID: 411556


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Roaming users access internet sites via Cloud SWG using WSS Agent.

On-premise users access internet sites via Cloud SWG using WSS Agent.

A Velo Cloud Edge is used to forward on-premise web requests into the IPSEC tunnel, but a separate Edge policy forwards the WSS Agent tunnel (UDP 443) DIRECT rather than into the IPSEC tunnel.

When roaming users come into the office, SAML authentication fails and users cannot access any traffic.

Users do see the Webview popup window, but instead of the SAML IDP server login page they see a Cloud SWG block message.

Environment

Cloud SWG.

Velo Cloud Edge device.

WSS Agent.

SAML authentication.

WSS Agents are NOT passive when on-premise.

Cause

SAML IDP server traffic bypasses the WSS Agent tunnel and goes out direct, but in this case "direct" means via the IPSEC tunnel.

Policy on the Cloud SWG tenant blocks all unauthenticated traffic into Cloud SWG, hence the SAML login page is not rendered.

Resolution

Make sure that an authentication exception and ALLOW rule exists for the SAML IDP server endpoints.

When WSS Agents are ACTIVE on premise, any traffic not going through the WSS Agent tunnel will go via IPSEC tunnel into Cloud SWG and must be allowed through to the OCS.

When WSS Agents are PASSIVE on premise, the authentication policy for the IPSEC (or any) location will handle the credential validation.
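As an added illustration (not from the article and not Cloud SWG's policy engine), a small Python model of the rule ordering the resolution relies on: the IDP authentication exception must match before the rule that denies unauthenticated traffic, and it should stay narrow. Hostnames and rule names are constructed.

```python
from dataclasses import dataclass

# Constructed SAML IDP endpoints for illustration; use your IDP's real hosts.
IDP_ENDPOINTS = {"idp.example.com", "login.example.com"}


@dataclass
class Request:
    host: str            # destination web server
    authenticated: bool  # False for traffic arriving over the IPSEC location


def evaluate(req: Request, idp_exception: bool):
    """Ordered evaluation of the two tenant rules the article describes.

    Rule 1 (only if idp_exception): authentication exception + ALLOW for the
            SAML IDP endpoints, evaluated first.
    Rule 2: block anything that is not authenticated.
    Returns (verdict, matched_rule).
    """
    if idp_exception and req.host in IDP_ENDPOINTS:
        return ("ALLOW", "idp-auth-exception")
    if not req.authenticated:
        return ("BLOCK", "deny-unauthenticated")
    return ("ALLOW", "default-authenticated")


def saml_login_reachable(idp_exception: bool) -> bool:
    """Model the failing flow: the WSS Agent sends the IDP request outside its
    tunnel; on premise that 'direct' path is the IPSEC tunnel, so the request
    reaches the tenant unauthenticated. Without the exception it is blocked and
    the Webview shows the block page instead of the IDP login page."""
    req = Request("idp.example.com", authenticated=False)
    return evaluate(req, idp_exception)[0] == "ALLOW"


if __name__ == "__main__":
    print("without exception:", saml_login_reachable(False))  # False
    print("with exception:   ", saml_login_reachable(True))   # True
```

The exception only opens the IDP endpoints: an unauthenticated request to any other host over the IPSEC location is still denied, which is the intended behaviour.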