Microsoft Office 365 and On-Premise ADFS: Authentication Loop or MFA Prompt with Selective Isolation

Article ID: 441618

Products

Web Isolation Cloud

Issue/Introduction

The customer federates Microsoft Office 365 with an on-premise ADFS server and requires seamless on-premise Kerberos (integrated Windows) authentication for their users. They encounter two conflicting behaviors depending on the Web Isolation configuration:

  1. Lack of seamless SSO: When the ADFS SSO domain is included in the customized suite URLs for Selective Isolation in Online Service Suites, the entire flow stays isolated. Users can log in, but the isolation gateway reaches the ADFS server externally, so the user's local Kerberos ticket is never presented. Users are forced to enter their credentials manually and complete MFA.

  2. Authentication loop: When the ADFS SSO domain is removed from the Selective Isolation customized list (so that the flow can leave isolation and use local Kerberos authentication), users are caught in an infinite authentication loop and cannot log in.

Environment

  • Broadcom Symantec Cloud Web Isolation

  • Selective Isolation in Online Service Suites enabled

  • Microsoft Office 365 federated with an on-premise ADFS server

Cause

This issue is caused by a technical limitation: cookies are not shared between the local (left-side) browser and the isolated (right-side) browser. When the flow leaves Isolation at the ADFS SSO domain, the downstream request to login.microsoftonline.com is also handled locally, so its cookies end up in the browser that the isolated application cannot use.

When the ADFS SSO domain is removed from the Selective Isolation list:

  1. Local Kerberos authentication completes successfully in the left-side browser.

  2. ADFS posts a SAML assertion to login.microsoftonline.com. Because the flow is still in the left-side browser, the resulting authentication cookies are stored in the left-side browser's cookie jar.

  3. login.microsoftonline.com redirects the user back to the original Microsoft application URL, which is isolated.

  4. The application sends the user to login.microsoftonline.com again, and Selective Isolation forces that request into the right-side browser. The right-side browser has no access to the cookies held on the left side, so login.microsoftonline.com sees no session and the authorization request fails.

  5. The user is sent back to the login page, and the cycle repeats indefinitely.

Resolution

To resolve this issue while keeping seamless Kerberos authentication, disable the Selective Isolation feature specifically for the target Microsoft application domain. The authentication hand-off is then handled consistently in one browser context, and the cookie mismatch never occurs.

Follow these steps to configure the necessary policy rule:

Step 1: Verify or Create a "No Selective Isolation" Advanced Setting

  1. Navigate to Policy Entities > Rule Advanced Settings in the Management Console.

  2. Check whether a rule profile already exists in which Selective Isolation in Online Service Suites is fully disabled.

  3. If this rule is not present, create a new one (e.g., name it No_Selective_Isolation). Ensure that all options under the Selective Isolation in Online Service Suites section are completely disabled, then save the profile.

Step 2: Create a Prioritized Policy Rule for the Target Microsoft Application

  1. Navigate to Policies > My Policy.

  2. Create a new policy rule and move it to the top of the rule stack so that it takes precedence over the existing routing rules.

  3. Configure the new rule with the following parameters:

    • Destination: The specific Microsoft application domain using the SSO (e.g., *.entra.microsoft.com)

    • Action: Isolate

    • Advanced Settings (located at the bottom of the configuration): Select the No_Selective_Isolation rule profile verified or created in Step 1.

Because this rule sits at the top of the stack and carries the No_Selective_Isolation profile, the authentication hand-off for the target application is no longer split between the two browsers: the user's local Kerberos ticket is presented to ADFS and login completes seamlessly. To verify, open the application from a domain-joined workstation and confirm that the user is signed in without a credential or MFA prompt and without repeated redirects to the login page.
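The redirect chain from the Cause section, and the effect of the No_Selective_Isolation rule from the Resolution, as an added Python model that is not part of this article or of the Web Isolation product. It treats each browser as a separate cookie jar and routes every hop by the rules the article describes; the hostnames outlook.office.com and adfs.corp.example, the cookie name ESTSAUTH, the Policy class and its routing logic are illustrative assumptions, not product internals. Running it shows the three situations side by side: ADFS kept in the suite URLs signs in but with an MFA prompt, ADFS removed loops, and the No_Selective_Isolation profile signs in with ADFS served by the local browser.

```python
"""Model of the cookie split between the local (left-side) and isolated
(right-side) browser that produces the ADFS authentication loop.

Added illustration, not Symantec Web Isolation code.  Hostnames, the cookie
name and the routing rules are assumptions chosen to mirror the article's
description of Selective Isolation in Online Service Suites.
"""
from dataclasses import dataclass

APP_HOST = "outlook.office.com"        # assumed Office 365 application URL
AAD_HOST = "login.microsoftonline.com"
ADFS_HOST = "adfs.corp.example"        # assumed on-premise ADFS SSO domain
MAX_HOPS = 12                          # ends the demo once the flow is clearly looping


@dataclass(frozen=True)
class Policy:
    """The two knobs the article discusses (modeled, not product internals)."""
    suite_urls: frozenset              # customized suite URLs for Selective Isolation
    selective_isolation: bool = True   # False: rule carries the No_Selective_Isolation profile

    def context_for(self, host: str, current: str) -> str:
        """Choose the browser for the next hop: 'right' (isolated) or 'left' (local)."""
        if host == APP_HOST:
            return "right"             # the application rule itself is Action: Isolate
        if current == "left":
            return "left"              # a flow that has left isolation continues locally
        if self.selective_isolation and host in self.suite_urls:
            return "right"             # suite host is forced into the isolated browser
        return "left"


def run_login(policy: Policy) -> dict:
    """Drive one sign-in through app -> AAD -> ADFS -> AAD -> app.

    Each browser context keeps its own cookie jar; nothing is shared.
    Returns the outcome ('success' or 'loop'), the hop list as (host, context)
    pairs, and whether ADFS had to fall back to forms authentication + MFA.
    """
    jars = {"left": {}, "right": {}}
    hops, mfa_prompted = [], False
    host, ctx, phase, token = APP_HOST, "right", "authorize", None

    while len(hops) < MAX_HOPS:
        ctx = policy.context_for(host, ctx)
        hops.append((host, ctx))
        jar = jars[ctx].setdefault(host, {})

        if host == APP_HOST:
            if token:                                   # token issued: signed in
                return {"outcome": "success", "hops": hops, "mfa_prompted": mfa_prompted}
            host, phase = AAD_HOST, "authorize"         # no session: go sign in
        elif host == AAD_HOST and phase == "authorize":
            if "ESTSAUTH" in jar:                       # assumed session cookie name
                token, host = "access-token", APP_HOST  # cookie present: token to the app
            else:
                host = ADFS_HOST                        # federated domain: hand off to ADFS
        elif host == ADFS_HOST:
            # Only the local browser holds the user's Kerberos ticket; the gateway
            # reaching ADFS externally gets a forms login and an MFA prompt instead.
            mfa_prompted = mfa_prompted or ctx != "left"
            host, phase = AAD_HOST, "saml"              # post the SAML assertion
        else:                                           # AAD receiving the SAML assertion
            jar["ESTSAUTH"] = "session"                 # lands in THIS context's jar only
            host, phase = APP_HOST, "authorize"         # back to the original app URL
    return {"outcome": "loop", "hops": hops, "mfa_prompted": mfa_prompted}


def summarize(label: str, result: dict) -> str:
    """One-line report used by the demo below."""
    adfs_ctx = [c for h, c in result["hops"] if h == ADFS_HOST][:1]
    return (f"{label}: {result['outcome']} after {len(result['hops'])} hops, "
            f"MFA prompt={result['mfa_prompted']}, ADFS served in {adfs_ctx}")


if __name__ == "__main__":
    suite = frozenset({AAD_HOST})
    print(summarize("ADFS kept in suite URLs", run_login(Policy(suite | {ADFS_HOST}))))
    print(summarize("ADFS removed from list ", run_login(Policy(suite))))
    print(summarize("No_Selective_Isolation ", run_login(Policy(suite, False))))
```

The model deliberately keeps the article's step 3 (login.microsoftonline.com sends the user back to the application URL after the SAML post rather than straight to a token), because that is the hop at which the isolated browser re-enters login.microsoftonline.com without the cookies the local browser just stored.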