Websites or applications fail to complete SAML authentication

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

SAML authentication is enabled under your Cloud SWG (WSS) account.

Some websites or applications cannot complete SAML authentication causing various types of errors.

Note: This article is only relevant to an Explicit Proxy connection method using cookie surrogate.

Environment

Cloud SWG

SAML

Explicit Proxy with cookie surrogate

Cause

Cloud SWG uses a "surrogate" value, a cookie on the browser, to reduce the authentication process on every HTTP connection.

Once a user is successfully authenticated with Cloud SWG, a cookie surrogate is provided (Explicit Proxy access method).

Cookie surrogates are valid for the time defined in the Cloud SWG portal. The default is the lifetime of the browser session or 24 hours, whichever comes first. To apply the cookie to the domain, Cloud SWG must be able to redirect the client.

After the surrogate expires, the user must complete a full authentication sequence to revalidate the user.

The authentication process is not always successful. Reasons include, but are not limited to, issues where the client does not:

Respect an HTTP/307 redirect.
Support saving or presenting session-based cookies (such as those for effective TLDs, or sites that implement Cross-Origin Resource Sharing).
Support challenge-based authentication (HTTP 401).
Parse JavaScript/POST requests (to send the SAML assertion to saml.threatpulse.net).

Resolution

To mitigate this issue, Cloud SWG only redirects a user for SAML authentication if the request came from a Mozilla or Mozilla-compatible browser (e.g. Internet Explorer, Firefox, etc.).

Symantec has noted that several clients spoof the User Agent, yet clients are still unable to comply with the required redirect and cookie setting.

Bypassed domains

Symantec has listed some specific User Agents and URLs of known User Agents, and destinations that fail SAML authentication.

Domain/URL	Comment
officeimg.vo.msecnd.net	Microsoft office help documentation does not support SAML redirect or cookies.
office.microsoft.com	Microsoft office help documentation does not support SAML redirect or cookies.
open.bbci.co.uk	Sports results from the BBC homepage have issues with AJAX query and the SAML redirect response.
code.jquery.com	Microsoft Visual Studio external requests.
ajax.googleapis.com	Microsoft Visual Studio external requests.
cdnjs.cloudflare.com	Microsoft Visual Studio external requests.
adobe.com	Adobe updater and installer do not expect SAML authentication.
w3.airbusdoc.com	Airbus support portal. Loading external content fails with SAML enabled.
activate.netsupportsoftware.com	Netsupport activation and registration URL. Activation fails with SAML enabled.
clientconfig.microsoftonline-p	Required for MS Lync activation after the first installation.
cloudfront.net	Effective TLD (cannot set a domain-wide cookie for sub-domains).
blogspot.com	Effective TLD (cannot set a domain-wide cookie for sub-domains).
blogspot.co.uk	Effective TLD (cannot set a domain-wide cookie for sub-domains).
dilbert.com	Embedded images (hot linked) do not follow the SAML redirect.
geo.kaspersky.com	Kaspersky Anti-Virus updates.
ftp.dell.com/Published/Data	Dell System Analysis Software.
googleapis.com	Effective TLD (cannot set a domain-wide cookie for sub-domains).
githubusercontent.com	Effective TLD (cannot set a domain-wide cookie for sub-domains).
fastly.net	Effective TLD (cannot set a domain-wide cookie for sub-domains).
mt0.google.com	JSON requests from the browser embedded Google maps application fails to present the SAML session cookie. This results in a redirect loop and failure to load the map.
googleusercontent.com	Google Chrome Web Store - not following redirects to SAML SP.
hp5.a.woopic.com	Browser does not provide SAML cookie for TTF and WOOF (Icon files) loaded through CSS.
c64.assets-yammer.com	Browser does not POST the assertion to this domain.
layout.eurosport.com	Browser does not provide SAML cookie for TTF and WOOF (Icon files) loaded through CSS.
www.google.com/maps/vt	XML query for map data - not providing SAML cookie within Google Maps preventing map data from loading.
googleusercontent.com	Chrome Webstore - browser not providing SAML cookie for some content.
ggpht.com	Google Street View not providing SAML cookie in some transactions to this domain.
fbstatic-a.akamaihd.net/rsrc.php	CSS required as part of Facebook log-in, not providing SAML session cookie.
cdn-files.deezer.com	Icon files failing to load (now resolved as part of the below policy).
capen.daveslab.co.uk	Content Security Policy not providing SAML cookie. Required for prizes.rednoseday.com.
payments.daveslab.co.uk	Precautionary, to allow payments to process for charity website prizes.rednoseday.com.
khms0.google.com	Google satellite view. Browser not providing SAML session cookie for this domain.
khms1.google.com	Google satellite view. Browser not providing SAML session cookie for this domain.
khms2.google.com	Google satellite view. Browser not providing SAML session cookie for this domain.
khms3.google.com	Google satellite view. Browser not providing SAML session cookie for this domain.
www.heroku.com	Effective TLD (cannot set a domain-wide cookie for sub-domains).
herokuapp.com	Effective TLD (cannot set a domain-wide cookie for sub-domains).
api.mongolab.com	Content-Security-Policy (Cross-Origin Resource Sharing) - prevents the SAML authentication cookie from being set.
fpdownload2.macromedia.com	Macromedia Flash updates get stuck in an authentication loop.
amazonaws.com	Subdomain Effective TLDs.
amazonaws.cn	Subdomain Effective TLDs.
intropdf.com	The PDF reader fails to send a SAML assertion to the SP after authenticating to the IDP.
tile.openstreetmap.org	OCS uses CORS.
www.google.com/recaptcha/api	IDaaS IDP uses these resources for IDP authentication.
www.google.com/js	IDaaS IDP uses these resources for IDP authentication.
install.nitropdf.com	NitroPDF is a third-party PDF reader and does not follow the redirect back to the SP after IDP authentication.
officeapps.live.com	Required for inserting images into Office Outlook 2013.
apps.skype.com	Required for Skype.
mm.bing.net	Attaching images to Outlook emails fails when SAML is enabled.
r1.res.office365.com	Viewing Action items in Outlook emails failed with SAML enabled.
www.google.com/_/chrome/	Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.co.uk/_/chrome/	Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.fr/_/chrome/	Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.be/_/chrome/	Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.nl/_/chrome/	Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
assets-yammer.com	Browser does not POST the assertion to this domain.
pack.google.com	Google spellchecker fails to complete SAML transaction.
seb.se	Effective TLD (cannot set a domain-wide cookie for sub-domains).
mappy.net	Map objects don't follow the redirect to validate SAML cookie.
tile.openstreetmap.org	Map objects don't follow the redirect to validate SAML cookie.
openlayers.org	Also used by openstreetmap. Objects don't follow the redirect to validate SAML cookie.
vocollectacademy.com	Unable to load PPT files for training content.
application5.globaleservice.com	Customer-specific request.
msecnd.net	Content delivery network
akadns.net	Akamai content
iecvlist.microsoft.com	Microsoft updates
ie9cvlist.ie.microsoft.com	Microsoft updates
rssinclude.com	RSS feeds
gstatic.com	Google static content
c.microsoft.com	Microsoft updates
blob.core.windows.net	SAML transaction incomplete
optimize.webtrends.com	SAML transaction incomplete
windowsupdate.com	Windows update fails to complete SAML transaction
brunswick.streaming.mediaservices.windows.net	SAML transaction incomplete
amp.azure.net	SAML transaction incomplete
supermapcloud.com	SAML transaction incomplete
gb.symcd.com	SAML transaction incomplete
maps.google.com/maps/api	Google Maps API not completing SAML
ccu.viamichelin.com	SAML Assertion are not posted to IDP
cloudapp.net	Effective TLD
laskurit.net	Embedded images fail to parse the SAML redirect when they are the first HTTP request
captive.apple.com	Captive portal detection from Apple devices
www.msftncsi.com	Microsofts Network Connection Status Indicator doesn't complete SAML transaction.
epaper.paris-normandie.fr	Does not send SAML cookie
mail-attachment.googleusercontent.com	Does not send SAML cookie
kmapi.dotmobil.com	Does not send SAML cookie
milibris.com	Does not send SAML cookie

Bypassed agents

The following User Agents, Headers, and File Extensions are also known to fail SAML authentication. This list can be used as a basis for crafting your own lists.

Note: For privacy reasons, this list does not contain some customer-specific domains or User-Agents.

User-Agents, if it contains:

MSOffice: Viewing images inside Microsoft Outlook fails with SAML enabled.
ms-office: Clicking links inside office applications (for example, Microsoft Excel).
Google Earth: Prevents Google Earth from crashing during an attempt to perform SAML authentication.

Other headers:

X-OfApp: WINWORD
X-OfVer: 15
X-OfApp: OUTLOOK
X-OfVer: 14

File extensions:

.WOFF: Browser embedded Content-Security-Policy prevents the browsers from following redirects to the SAML authentication IDP/SP.
.WOFF2: Browser embedded Content-Security-Policy prevents the browsers from following redirects to the SAML authentication IDP/SP.
.TTF: Browser embedded Content-Security-Policy prevents the browsers from following redirects to the SAML authentication IDP/SP.

Caution: With the addition of the Symantec Authentication Policy controls, Symantec no longer proactively maintains this list. Refer to Exempt From Authentication for further information on how to bypass domains from authentication.