SAML Identity not applied for ANY web traffic
If the SAML identity is not applied for ANY web traffic, consult the Umbrella documentation to ensure the setup has been completed correctly. The following configuration items must be completed:
- IdP settings configured and tested in 'Deployments > SAML Configuration'
- List of users/groups provisioned in 'Deployments > Web Users and Groups'
- SAML must be enabled in the relevant policy* in 'Policies > Web Policies'.
- HTTPS Decryption must be enabled in the relevant policy in 'Policies > Web Policies'
SAML Identity not applied for specific web traffic
It is important to remember that even in normal circumstances it is not expected for every web request to be associated with a user. SAML requires that the browser supports cookies and is able to be redirected to our SAML gateway service. This is not possible in all scenarios.
SAML is not applied in the following circumstances, and the default policy assigned to the Network/Tunnel/AnyConnect identity is used instead:
- Non-Web browser traffic
- Web Browsers with cookies disabled or IE Enhanced Security Configuration
- OCSP/Certificate Revocation checks which do not support cookies
- Requests for JS / CSS files, which are not subject to SAML authentication
- Individual web requests which do not support cookies. In some cases cookies are blocked for individual requests due to the Content Security Policy of the website. This restriction applies to many popular Content Delivery Networks.
- When the target domain/category has been bypassed from HTTPS Decryption using an Umbrella Selective Decryption** list.
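When reviewing requests that were logged without a user, it helps to separate the ones covered by the list above from the ones that still need investigation. The following is an added example, not Umbrella code or an Umbrella export format: the record field names, the "Mozilla/" browser heuristic and the subdomain matching for bypassed domains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: a "Mozilla/" User-Agent marks a web browser,
# and a bypass entry covers the domain itself plus its subdomains.
BROWSER_MARKER = "Mozilla/"
OCSP_TYPES = ("application/ocsp-request", "application/ocsp-response")
STATIC_EXTENSIONS = (".js", ".css")

def in_bypass_list(host, bypass_domains):
    """Match on label boundaries so 'notexample.org' does not hit 'example.org'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bypass_domains)

def expected_reason(record, bypass_domains):
    """Return why a request is expected to lack SAML identity, or None."""
    url = urlsplit(record["url"])
    if in_bypass_list(url.hostname or "", bypass_domains):
        return "bypassed from HTTPS decryption"
    if record.get("content_type", "").lower() in OCSP_TYPES:
        return "OCSP/revocation check"
    if BROWSER_MARKER not in record.get("user_agent", ""):
        return "non-browser traffic"
    if url.path.lower().endswith(STATIC_EXTENSIONS):
        return "JS/CSS file"
    # Disabled or CSP-blocked cookies are not visible in these fields,
    # so anything left over still needs a manual look.
    return None

def triage(records, bypass_domains):
    """Map each request without a user identity to a reason (None = investigate)."""
    return {r["url"]: expected_reason(r, bypass_domains)
            for r in records if not r.get("user")}

# Constructed sample records; field names are hypothetical, not an Umbrella export format.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE = [
    {"url": "https://app.example.com/dashboard", "user_agent": BROWSER_UA, "content_type": "text/html", "user": ""},
    {"url": "http://ocsp.example-ca.test/", "user_agent": "Microsoft-CryptoAPI/10.0", "content_type": "application/ocsp-response", "user": ""},
    {"url": "https://cdn.example.net/lib/app.min.js", "user_agent": BROWSER_UA, "content_type": "text/javascript", "user": ""},
    {"url": "https://bank.example.org/login", "user_agent": BROWSER_UA, "content_type": "text/html", "user": ""},
    {"url": "https://updates.example.com/agent", "user_agent": "curl/8.5.0", "content_type": "application/json", "user": ""},
    {"url": "https://intranet.example.com/", "user_agent": BROWSER_UA, "content_type": "text/html", "user": "alice@example.com"},
]
SAMPLE_BYPASS = {"example.org"}

if __name__ == "__main__":
    for url, reason in triage(SAMPLE, SAMPLE_BYPASS).items():
        print(f"{url}: {reason or 'INVESTIGATE'}")
```

Requests that come back with no reason are the ones worth checking against the policy and browser settings described above.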