Articles in this section

See more

SAML Identity not applied for Secure Web Gateway Traffic

Avatar
Tom Allen
  • Updated
Follow

 

SAML Identity not applied for ANY web traffic

 

 If the SAML identity is not applied for ANY web traffic, please consult the Umbrella documentation to ensure the setup has been completed correctly.  The following configuration items must be completed.

  • IdP settings configured and tested in 'Deployments > SAML Configuration'
  • List of users/groups provisioned in 'Deployments > Web Users and Groups'
  • SAML must be enabled in the relevant policy* in 'Policies > Web Policies'. 
  • HTTPS Decryption must be enabled in the relevant policy in 'Policies > Web Policies'
 

* Enabling SAML in Web Policies:

SAML and HTTPS Decryption must be enabled in the policy that applies to the relevant Network or Tunnel identity.  These features apply before a user has been identified, so the important policy is the one applied to the "connection method".

SAML policies should be ordered as follows:

  1. 1) HIGHER Priority - Policy applies to Users/Groups.  This policy decides the content/security settings for the authenticated users.
    2) LOWER Priority - Policy applies to Network/Tunnel.  This policy has SAML enabled and triggers the initial authentication.
 

 

SAML Identity not applied for specific web traffic

 

 

IP Surrogates

To improve consistency of user identification we recommend to enable the new IP Surrogates feature.  This feature is enabled automatically for all new Umbrella SAML customers but will need to be manually enabled for existing Umbrella customers.

IP surrogates uses a cache of Internal IP > Username information which means SAML identification can be applied to all types of requests: even non-web browser traffic, traffic which does not support cookies, and traffic not subject to SSL Decryption.

Please note that IP surrogates has the following requirements:

  • Internal IP visibility must be provided by using an Umbrella Network Tunnel or Proxy-Chain deployment and X-Forwarded-For headers.  This does not work with Umbrella's hosted PAC file
  • IP surrogates cannot be used in shared IP address scenarios (Terminal Servers, Fast User Switching)
  • Cookies must be enabled in the browser.  Cookies are still required for the initial authentication.

 

 

SAML (IP Surrogates Disabled)

With IP surrogates disabled, cookie support is required for every request in order to track the user.  Unfortunately this means it is not expected for every web request to be associated with a user.  SAML requires that the browser supports cookies and is able to be redirected to our SAML gateway service.  

SAML is not applied in the following circumstances and the default policy assigned to the Network/Tunnel identity is used instead:

  • Non-Web browser traffic
  • Web Browsers with cookies disabled or IE Enhanced Security Configuration
  • OCSP/Certificate Revocation checks which do not support cookies
  • Individual web requests which do not support cookies. In some cases cookies are blocked for individual requests due to the Content Security Policy of the website.  This restriction applies to many popular Content Delivery Networks.
  • When the target domain/category has been bypassed from HTTPS Decryption using an Umbrella Selective Decryption** list.
 

** Selective Decryption Warning:

Selective Decryption should be used sparingly when SAML is enabled.  Bypassing a large number of popular domains/categories from decryption will cause inconsistent policy application.  Only bypass the domains/categories which cannot be decrypted for privacy or compatibility reasons.

 
Due to these restrictions, it is important to configure an appropriate minimum level of access in the relevant Network/Tunnel policy.  The default policy should allow business critical applications/domains/categories and Content Delivery Networks.  Alternatively, use IP Surrogates.

Related articles

Comments

0 comments

Please sign in to leave a comment.