Articles in this section

See more

SAML Identity not applied for Secure Web Gateway Traffic

Avatar
Tom Allen
  • Updated
Follow

SAML Identity not applied for ANY web traffic

 

 If the SAML identity is not applied for ANY web traffic, please consult the Umbrella documentation to ensure the setup has been completed correctly.  The following configuration items must be completed.

  • IdP settings configured and tested in 'Deployments > SAML Configuration'
  • List of users/groups provisioned in 'Deployments > Web Users and Groups'
  • SAML must be enabled in the relevant policy* in 'Policies > Web Policies'. 
  • HTTPS Decryption must be enabled in the relevant policy in 'Policies > Web Policies'
 

* Enabling SAML in Web Policies:

SAML and HTTPS Decryption must be enabled in the policy that applies to the relevant Network, Tunnel, or AnyConnect client.  These features apply before a user has been identified, so the important policy is the one applied to the "connection method".

SAML policies should be ordered as follows:

  1. 1) HIGHER Priority - Policy applies to Users/Groups.  This policy decides the content/security settings for the authenticated users.
    2) LOWER Priority - Policy applies to Network/Tunnel/AnyConnect.  This policy has SAML enabled and triggers the initial authentication.
 

 

SAML Identity not applied for specific web traffic

 

 It is important to remember that even in normal circumstances it is not expected for every web request to be associated with a user.  SAML requires that the browser supports cookies and is able to be redirected to our SAML gateway service.  This is not possible in all scenarios.

SAML is not apllied in the following circumstances and the default policy assigned to the Network/Tunnel/AnyConnect identity is used instead:

  • Non-Web browser traffic
  • Web Browsers with cookies disabled or IE Enhanced Security Configuration
  • OCSP/Certificate Revocation checks which do not support cookies
  • JS / CSS files are not subject to SAML authentication.
  • Individual web requests which do not support cookies. In some cases cookies are blocked for individual requests due to the Content Security Policy of the website.  This restriction applies to many popular Content Delivery Networks.
  • When the target domain/category has been bypassed from HTTPS Decryption using an Umbrella Selective Decryption** list.
 

** Selective Decryption Warning:

Selective Decryption should be used sparingly when SAML is enabled.  Bypassing a large number of popular domains/categories from decryption will cause inconsistent policy application.  Only bypass the domains/categories which cannot be decrypted for privacy or compatibility reasons.

 
Due to these restrictions, it is important to configure an appropriate minimum level of access in the relevant Network/Tunnel/AnyConnect policy.  The default policy should allow business critical applications/domains/categories and Content Delivery Networks.

Related articles

Comments

0 comments

Please sign in to leave a comment.