Previously, SAML only supported cookie surrogate: after the user authenticated with their identity provider (IDP), a cookie was set in the user's browser, and subsequent requests from the same browser were attributed to the same user based on that cookie being visible.
SAML with IP surrogate offers an improved user experience and correctly identifies more of the user's traffic with fewer cookie incompatibility issues. After the user has authenticated with their IDP, the user's private IP address is used to identify additional requests from the same user. This approach has two main advantages:
- Once the user has authenticated, all traffic from the user's IP address is associated with the user, including browser and non-browser application traffic. In contrast, cookie surrogate can only add user identity to traffic from the user's browser.
- IP surrogate is less dependent on cookies and solves several issues commonly experienced when using SAML with cookie surrogates:
  - IP surrogates add identity to non-browser traffic based on the IP address.
  - IP surrogates do not break OCSP/certificate revocation checks, which do not support cookies.
  - IP surrogates do not break individual web requests that do not support cookies. Cookies are sometimes blocked for individual requests by the website's Content Security Policy; this restriction applies to many popular Content Delivery Networks.
  - IP surrogates add the identity and match the policy when the target domain/category has been bypassed from HTTPS decryption using Umbrella Selective Decryption. Note that HTTPS inspection is still required for the initial acquisition of the user's identity and for the regular identity rechecks, which depend on cookies.
For the above reasons, IP surrogate is now the default option when configuring SAML for the first time. IP surrogate requires that the user's private IP address be visible, which is the case when using tunnels without NAT or a proxy chain with an XFF header. Where the user's private IP address is not visible, or an IP address is shared by multiple users (Citrix, VDI environments, etc.), cookie surrogate is recommended. The SAML configuration allows a mix of IP surrogate and cookie surrogate within a single organization if required.
These prerequisites and further configuration details are covered in the Umbrella documentation.
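To make the trade-off concrete, here is an added Python model of the two surrogate types (illustration only, not Umbrella's code): a user is bound to a surrogate once the SAML assertion is validated, and later requests are attributed either by private IP (first XFF hop behind a proxy chain, otherwise the tunnel source) or by cookie. The store, cookie name, TTL, token format and IP addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SURROGATE_TTL = 8 * 3600          # constructed: seconds an identity stays bound after authentication
COOKIE_NAME = "saml_surrogate"    # constructed cookie name, not the product's real one

@dataclass
class Request:
    src_ip: str                    # source address the proxy sees (tunnel without NAT, or chained proxy)
    xff: Optional[str] = None      # X-Forwarded-For header added by an upstream proxy chain
    cookies: Dict[str, str] = field(default_factory=dict)
    decrypted: bool = True         # False when the destination is bypassed from HTTPS decryption

def client_ip(req: Request) -> str:
    """User's private IP: first hop of XFF behind a proxy chain, otherwise the tunnel source."""
    return req.xff.split(",")[0].strip() if req.xff else req.src_ip

class SurrogateStore:
    """Binds an authenticated user to a surrogate (IP or cookie) and resolves later requests."""
    def __init__(self, mode: str):
        assert mode in ("ip", "cookie")
        self.mode = mode
        self.bindings: Dict[str, Tuple[str, int]] = {}   # surrogate key -> (user, expiry)

    def on_saml_assertion(self, req: Request, user: str, now: int) -> Optional[str]:
        # Initial identity acquisition (and periodic rechecks) happen inside a decrypted browser session.
        if not req.decrypted:
            raise ValueError("identity acquisition requires HTTPS inspection")
        if self.mode == "ip":
            self.bindings[client_ip(req)] = (user, now + SURROGATE_TTL)
            return None
        token = f"tok-{user}"                  # constructed; real surrogate cookies are opaque random values
        self.bindings[token] = (user, now + SURROGATE_TTL)
        return token

    def identify(self, req: Request, now: int) -> Optional[str]:
        """Return the user a request is attributed to, or None if no usable surrogate is present."""
        if self.mode == "ip":
            key = client_ip(req)               # works for non-browser traffic and undecrypted HTTPS alike
        elif not req.decrypted:
            return None                        # the cookie is inside TLS the proxy cannot see
        else:
            key = req.cookies.get(COOKIE_NAME) # absent for OCSP, CSP-restricted and non-browser requests
        entry = self.bindings.get(key)
        return entry[0] if entry and entry[1] > now else None
```

In IP mode every request from the bound address resolves to the authenticated user, including a second person's traffic from a shared VDI address, which is the misattribution that makes cookie surrogate the recommended choice there.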