Manage IP Surrogates for SSO Authentication

The Cisco Secure Access Secure Web Gateway (SWG) uses a cookie surrogate for Security Assertion Markup Language (SAML) authentication. Secure Access checks if a cookie is set in the HTTPS request. If the cookie surrogate is not set in the HTTP header, then Secure Access can not authenticate the user's connections to secure internet destinations.

We recommend using IP surrogates when the user's private IP address is visible, when your network tunnels don't use NAT, or when your networks incorporate a Proxy Chain with the X-Forwarded-For (XFF) request header. If the user’s private IP address or an IP address is shared by multiple users, then we recommend using cookie surrogates. You can bypass IP surrogates for the internal networks that you add to an SSO authentication identity provider (IdP) integration.

Table of Contents

Prerequisites

  • Full Admin user role. For more information, see Manage Accounts.
  • At least one configured user authentication IdP integration. For more information, see Add User Authentication Integrations.
  • Internal private IP addresses are visible. IP surrogate needs to be able to see the internal private IPs.
  • Proxy networks with XFF or network tunnels without NAT.
  • In Secure Access, enable HTTPS inspection.
  • We do not recommend that you delete cookies at the end of a browser session, or browse in incognito mode.

HTTPS Inspection

Before redirecting a web request to an IdP, Secure Access uses HTTPS inspection to determine if a request is from a browser that supports cookies. Secure Access can establish the identity of a user through the browser cookies and map the user to an IP address. For subsequent requests, Secure Access uses the IP address as a surrogate for the user. Secure Access periodically inspects the cookies in a browser request to ensure the user is mapped to the correct IP address.

Secure Access checks to determine if an IP address has been reassigned; only requests from browsers are checked. This check is affected when browsing in incognito mode or deleting cookies from a browsing session and will require the user to re-authenticate. If the user has not browsed for over 12 hours since the last identity check, the IP is discarded from user to IP mapping until the user re-authenticates. After this, the policy will match either a tunnel or network identity.

Procedure

Enable IP Surrogates for User Authentication IdP

You can add internal networks for your integrated SSO authentication IdP that connect on Registered Networks or Network Tunnels through the Secure Access Secure Web Gateway.

The connections on the internal networks bypass the SAML IP surrogate authentication challenge and revert to SAML with cookie surrogates. You should bypass IP surrogates for internal networks from IP surrogates where the IP address is shared by a number of users, such as a virtual desktop deployment. In these cases, where an IP address is shared, we recommend cookie surrogates because they associate the user's browser session to the identity. Internal networks must be defined for the IP address before you can add it to the IP surrogate bypass list.

Add an Internal Network to the IP Surrogate for Registered Networks and Network Tunnels in Network Tunnel Groups where the internal IP address is not visible or is shared by multiple users. Once added, the internal networks will bypass the SAML IP surrogate authentication challenge.

  1. Navigate to Connect > Users and User Groups, and then click Configuration Management.

  2. Navigate to SSO authentication, and then expand an integrated SSO authentication IdP.

  3. Click Edit to modify the SSO authentication IdP.

  4. Enable IP Surrogate.

    The Internal Network bypass option appears.

Add Internal Networks for Bypass

After you enable IP Surrogate, add internal networks. The user connections on internal networks bypass the SAML IP surrogate authentication challenge for traffic to the Secure Access Secure Web Gateway.

  1. Navigate to Connect > Users and User Groups, and then click Configuration Management.
  2. Navigate to SSO authentication, and then expand an integrated SSO authentication IdP.
  3. Click Edit to modify the SSO authentication IdP.
    Confirm that you enabled the IP Surrogate option for the SAML IdP integration.
  4. Click Internal Network bypass.
    Select the internal networks that are associated with Registered Networks and Network Tunnels in Network Tunnel Groups.
  5. Expand Network.
    a. Expand a specific Network, and then select the internal networks for the Registered Networks.
    b. Click Apply.
  1. Expand Network Tunnel Groups.
    a. Expand a specific Network Tunnel Group, and then select the internal networks for the Network Tunnels in the Network Tunnel Groups.
    b. Click Apply.

Delete Internal Networks for Bypass

  1. Navigate to Connect > Users and User Groups, and then click Configuration Management.
  2. Navigate to SSO authentication, and then expand an integrated SSO authentication IdP.
  3. Click Edit to modify the SSO authentication IdP.
    Confirm that you enabled the IP Surrogate option for the SAML IdP integration.
  4. Click Internal Network bypass.
    Select the internal networks that are associated with the Registered Networks and Network Tunnels in Network Tunnel Groups.
  5. Expand Network.
    a. Expand a specific Network, and then remove the internal networks for the Registered Networks.
    b. Click Apply.
  1. Expand Network Tunnel Groups.
    a. Expand a specific Network Tunnel Group, and then remove the internal networks for the Network Tunnels in the Network Tunnel Groups.
    b. Click Apply.


Add User Authentication Integrations < Manage IP Surrogates for SSO Authentication > Delete User Authentication Integration