
How HTTPS Inspection Works

Before redirecting a web request to an IdP, Secure Access uses HTTPS inspection to determine if a request is from a browser that supports cookies. Secure Access can establish the identity of a user through the browser cookies and map the user to an IP address. For subsequent requests, Secure Access uses the IP address as a surrogate for the user. Secure Access periodically inspects the cookies in a browser request to ensure the user is mapped to the correct IP address.

Secure Access checks whether an IP address has been reassigned; only requests from browsers are checked. Browsing in incognito mode or deleting cookies from a browsing session affects this check and requires the user to re-authenticate. If the user has not browsed for over 12 hours since the last identity check, the IP address is removed from the user-to-IP mapping until the user re-authenticates. After this, the policy will match either a tunnel or network identity.

Note: When Active Directory IdP users authenticate with a browser installed on a dual-stack IPv4/IPv6 device, the IP Surrogates feature will not automatically map both addresses to the user. The user must authenticate twice to map both the IPv4 address and the IPv6 address as user surrogates. Re-authentication is also enforced separately for each address.
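
The surrogate behavior described above, as a small Python model added here for illustration (it is not Cisco's code). The class, method and status names and the `net:branch` fallback identity are hypothetical, and the addresses and times are constructed. It shows that between cookie checks a request is attributed by source IP alone, that IPv4 and IPv6 addresses are mapped independently, and that a mapping older than 12 hours falls back to the tunnel or network identity.

```python
# Illustrative model only, not Cisco Secure Access code. Class and method names
# are hypothetical; the 12-hour limit is the value stated on this page.
from datetime import datetime, timedelta
from ipaddress import ip_address

IDLE_LIMIT = timedelta(hours=12)

class SurrogateTable:
    def __init__(self):
        self._map = {}  # parsed IP -> (user, time of last identity check)

    def cookie_check(self, ip, cookie_user, now):
        """Identity check on a browser request. cookie_user is None when the
        browser presents no identity cookie (incognito, cookies deleted)."""
        key = ip_address(ip)
        previous = self._map.get(key)
        if cookie_user is None:
            self._map.pop(key, None)  # assumption: unverified entry is dropped
            return "reauthenticate"
        self._map[key] = (cookie_user, now)
        if previous and previous[0] != cookie_user:
            return "remapped"  # address now belongs to a different user
        return "ok"

    def identify(self, ip, now, fallback):
        """Resolve a request by source IP; fallback is the tunnel or network identity."""
        key = ip_address(ip)
        entry = self._map.get(key)
        if entry is None:
            return fallback
        user, last_check = entry
        if now - last_check > IDLE_LIMIT:
            del self._map[key]  # stale surrogate: discard until re-authentication
            return fallback
        return user

def demo():
    t0 = datetime(2024, 1, 1, 8, 0)  # constructed sample data throughout
    table = SurrogateTable()
    table.cookie_check("192.0.2.10", "alice", t0)
    return [
        table.identify("192.0.2.10", t0 + timedelta(hours=1), "net:branch"),
        table.identify("2001:db8::10", t0 + timedelta(hours=1), "net:branch"),
        table.cookie_check("192.0.2.10", "bob", t0 + timedelta(hours=2)),
        table.identify("192.0.2.10", t0 + timedelta(hours=15), "net:branch"),
        table.cookie_check("192.0.2.10", None, t0 + timedelta(hours=16)),
    ]
```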