Enable IP Surrogates for User Authentication
You can add internal networks for your integrated SSO authentication IdP that connect on Registered Networks or Network Tunnels through the Secure Access Secure Web Gateway.
The connections on the internal networks bypass the SAML IP surrogate authentication challenge and revert to SAML with cookie surrogates. You should bypass IP surrogates for internal networks from IP surrogates where the IP address is shared by a number of users, such as a virtual desktop deployment. In these cases, where an IP address is shared, we recommend cookie surrogates because they associate the user's browser session to the identity. Internal networks must be defined for the IP address before you can add it to the IP surrogate bypass list.
Add an Internal Network to the IP Surrogate for Registered Networks and Network Tunnels in Network Tunnel Groups where the internal IP address is not visible or is shared by multiple users. Once added, the internal networks will bypass the SAML IP surrogate authentication challenge.
Before you begin
- Full Admin user role. For more information, see Manage Accounts.
- At least one configured user authentication IdP integration. For more information, see Add User Authentication Profiles.
- Internal private IP addresses are visible. IP surrogate needs to be able to see the internal private IPs.
- Proxy networks with XFF or network tunnels without NAT.
- In Secure Access, enable HTTPS inspection.
- Do not delete cookies at the end of a browser session, or browse in incognito mode.
Procedure
| 1 |
Navigate to Connect > Users and User Groups, and then click Configuration management. 
|
| 2 |
On the Advanced Settings tab, toggle on IP Surrogate. The Internal Network bypass option appears. 
|