Per-User Identification and Policy Enforcement Challenges in Secure Web Gateway (SWG) for Shared-Computer Environments with SAML Authentication and PAC-Based Traffic Forwarding

Available Languages

Download Options

  • PDF     (4.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (97.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (80.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 19, 2026
Document ID:225505

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Issue

In Cisco Secure Web Gateway (SWG) deployments utilizing Secure Access with SAML authentication and PAC-based or Branch to Internet traffic forwarding, only the first user logged into a shared computer is correctly identified for web traffic and policy enforcement. Upon switching users, subsequent web traffic continues to be attributed to the initial user, even when the IP Surrogate option is disabled and a PAC file is used. DNS queries reflect the correct active user via Umbrella Virtual Appliance, but web and firewall logs persistently map activity to the previous user. The request is to determine if SWG supports per-user identification and policy enforcement in shared-computer environments and how to ensure correct user mapping.

Environment

  • Virtual Appliance for DNS resolution.
  • SAML authentication for user identity.
  • Mix of traffic forwarding with PAC and without PAC files.
  • IP surrogate option enabled, with specific subnets and hosts bypassed for cookie surrogate.
  • On-Prem devices; no remote endpoints or users.

Resolution

The issue was resolved by user education and configuration guidance with these points in mind:

  • Use Cookie Surrogate identification with PAC files. The traffic can route into or out of a network tunnel.
  • Use Cookie Surrogate identification without PAC files, but the traffic has to route through a network tunnel.
  • The access policy that you wish to enforce cookie surrogate must have SAML authentication enabled in the security profile.
  • Cookie surrogate traffic is for browser-based traffic only. A separate rule is needed to identify non-cookie traffic from the machine (for example, Teams or Webex traffic) with the source identity as the network.
  • The SWG module must not in-use for cookie surrogate to work.
  • When IP surrogate is also enabled, you must add the private IP addresses/subnets that intend to use cookie surrogate in the bypass list (Users and Groups - Configuration Management - Advanced Settings).
  • The bypass list for cookie surrogate also matches shorter prefixes. For example, if you add 10.10.10.0/24 into the bypass list, and you also have a defined network as 10.10.10.5/32, you must also select the shortest prefix.
  • The cookie surrogate supports user switching from a machine without having to log out to retain multiple identities.

A lot of the troubleshooting has been policy testing and activity search.

Cause

The root cause of incorrect user identification in shared-computer environments is primarily due to user education.

Related Content

Revision History

Revision Publish Date Comments
1.0
11-Mar-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Amit Arora
    Technical Consulting Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco