Cisco Web Security Appliance S360 Troubleshooting Guide

Users Prompted for Authentication When SaaS with Identity Provider Initiated Flows and NTLM
Document ID: 118275
Contributed by David Paschich and Siddharth Rajpathak, Cisco TAC Engineers.
Aug 12, 2014
Contents
Question
Environment
Symptoms
Workaround 1
Workaround 2
Question
Why are users prompted for authentication when using SaaS with identity provider-initiated flows and NTLM?
Environment
• Cisco Web Security Appliance (WSA) running AsyncOS versions 7.0 or later
• NTLM used for transparent authentication
• SaaS Access Control configured using identity provider-initiated flow
• SaaS SSO configured
I have SaaS Access Control configured with my external application, using the identity provider-initiated flow and SAML for single sign-on. I am also using NTLM to transparently authenticate my users. However, how can I prevent them from seeing this prompt?
Symptoms
• When users click on their bookmark for the SaaS SSO URL, they sometimes see the authentication prompts.
• Access works fine if the users access another external website and then click the SaaS SSO URL bookmark.
This problem occurs because the first request the WSA sees from the client is to the special SSO URL, which is served directly from the WSA.
Content served directly from the WSA, such as EUN pages or PAC files, is normally exempt from authentication. The SaaS feature can read the authentication surrogates that the proxy maintains, but it cannot itself request authentication by any method other than form-based authentication (NTLM or LDAP). So the observed behavior is by design, although it is not an optimal solution.
Defect CSCzv55859 is filed to track this problem and to provide a better mechanism to address this issue.
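To make the ordering dependency concrete, the following is a small added simulation of the behavior described above; it is a constructed illustration, not WSA code, and the SSO path, client IP and user name are assumed placeholders:

```python
"""Constructed model of the request ordering described above; not WSA code."""
from dataclasses import dataclass, field

# Assumed placeholder for the deployment-specific SaaS SSO URL path.
SSO_PATH = "/saas/sso"
# Other content the WSA serves itself (EUN pages, PAC files): exempt from auth.
WSA_SERVED_PATHS = {SSO_PATH, "/eun", "/proxy.pac"}


@dataclass
class Wsa:
    """Minimal stand-in for the proxy's authentication state."""
    # client IP -> user who passed NTLM (the surrogate the text refers to)
    surrogates: dict = field(default_factory=dict)
    # constructed: clients that would succeed at transparent NTLM
    ntlm_clients: dict = field(default_factory=dict)

    def handle(self, client_ip: str, url: str) -> str:
        """Outcome of one request: 'forwarded', 'served', 'sso-ok:<user>' or 'prompt'."""
        if url == SSO_PATH:
            # SaaS SSO can read an existing surrogate but cannot trigger NTLM itself,
            # so with no surrogate the user gets the form-based prompt.
            user = self.surrogates.get(client_ip)
            return f"sso-ok:{user}" if user else "prompt"
        if url in WSA_SERVED_PATHS:
            return "served"  # EUN page / PAC file: no authentication involved
        # Ordinary external request: transparent NTLM runs and stores a surrogate.
        user = self.ntlm_clients.get(client_ip)
        if user is None:
            return "prompt"
        self.surrogates[client_ip] = user
        return "forwarded"


def simulate(urls, client_ip="10.0.0.5", user="alice"):
    """Replay a sequence of requests from one client and return each outcome."""
    wsa = Wsa(ntlm_clients={client_ip: user})
    return [wsa.handle(client_ip, u) for u in urls]


if __name__ == "__main__":
    # Bookmark clicked first: prompt, because no surrogate exists yet.
    print(simulate([SSO_PATH]))
    # Any external site first: NTLM runs, surrogate stored, SSO succeeds.
    print(simulate(["http://example.com/", SSO_PATH]))
```

The third scenario in the test below also shows that fetching other WSA-served content, such as the PAC file, does not create a surrogate either.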
There are two workarounds available.