
Prerequisites

To configure SAML integration, the following requirements must be met.

  • id.swg.umbrellagov.com must be sent to Umbrella and not sent directly to the internet.
  • SAML metadata must have a signing key.
  • If you are using an on-premises identity provider (IdP) such as ADFS, ensure that traffic to the IdP bypasses the proxy to avoid an authentication loop.
  • Configure SAML with an identity provider (IdP) that supports SAML 2.0 POST profiles.
  • Download your IdP's metadata file in XML format.
  • Enable cookies for your browser.
  • Enable SAML and HTTPS inspection on a Ruleset that includes the Network identities from which the user traffic arrives.
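Two of the prerequisites above can be checked mechanically against the downloaded IdP metadata file: that it carries a signing key, and that the IdP advertises a SAML 2.0 HTTP-POST single sign-on endpoint. The following Python script is an added example, not Umbrella's own code or tooling; it uses only the standard SAML metadata and XML Signature namespaces, and the sample metadata embedded in it is constructed (the entity ID, endpoint and certificate body are placeholders, not real values).

```python
import xml.etree.ElementTree as ET

# Standard namespaces used by SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata. The entityID, Location and certificate
# text are placeholders; a real metadata file is downloaded from the IdP.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Return a list of problems found in the IdP metadata.

    An empty list means both prerequisites are satisfied: at least one
    signing certificate is present and an HTTP-POST SSO endpoint exists.
    """
    problems = []
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor element: this is not IdP metadata"]

    # A KeyDescriptor with no 'use' attribute is valid for both signing
    # and encryption, so it counts as a signing key as well.
    signing_certs = [
        kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
    ]
    if not any(c is not None and (c.text or "").strip() for c in signing_certs):
        problems.append("no signing certificate (KeyDescriptor use='signing')")

    bindings = [sso.get("Binding") for sso in idp.findall("md:SingleSignOnService", NS)]
    if HTTP_POST not in bindings:
        problems.append("no SingleSignOnService with the HTTP-POST binding")
    return problems


if __name__ == "__main__":
    found = check_idp_metadata(SAMPLE_METADATA)
    print("metadata OK" if not found else "problems: " + "; ".join(found))
```

To check a real file, read it into a string and pass it to check_idp_metadata; the script does not validate the certificate itself, only that a signing key and a POST endpoint are declared.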

This Ruleset will initially match, which causes the SAML challenge to be initiated. Once the user identity has been obtained, the policy is re-evaluated top down, this time with the user and group identities included, and the first Ruleset that matches on those identities is applied. Typically, there are two approaches to creating a policy that includes users and groups:

Example 1

  1. Ruleset with user and group identities
     • Rules based on user/group identities
  2. Ruleset with Network identities (HTTPS and SAML enabled)
     • Rules based on Network identities

Example 2

  1. Ruleset with Network and User/Group identities (HTTPS and SAML enabled)
     • Rules based on user/group identities
     • Rules based on Network identities

In both examples, the Ruleset with the Network identities matches first. The SAML challenge is sent, the user identities are obtained, and the policy is re-evaluated with the additional user/group identities. The first Ruleset to match, top down, is the one applied.
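The two-pass evaluation described above, and the reason Ruleset order matters in Example 1, can be seen in a small model. The Python below is an added example written for this page; it is not Umbrella's policy engine and does not reproduce its matching rules. It assumes a simplified policy in which a Ruleset or rule matches when any of its identities appears in the request, and it stands in for the IdP with a constructed function that returns a fixed set of user and group identities after the SAML challenge.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    network_ids: FrozenSet[str] = frozenset()  # Network identities the rule matches
    user_ids: FrozenSet[str] = frozenset()     # user/group identities the rule matches

    def matches(self, networks, users):
        return bool(self.network_ids & networks) or bool(self.user_ids & users)


@dataclass(frozen=True)
class Ruleset:
    name: str
    network_ids: FrozenSet[str] = frozenset()
    user_ids: FrozenSet[str] = frozenset()
    saml: bool = False              # HTTPS inspection and SAML enabled on this Ruleset
    rules: Tuple[Rule, ...] = ()

    def matches(self, networks, users):
        return bool(self.network_ids & networks) or bool(self.user_ids & users)


def first_match(items, networks, users):
    """Top-down evaluation: return the first item whose identities match."""
    for item in items:
        if item.matches(networks, users):
            return item
    return None


def evaluate(policy: Sequence[Ruleset], network: str,
             idp_assertion: Callable[[], FrozenSet[str]]):
    """Model of the two-pass evaluation.

    Pass 1 sees only the Network identity. If the matching Ruleset has SAML
    enabled, the challenge runs and pass 2 re-evaluates the whole policy
    top down with the asserted user/group identities added.
    Returns (ruleset name, rule name, whether a SAML challenge happened).
    """
    networks = frozenset({network})
    identities: FrozenSet[str] = frozenset()
    challenged = False
    ruleset = first_match(policy, networks, identities)
    if ruleset is not None and ruleset.saml:
        challenged = True
        identities = idp_assertion()
        ruleset = first_match(policy, networks, identities)
    if ruleset is None:
        return (None, None, challenged)
    rule = first_match(ruleset.rules, networks, identities)
    return (ruleset.name, rule.name if rule else None, challenged)


def constructed_idp_assertion() -> FrozenSet[str]:
    # Constructed stand-in for the identities the IdP asserts after the challenge.
    return frozenset({"user:alice", "group:finance"})


FINANCE_RULE = Rule("finance-rule", user_ids=frozenset({"group:finance"}))
HQ_RULE = Rule("hq-rule", network_ids=frozenset({"net:hq"}))

# Example 1: a user/group Ruleset above a Network Ruleset with SAML enabled.
EXAMPLE_1 = [
    Ruleset("users-and-groups", user_ids=frozenset({"group:finance"}), rules=(FINANCE_RULE,)),
    Ruleset("network", network_ids=frozenset({"net:hq"}), saml=True, rules=(HQ_RULE,)),
]

# Example 2: one Ruleset with both identity types, user/group rules first.
EXAMPLE_2 = [
    Ruleset("network-and-users", network_ids=frozenset({"net:hq"}),
            user_ids=frozenset({"group:finance"}), saml=True,
            rules=(FINANCE_RULE, HQ_RULE)),
]

# Example 1 with the Rulesets reversed: the Network Ruleset now also wins pass 2.
WRONG_ORDER = list(reversed(EXAMPLE_1))


if __name__ == "__main__":
    for label, policy in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2),
                          ("wrong order", WRONG_ORDER)):
        print(label, evaluate(policy, "net:hq", constructed_idp_assertion))
```

In the reversed policy the Network Ruleset still matches first on the second pass, so the user/group Ruleset is never reached even though the SAML challenge succeeded; that is why Example 1 places the user/group Ruleset above the Network Ruleset.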
