Question

ADFS Authentication for BYOD for SWG

  • December 13, 2025

I would like to get some clarification on a Netskope SWG + DLP deployment scenario.

We have established a firewall tunnel to the Netskope cloud and integrated ADFS for user authentication. Both corporate-managed devices and BYOD devices (phones and personal laptops) are connected to the same LAN and their traffic is forwarded to Netskope through the tunnel.

My question is regarding BYOD behavior:

  • When ADFS authentication is enabled, are BYOD devices expected to experience browsing or authentication issues?

  • How does Netskope handle user identification and authentication for non-domain-joined devices in this setup?

  • Are there recommended best practices for handling BYOD traffic when using ADFS with a firewall-based forwarding architecture?

Any guidance or real-world experience would be appreciated.

2 replies

notskope
  • New Member III
  • December 16, 2025


  • When ADFS authentication is enabled, are BYOD devices expected to experience browsing or authentication issues?

It depends if you are using SSL decryption or not. If you are decrypting SSL traffic through the tunnel your BYOD devices will not be able to browse HTTPS sites without SSL errors.

  • How does Netskope handle user identification and authentication for non-domain-joined devices in this setup?

Netskope does not care at all if your devices are AD joined when steering via an IPSEC/GRE tunnel. Authentication is done via SAML for both (unless bypassed) and uses IP or cookie caching (if you have enabled it).

  • Are there recommended best practices for handling BYOD traffic when using ADFS with a firewall-based forwarding architecture?

I don’t know of anything specific to ADFS, but:

Both corporate-managed devices and BYOD devices (phones and personal laptops) are connected to the same LAN and their traffic is forwarded to Netskope through the tunnel.

You should really not have managed and unmanaged devices on the same network. One reason being the above SSL decryption issues. Decrypt the traffic from managed devices and do not decrypt BYOD traffic.


  • Netskope Employee
  • January 5, 2026

Hi @bismarkky-78715a38

In a firewall‑tunneled SWG deployment, ADFS + BYOD is supported and BYOD should not inherently face browsing issues, as long as they can complete the ADFS web SSO flow.

How it works for non‑domain‑joined/BYOD devices

  • Netskope does not require the device to be domain‑joined.

  • Users on BYOD authenticate via ADFS (SAML) in the browser.

  • Netskope then builds an IP‑to‑user mapping, so subsequent traffic from that IP is tied to the authenticated user.

Issues typically appear only if ADFS or Netskope auth policies enforce requirements BYOD cannot meet (e.g., device certificates, AD join, or very aggressive re‑auth).

Recommended best practices

  • Where possible, place BYOD on a separate VLAN/subnet or public IP range, so you can apply different SWG/DLP policies to BYOD vs corporate devices.

  • Use an ADFS/SAML flow that works for unmanaged devices

  • Avoid very short session timeouts to prevent repeated prompts that look like “browsing issues.”

  • If allowed, consider Netskope Client on BYOD for stronger user/device binding than IP‑only mapping.

So BYOD can work cleanly with ADFS + firewall‑based SWG, provided IdP and auth policies are tuned for non‑domain‑joined devices.
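The reply above describes two mechanisms: an IP-to-user mapping filled after the ADFS/SAML web SSO, and a per-subnet policy split so BYOD traffic is not decrypted. The following is an added, simplified model of that decision logic written for this thread; it is not Netskope's code, and the subnets, session TTL and user names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subnets for a hypothetical site (not from the thread).
MANAGED_NETS = [ip_network("10.10.0.0/24")]   # corporate-managed devices
BYOD_NETS = [ip_network("10.20.0.0/24")]      # BYOD on its own VLAN/subnet


@dataclass
class Session:
    user: str
    expires_at: float


class TunnelIdentityPolicy:
    """Model of an SWG behind a firewall tunnel: identity comes from an
    IP-to-user cache populated after a successful SAML/ADFS web SSO, and
    the decrypt decision depends on the subnet the source IP belongs to."""

    def __init__(self, session_ttl_s: float):
        self.session_ttl_s = session_ttl_s
        self.ip_to_user: dict[str, Session] = {}

    def saml_completed(self, ip: str, user: str, now: float) -> None:
        # Called once the IdP (ADFS) returns a valid assertion for this IP.
        self.ip_to_user[ip] = Session(user, now + self.session_ttl_s)

    def ip_released(self, ip: str) -> None:
        # Drop the mapping on logoff / DHCP lease end so another device
        # that later receives the same IP does not inherit the identity.
        self.ip_to_user.pop(ip, None)

    def decide(self, ip: str, now: float) -> dict:
        addr = ip_address(ip)
        if any(addr in net for net in MANAGED_NETS):
            decrypt = True          # managed devices trust the SWG CA
        elif any(addr in net for net in BYOD_NETS):
            decrypt = False         # no trusted CA on BYOD: avoid TLS errors
        else:
            return {"action": "block", "reason": "unknown-source-net"}
        sess = self.ip_to_user.get(ip)
        if sess is None or sess.expires_at <= now:
            # No valid mapping: the user gets the ADFS/SAML login page.
            # A very short TTL makes this happen often ("browsing issues").
            self.ip_to_user.pop(ip, None)
            return {"action": "redirect-to-idp", "decrypt": decrypt}
        return {"action": "allow", "user": sess.user, "decrypt": decrypt}
```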