does the connection require a client certificate installed in the application? It sounds like this is the case. If SSL Inspection needs to be done here, we need the client certificate on the Web Gateway to be able to inspect the connection.
In this case the vendor will give you the certificate and you need to import it on the Web Gateway, which is a typical setup we already did a couple of times. Given that my understanding of the client certificate is correct.
If a 3rd party certificate is allowed to be installed onto the proxy to allow authentication with the application with a certificate (sitting inside the network), what is the risk and impact with this arrangement (since the proxy will now have the certificate and be able to communicate/authenticate to the vendor SaaS Application server)? If there is no risk, can we bypass SSL Scanning for the 3rd party domain inside our proxies?
I don't see any risk installing the third party certificate on the Web Gateway. It is a client certificate that exists on the client machine anyway and from a security perspective I think certificates are better secured on infrastructure machines (Proxy Server) rather than on the endpoint.
The only difference is that the Web Gateway is now able to take a look into the traffic that is passed to this specific SaaS application (the certificate is not valid or usable for anything else). Doing SSL inspection allows you to scan within the encrypted communication, but certainly the traffic is touched by the proxy; in case there is any incompatibility with the application this may lead to problems (same risk as with other applications that are used on the Internet).
It is up to you or some decision maker within your company. If you think there might be malicious or confidential data being sent to or received from that application it would make sense to inspect the traffic. If you trust the vendor you can bypass the application from SSL inspection.
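Two points from the answers above can be checked in code rather than taken on faith: that the gateway can only inspect the SaaS traffic if it holds the client certificate the application demands, and that a certificate issued purely for client authentication is not usable for anything else. The Go program below is an added example, not code from this thread or from the Web Gateway product. It builds a throwaway vendor CA, a server certificate and a clientAuth-only client certificate in memory (the hostname `saas.example`, the subject names and the serial numbers are constructed), verifies the usage restriction with the standard library's chain verifier, and then runs a mutual-TLS handshake over an in-memory pipe once with and once without the client certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI holds a constructed vendor CA, the SaaS server certificate and the client
// certificate the vendor would hand out for import on the gateway. All of it is
// generated in memory; none of it is real vendor material.
type PKI struct {
	Pool   *x509.CertPool
	Server tls.Certificate
	Client tls.Certificate
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert signs tmpl with parentKey, or self-signs when parentKey is nil.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parentKey == nil {
		parentKey, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}

// BuildPKI issues the three certificates. The client certificate carries only the
// clientAuth extended key usage, as a certificate meant solely for authenticating
// to one SaaS application should.
func BuildPKI() *PKI {
	notBefore, notAfter := time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	tmpl := func(serial int64, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notAfter,
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		}
	}
	caTmpl := tmpl(1, "Example Vendor CA") // constructed CA, no EKU restriction
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, caKey := newCert(caTmpl, nil, nil)
	serverTmpl := tmpl(2, "saas.example", x509.ExtKeyUsageServerAuth)
	serverTmpl.DNSNames = []string{"saas.example"} // constructed hostname for the SaaS endpoint
	server, _ := newCert(serverTmpl, ca.Leaf, caKey)
	client, _ := newCert(tmpl(3, "customer-gateway", x509.ExtKeyUsageClientAuth), ca.Leaf, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &PKI{Pool: pool, Server: server, Client: client}
}

// ClientAuthOnly reports whether cert chains to the vendor CA for TLS client
// authentication but is rejected for server authentication, i.e. a copy of it
// taken from the gateway could not be used to impersonate a TLS server.
func ClientAuthOnly(cert *x509.Certificate, pool *x509.CertPool) bool {
	_, asClient := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	_, asServer := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return asClient == nil && asServer != nil
}

// Handshake runs a mutual-TLS handshake over an in-memory pipe between a SaaS
// server that requires the client certificate and a client that either presents
// it (a gateway holding the imported certificate) or does not.
func Handshake(p *PKI, presentClientCert bool) error {
	cliConn, srvConn := net.Pipe()
	defer cliConn.Close()
	defer srvConn.Close()
	deadline := time.Now().Add(3 * time.Second) // guard against a stalled handshake
	cliConn.SetDeadline(deadline)
	srvConn.SetDeadline(deadline)
	// TLS 1.2 is pinned because the server then checks the client certificate before
	// its Finished message, so a missing certificate fails the client's Handshake().
	srvCfg := &tls.Config{Certificates: []tls.Certificate{p.Server}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: p.Pool, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: p.Pool, ServerName: "saas.example", MinVersion: tls.VersionTLS12}
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{p.Client}
	}
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, srvCfg).Handshake() }()
	if err := tls.Client(cliConn, cliCfg).Handshake(); err != nil {
		return fmt.Errorf("client: %w", err)
	}
	if err := <-srvErr; err != nil {
		return fmt.Errorf("server: %w", err)
	}
	return nil
}

func main() {
	p := BuildPKI()
	fmt.Println("client certificate is clientAuth-only:", ClientAuthOnly(p.Client.Leaf, p.Pool))
	fmt.Println("with certificate:", Handshake(p, true), "| without certificate:", Handshake(p, false))
}
```

Without the client certificate the server aborts the handshake with a bad-certificate alert, which is exactly the position an inspecting gateway is in if the vendor certificate is not imported: it cannot complete the TLS session to the SaaS endpoint on the client's behalf, so it can neither inspect nor relay the traffic. The `ClientAuthOnly` check is the part worth repeating against the real vendor-issued certificate before importing it; the equivalent manual check is `openssl x509 -in cert.pem -noout -ext extendedKeyUsage`, which should list only TLS Web Client Authentication.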