Websites or applications fail to complete SAML authentication


Article ID: 167370

Products

Web Security Service - WSS

Issue/Introduction

SAML authentication is enabled under your Web Security Service (WSS) account.

Some websites or applications cannot complete SAML authentication causing various types of errors.

Note: This article is only relevant to an Explicit Proxy connection method using cookie surrogate.

Cause

WSS uses a "surrogate" value, a cookie set in the browser, so that the full authentication process does not have to be repeated on every HTTP connection.

Once a user is successfully authenticated with WSS, a cookie surrogate is provided (Explicit Proxy access method).

Cookie surrogates are valid for the time defined in the WSS portal. The default is the lifetime of the browser session or 24 hours, whichever comes first. To apply the cookie to the domain, WSS must be able to redirect the client.

After the surrogate expires, the user must complete a full authentication sequence to revalidate the user.

The authentication process is not always successful. Reasons include, but are not limited to, cases where the client does not:

  • Respect an HTTP/307 redirect.
  • Support saving or presenting session-based cookies (such as those for effective TLDs, or sites that implement Cross-Origin Resource Sharing).
  • Support challenge-based authentication (HTTP 401).
  • Parse JavaScript/POST requests (to send the SAML assertion to saml.threatpulse.net).
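The failure modes above show up in proxy traffic as a client that keeps receiving the 307 redirect for the same host without ever presenting the surrogate cookie. The following script is an added example (not part of the article or the WSS product) that runs that check over a few constructed log lines; the log format, the cookie yes/no column and the threshold are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy-style log lines (not real WSS log output). Columns:
# client_ip  url  status  surrogate_cookie_sent(yes|no)  "user_agent"
SAMPLE_LOG = """\
10.0.0.5 https://www.example.com/ 307 no "Mozilla/5.0 Chrome"
10.0.0.5 https://www.example.com/ 200 yes "Mozilla/5.0 Chrome"
10.0.0.5 https://mt0.google.com/vt?x=1 307 no "Mozilla/5.0 Chrome"
10.0.0.5 https://mt0.google.com/vt?x=1 307 no "Mozilla/5.0 Chrome"
10.0.0.5 https://mt0.google.com/vt?x=1 307 no "Mozilla/5.0 Chrome"
10.0.0.7 https://geo.kaspersky.com/upd 307 no "Mozilla/4.0 (compatible)"
10.0.0.7 https://geo.kaspersky.com/upd 307 no "Mozilla/4.0 (compatible)"
10.0.0.7 https://geo.kaspersky.com/upd 307 no "Mozilla/4.0 (compatible)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) (yes|no) "([^"]*)"$')


def parse_log(text):
    """Yield (client, host, status, cookie_sent, user_agent) per parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        client, url, status, cookie, ua = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        yield client, host, int(status), cookie == "yes", ua


def find_stuck_clients(text, threshold=3):
    """Return {(client, host): count} for client/host pairs that received
    `threshold` or more 307 redirects without the surrogate cookie and
    never got a successful (2xx) response while presenting the cookie."""
    redirects = Counter()
    succeeded = set()
    for client, host, status, cookie_sent, _ua in parse_log(text):
        if status == 307 and not cookie_sent:
            redirects[(client, host)] += 1
        elif 200 <= status < 300 and cookie_sent:
            succeeded.add((client, host))
    return {key: n for key, n in redirects.items()
            if n >= threshold and key not in succeeded}


if __name__ == "__main__":
    for (client, host), n in find_stuck_clients(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} surrogate redirects, never authenticated")
```

Hosts that surface this way are candidates for the bypass lists later in this article, after confirming that the client genuinely cannot follow the redirect or store the cookie.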

Environment

Web Security Service

SAML

Explicit Proxy with cookie surrogate

Resolution

To mitigate this issue, WSS only redirects a user for SAML authentication if the request came from a Mozilla or Mozilla-compatible browser (e.g. Internet Explorer, Firefox, etc.).

Symantec has noted that several clients spoof a browser User-Agent, yet those clients are still unable to follow the required redirect or store the cookie.

Bypassed domains

Symantec has documented the following known destinations (domains and URLs) that fail SAML authentication; the User Agents, headers and file extensions that fail are listed in the next section.

Domain/URL - Comment

officeimg.vo.msecnd.net - Microsoft Office help documentation does not support the SAML redirect or cookies.
office.microsoft.com - Microsoft Office help documentation does not support the SAML redirect or cookies.
open.bbci.co.uk - Sports results on the BBC homepage: the AJAX query fails on the SAML redirect response.
code.jquery.com - Microsoft Visual Studio external requests.
ajax.googleapis.com - Microsoft Visual Studio external requests.
cdnjs.cloudflare.com - Microsoft Visual Studio external requests.
adobe.com - Adobe updater and installer do not expect SAML authentication.
w3.airbusdoc.com - Airbus support portal. Loading external content fails with SAML enabled.
activate.netsupportsoftware.com - NetSupport activation and registration URL. Activation fails with SAML enabled.
clientconfig.microsoftonline-p - Required for MS Lync activation after the first installation.
cloudfront.net - Effective TLD (cannot set a domain-wide cookie for sub-domains).
blogspot.com - Effective TLD (cannot set a domain-wide cookie for sub-domains).
blogspot.co.uk - Effective TLD (cannot set a domain-wide cookie for sub-domains).
dilbert.com - Embedded (hot-linked) images do not follow the SAML redirect.
geo.kaspersky.com - Kaspersky Anti-Virus updates.
ftp.dell.com/Published/Data - Dell System Analysis Software.
googleapis.com - Effective TLD (cannot set a domain-wide cookie for sub-domains).
githubusercontent.com - Effective TLD (cannot set a domain-wide cookie for sub-domains).
fastly.net - Effective TLD (cannot set a domain-wide cookie for sub-domains).
mt0.google.com - JSON requests from the browser-embedded Google Maps application fail to present the SAML session cookie. This results in a redirect loop and the map fails to load.
googleusercontent.com - Google Chrome Web Store: not following redirects to the SAML SP.
hp5.a.woopic.com - Browser does not provide the SAML cookie for TTF and WOFF (icon font) files loaded through CSS.
c64.assets-yammer.com - Browser does not POST the assertion to this domain.
layout.eurosport.com - Browser does not provide the SAML cookie for TTF and WOFF (icon font) files loaded through CSS.
www.google.com/maps/vt - XML query for map data: the SAML cookie is not provided within Google Maps, preventing map data from loading.
googleusercontent.com - Chrome Web Store: browser not providing the SAML cookie for some content.
ggpht.com - Google Street View not providing the SAML cookie in some transactions to this domain.
fbstatic-a.akamaihd.net/rsrc.php - CSS required as part of Facebook log-in; the SAML session cookie is not provided.
cdn-files.deezer.com - Icon files failing to load (now resolved as part of the file extension policy below).
capen.daveslab.co.uk - Content Security Policy prevents the SAML cookie from being provided. Required for prizes.rednoseday.com.
payments.daveslab.co.uk - Precautionary, to allow payments to process for the charity website prizes.rednoseday.com.
khms0.google.com - Google satellite view. Browser not providing the SAML session cookie for this domain.
khms1.google.com - Google satellite view. Browser not providing the SAML session cookie for this domain.
khms2.google.com - Google satellite view. Browser not providing the SAML session cookie for this domain.
khms3.google.com - Google satellite view. Browser not providing the SAML session cookie for this domain.
www.heroku.com - Effective TLD (cannot set a domain-wide cookie for sub-domains).
herokuapp.com - Effective TLD (cannot set a domain-wide cookie for sub-domains).
api.mongolab.com - Content-Security-Policy (Cross-Origin Resource Sharing) prevents the SAML authentication cookie from being set.
fpdownload2.macromedia.com - Macromedia Flash updates get stuck in an authentication loop.
amazonaws.com - Sub-domain effective TLDs.
amazonaws.cn - Sub-domain effective TLDs.
intropdf.com - The PDF reader fails to send the SAML assertion to the SP after authenticating to the IDP.
tile.openstreetmap.org - OCS uses CORS.
www.google.com/recaptcha/api - IDaaS IDP uses these resources for IDP authentication.
www.google.com/js - IDaaS IDP uses these resources for IDP authentication.
install.nitropdf.com - NitroPDF is a third-party PDF reader and does not follow the redirect back to the SP after IDP authentication.
officeapps.live.com - Required for inserting images into Office Outlook 2013.
apps.skype.com - Required for Skype.
mm.bing.net - Attaching images to Outlook emails fails when SAML is enabled.
r1.res.office365.com - Viewing Action items in Outlook emails fails with SAML enabled.
www.google.com/_/chrome/ - Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.co.uk/_/chrome/ - Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.fr/_/chrome/ - Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.be/_/chrome/ - Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
www.google.nl/_/chrome/ - Opening new tabs in Google Chrome would sometimes result in "Invalid SAML POST".
assets-yammer.com - Browser does not POST the assertion to this domain.
pack.google.com - Google spellchecker fails to complete the SAML transaction.
seb.se - Effective TLD (cannot set a domain-wide cookie for sub-domains).
mappy.net - Map objects do not follow the redirect to validate the SAML cookie.
tile.openstreetmap.org - Map objects do not follow the redirect to validate the SAML cookie.
openlayers.org - Also used by OpenStreetMap. Objects do not follow the redirect to validate the SAML cookie.
vocollectacademy.com - Unable to load PPT files for training content.
application5.globaleservice.com - Customer-specific request.
msecnd.net - Content delivery network.
akadns.net - Akamai content.
iecvlist.microsoft.com - Microsoft updates.
ie9cvlist.ie.microsoft.com - Microsoft updates.
rssinclude.com - RSS feeds.
gstatic.com - Google static content.
c.microsoft.com - Microsoft updates.
blob.core.windows.net - SAML transaction incomplete.
optimize.webtrends.com - SAML transaction incomplete.
windowsupdate.com - Windows Update fails to complete the SAML transaction.
brunswick.streaming.mediaservices.windows.net - SAML transaction incomplete.
amp.azure.net - SAML transaction incomplete.
supermapcloud.com - SAML transaction incomplete.
gb.symcd.com - SAML transaction incomplete.
maps.google.com/maps/api - Google Maps API does not complete SAML.
ccu.viamichelin.com - SAML assertions are not posted to the IDP.
cloudapp.net - Effective TLD.
laskurit.net - Embedded images fail to parse the SAML redirect when they are the first HTTP request.
captive.apple.com - Captive portal detection from Apple devices.
www.msftncsi.com - Microsoft's Network Connection Status Indicator does not complete the SAML transaction.
epaper.paris-normandie.fr - Does not send the SAML cookie.
mail-attachment.googleusercontent.com - Does not send the SAML cookie.
kmapi.dotmobil.com - Does not send the SAML cookie.
milibris.com - Does not send the SAML cookie.

Bypassed agents

The following User Agents, headers, and file extensions are also known to fail SAML authentication. This list can be used as a basis for crafting your own bypass lists.

Note: For privacy reasons, this list does not contain some customer-specific domains or User-Agents.

User-Agent header, if it contains:

  • MSOffice: Viewing images inside Microsoft Outlook fails with SAML enabled.
  • ms-office: Clicking links inside office applications (for example, Microsoft Excel).
  • Google Earth: Prevents Google Earth from crashing during an attempt to perform SAML authentication.

Other headers:

  • X-OfApp: WINWORD
  • X-OfVer: 15
  • X-OfApp: OUTLOOK
  • X-OfVer: 14

File extensions:

  • .WOFF: Browser-embedded Content-Security-Policy prevents the browser from following redirects to the SAML authentication IDP/SP.
  • .WOFF2: Browser-embedded Content-Security-Policy prevents the browser from following redirects to the SAML authentication IDP/SP.
  • .TTF: Browser-embedded Content-Security-Policy prevents the browser from following redirects to the SAML authentication IDP/SP.
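As an added example of how such a bypass list is evaluated (this is illustrative code, not WSS policy syntax or product code), the function below classifies a request against short lists drawn from the tables above: domain entries match the host and its sub-domains, URL entries match host plus path prefix, User-Agent entries are substring matches, and header and extension entries are exact matches. The `Request` class and the rule names returned are assumptions made for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Short illustrative lists drawn from the article's tables; an operator
# would load the full lists from their own policy.
BYPASS_DOMAINS = ("cloudfront.net", "blogspot.com", "googleapis.com", "amazonaws.com")
BYPASS_URL_PREFIXES = ("www.google.com/maps/vt", "www.google.com/_/chrome/")
BYPASS_UA_SUBSTRINGS = ("MSOffice", "ms-office", "Google Earth")
BYPASS_HEADERS = {("X-OfApp", "WINWORD"), ("X-OfVer", "15"),
                  ("X-OfApp", "OUTLOOK"), ("X-OfVer", "14")}
BYPASS_EXTENSIONS = (".woff", ".woff2", ".ttf")


@dataclass
class Request:  # minimal stand-in for a proxied request (assumption)
    url: str
    user_agent: str = ""
    headers: dict = field(default_factory=dict)


def bypass_reason(req):
    """Return which exemption rule matches `req`, or None if none does."""
    parts = urlsplit(req.url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for d in BYPASS_DOMAINS:  # host itself or any sub-domain of it
        if host == d or host.endswith("." + d):
            return f"domain:{d}"
    for entry in BYPASS_URL_PREFIXES:  # exact host, path prefix
        entry_host, _, entry_path = entry.partition("/")
        if host == entry_host and path.startswith("/" + entry_path):
            return f"url:{entry}"
    for needle in BYPASS_UA_SUBSTRINGS:  # "if it contains" semantics
        if needle in req.user_agent:
            return f"user-agent:{needle}"
    for name, value in req.headers.items():
        if (name, value) in BYPASS_HEADERS:
            return f"header:{name}={value}"
    for ext in BYPASS_EXTENSIONS:  # case-insensitive on the path only
        if path.lower().endswith(ext):
            return f"extension:{ext}"
    return None


def should_redirect_to_saml(req):
    """The article's rule: only Mozilla-compatible User-Agents are sent to
    SAML, and an exempted request is never redirected."""
    if "Mozilla" not in req.user_agent:
        return False
    return bypass_reason(req) is None
```

Note that a domain entry such as amazonaws.com exempts every host under it, which is the intended effect for an effective TLD but worth reviewing before copying an entry into your own list.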

Caution: With the addition of the Symantec Authentication Policy controls, Symantec no longer proactively maintains this list. Refer to Exempt From Authentication for further information on how to bypass domains from authentication.