
WSS Agent with SAML authentication enabled displaying 404 page not found message instead of IDP login page


Article ID: 213452


Products

Web Security Service - WSS

Issue/Introduction

WSS Agent enabled with SAML authentication

When the user enables the WSS Agent, a popup appears on the screen showing a 404 status code instead of the IDP login page; the user has no option to enter credentials.

If the user moves the popup to the side, opens a browser and manually browses to http://pod.threatpulse.com, the SAML IDP server login page is presented and user can login. 

Cause

The Microsoft Defender client firewall is blocking the WSS Agent's requests to the SAML endpoints (the WSS SAML SP and, in this case, the Azure SAML IDP server).

Environment

Windows 10 workstation

WSS Agent 7.3.1

Microsoft Defender firewall enabled

Resolution

Allow the following WSS Agent executables through the Microsoft Defender firewall:

- C:\Program Files\Symantec\WSS Agent\wssad.exe
- C:\Program Files\Symantec\WSS Agent\wssa-ui.exe
- C:\Windows\System32\WWAHost.exe

WWAHost.exe is the process that renders the SAML login popup and sends the requests needed for the communication with the IDP server (pod.threatpulse.com and saml.threatpulse.net, as well as the IDP server domains).

Alternatively, you can whitelist the IP addresses of these hosts if you prefer not to create the exceptions at the application level.
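As an added example (not from the KB article), the following PowerShell script creates outbound Microsoft Defender Firewall allow rules for the three executables listed above and then verifies them. The rule display names and description are chosen here, not names the product creates; run it from an elevated PowerShell session on the affected workstation.

```powershell
# Added example: allow the WSS Agent executables through Microsoft Defender Firewall.
# Rule names below are assumptions made for this script, not product-defined names.

$programs = @(
    'C:\Program Files\Symantec\WSS Agent\wssad.exe',
    'C:\Program Files\Symantec\WSS Agent\wssa-ui.exe',
    'C:\Windows\System32\WWAHost.exe'
)

foreach ($exe in $programs) {
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Not found, skipping: $exe"
        continue
    }
    $name = 'WSS Agent allow - ' + (Split-Path -Leaf $exe)

    # Idempotent: do not create a duplicate rule on a second run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $name"
        continue
    }

    New-NetFirewallRule -DisplayName $name `
        -Description 'Allow WSS Agent SAML traffic to the SP/IDP endpoints' `
        -Direction Outbound -Action Allow -Enabled True `
        -Profile Domain,Private,Public `
        -Program $exe | Out-Null
    Write-Host "Created: $name"
}

# Verify: list each rule with its state and the program it applies to.
Get-NetFirewallRule -DisplayName 'WSS Agent allow - *' |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        '{0,-40} {1,-6} {2}' -f $_.DisplayName, $_.Enabled, $prog
    }
```

In Windows Defender Firewall an explicit block rule that matches the same program wins over an allow rule, so if the 404 popup persists, also review `Get-NetFirewallRule -Action Block -Direction Outbound` for rules covering these executables.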

[Screenshot of the Defender configuration: shows the IP address changes and where the application bypass is configured.]