WSS Agent enabled with SAML authentication
When the user enables the WSS Agent, a popup appears on the screen (shown below) with a 404 status code; the user has no option to enter credentials.
If the user moves the popup aside, opens a browser and manually browses to http://pod.threatpulse.com, the SAML IDP login page is presented and the user can log in.
Windows 10 workstation
WSS Agent 7.3.1
Microsoft Defender firewall enabled
The Microsoft Defender client firewall is blocking requests to the SAML endpoints (in this case the WSS SAML SP and the Azure SAML IDP server).
Whitelist all WSS Agent executables so that they are allowed through Microsoft Defender Firewall:
- C:\Program Files\Symantec\WSS Agent\wssad.exe
- C:\Program Files\Symantec\WSS Agent\wssa-ui.exe
- C:\Windows\System32\WWAHost.exe
WWAHost.exe hosts the SAML login popup and sends the requests needed to communicate with the IDP server (pod.threatpulse.com and saml.threatpulse.net, as well as the IDP server's own domains).
Alternatively, you can whitelist the IP addresses of these hosts if you prefer not to do it at the application level.
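The application-level whitelist above can be applied from an elevated PowerShell session. This is an added example, not part of the original article or the WSS Agent product; the rule names are assumed, the executable paths are the three listed above.

```powershell
# Added example (not from the original article): creates outbound allow rules in
# Microsoft Defender Firewall for the three WSS Agent executables listed above.
# Run in an elevated PowerShell session. Rule names are assumed; paths are from the article.
$programs = @(
    'C:\Program Files\Symantec\WSS Agent\wssad.exe',
    'C:\Program Files\Symantec\WSS Agent\wssa-ui.exe',
    'C:\Windows\System32\WWAHost.exe'
)

foreach ($exe in $programs) {
    $name = "WSS Agent allow - $([System.IO.Path]::GetFileName($exe))"

    # Skip executables that are not present so no dangling rules are created.
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Not found, skipping: $exe"
        continue
    }

    # Idempotent: do not create a duplicate if a rule with this name already exists.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $name"
        continue
    }

    # Outbound allow scoped to this program only, on every network profile.
    # The program path must match the installed executable exactly.
    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound `
        -Program $exe `
        -Action Allow `
        -Profile Any `
        -Enabled True | Out-Null
    Write-Host "Created rule: $name"
}

# Verify: list the created rules and the program each one is bound to.
Get-NetFirewallRule -DisplayName 'WSS Agent allow - *' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallApplicationFilter
        [PSCustomObject]@{
            Rule    = $_.DisplayName
            Program = $filter.Program
            Enabled = $_.Enabled
        }
    } | Format-Table -AutoSize
```

After the rules are in place, re-enable the WSS Agent and confirm the SAML popup now shows the IDP login page rather than a 404.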
Screenshot of Defender configuration: shows the IP address exceptions and where the application bypass entries are added.