Users getting blocked accessing valid resources after enabling SAML authentication via Azure SAML IDP server
Article ID: 229700
Updated On:
Products
Issue/Introduction
Users running WSS agent and accessing resources without issues
Switched WSS agent authentication to SAML for testing and same users were blocked from accessing valid resources
Block messages showed valid user data so assumption is that group information was missing
SAML integration with Azure SAML ISP server as per Broadcom documentation
Environment
WSS Agent
Azure SAML IDP server
Azure AD Connect synchronizing on premise AD users into Azure
Cause
Azure IDP server sending SAML assertion with group attribute containing GUIDs and not logical group names
Resolution
Add group claims within Azure SAML IDP server using options below that adds the Active Directory attributes synced from Active Directory instead of Azure AD objectIDs. In our case, we selected the 'NetBIOSDomain\sAMAccountName' format from the drop-down so that the info passed in matched the Group names within Cloud SWG configuration.
Additional Information
We can see that the proxy does not seem to get any group information based on the HTTP log entry for that user – we see the user (yellow) but the group entry is missing (red)
2023-10-26 10:11:28 "DP4-GGBLO11_proxysg3" 132 #.#.#.# [email protected] - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http pod.threatpulse.com 80 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.30" 192.168.4.86 1472 481 - - - - 0 "client" client_connector "Symantec Web Security Service" "none" #.#.#.# "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - #.#.#.# "United States" - "United Kingdom" 2 - - - - - - - - - - - - - - - - 0c1121139bde6b9f-000000003903bb01-000000006177d450 #.#.#.# "GB"
With the HAR file, we can extract the assertion sent to BCSAMLPOST endpoint … we do see the group attribute but we also see the group values sent are GUIDs and not the group names. (see red below)
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_30c8483d04d4cb90c8f1a78e334aec96c61b27ca206a1bd3316a629c4ba50ad5" NotOnOrAfter="2023-10-26T11:14:41.799Z" Recipient="https://saml.threatpulse.net:8443/saml/saml_realm/bcsamlpost"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2023-10-26T10:09:41.799Z" NotOnOrAfter="2023-10-26T11:14:41.799Z">
<AudienceRestriction>
<Audience>https://saml.threatpulse.net:8443/saml/saml_realm</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>54f7cf29-ec17-41cd-8ed1-8dfd80ecf800</AttributeValue>
<AttributeValue>53aaf3a2-1359-4bed-a24a-2b2fb33f18b8</AttributeValue>
<AttributeValue>26bb7526-06fe-49b1-8fcb-6436b3fd980a</AttributeValue>
<AttributeValue>b0351e19-fde2-48c9-a17e-11d17717092d</AttributeValue>
<AttributeValue>d37e4b0d-1c94-4849-a411-10d3a893029f</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2023-10-26T06:56:32.285Z" SessionIndex="_95a2be1e-f209-48d7-a285-a8e20e63a000">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims includes good information from Azure side.
Feedback
