
WSS Agent users cannot log in when SAML authentication is enabled


Article ID: 233577


Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Users access the internet through WSS using the WSS Agent.

When SAML authentication is enabled, the SAML login page fails to render in the agent's popup window for some users.

Affected WSS Agent users see HTTP 404 status or timeout errors, as reported below:


No traffic is sent to the IDP server: logs and packet captures show no inbound authentication request reaching the IDP when users encounter this problem.

Accessing http://pod.threatpulse.com in a browser follows the redirect to the IDP server, where the login page renders correctly. This indicates that the SAML configuration is sound and that the problem lies in the agent's login popup.

Cause

The Microsoft WebView component, which the WSS Agent uses to render the login page in its popup window, fails to render it.

Microsoft has released a major update to the WebView framework, WebView2, which works correctly with the WSS Agent. Note that WSS Agent 8.x is required: WSS Agent 7.x supports only the original WebView.

Environment

WSS Agent 8.x on Windows.

SAML authentication enabled for WSS Agent users.

Resolution

After confirming that the Windows host is running WSS Agent 8.x, download and install the WebView2 Runtime from Microsoft.

WSS Agent 8.x will also prompt the user to upgrade to the latest WebView2 framework.
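The two prerequisites above, agent version and a system-wide WebView2 Runtime, can be checked before touching a user's machine. The following PowerShell script is an added example and not part of this article or the WSS Agent product; it reads the registry keys Microsoft documents for detecting the Evergreen WebView2 Runtime, distinguishes a per-machine install (HKLM) from a per-user one (HKCU), and looks up the agent version in the Add/Remove Programs uninstall keys. The `*WSS Agent*` DisplayName pattern and the bootstrapper path in the optional install step are assumptions.

```powershell
# Added example (not from the original article): verify the prerequisites for the fix.
#   1. WSS Agent 8.x or later is installed (7.x only supports the original WebView).
#   2. The WebView2 Runtime is installed per-machine (HKLM), not only per-user (HKCU).
# Run from an elevated PowerShell prompt on the affected Windows host.

# --- 1. WSS Agent version ----------------------------------------------------
# Assumption: the agent registers in Add/Remove Programs with a DisplayName
# containing "WSS Agent". Adjust the pattern if your build uses another name.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$agent = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*WSS Agent*' } |
    Select-Object -First 1

if (-not $agent) {
    Write-Warning 'WSS Agent not found in the uninstall registry keys; install WSS Agent 8.x first.'
} else {
    $agentVersion = [version]$agent.DisplayVersion
    if ($agentVersion.Major -lt 8) {
        Write-Warning "WSS Agent $agentVersion found; 7.x only supports the original WebView. Upgrade to 8.x."
    } else {
        Write-Host "WSS Agent $agentVersion found (8.x or later): OK"
    }
}

# --- 2. WebView2 Runtime: per-machine vs per-user -----------------------------
# Microsoft documents these EdgeUpdate client keys for detecting the Evergreen
# WebView2 Runtime; the GUID is the runtime's client ID, and "pv" holds its version.
# A missing key, an empty "pv", or "0.0.0.0" means the runtime is not installed.
$wv2Guid = '{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}'
$machineKeys = @(
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\$wv2Guid",  # 64-bit Windows
    "HKLM:\SOFTWARE\Microsoft\EdgeUpdate\Clients\$wv2Guid"               # 32-bit Windows
)
$userKey = "HKCU:\SOFTWARE\Microsoft\EdgeUpdate\Clients\$wv2Guid"

function Get-WebView2Version([string[]]$Paths) {
    foreach ($p in $Paths) {
        $v = (Get-ItemProperty -Path $p -Name pv -ErrorAction SilentlyContinue).pv
        if ($v -and $v -ne '0.0.0.0') { return $v }
    }
    return $null
}

$machineVersion = Get-WebView2Version $machineKeys
$userVersion    = Get-WebView2Version @($userKey)

if ($machineVersion) {
    Write-Host "WebView2 Runtime $machineVersion is installed per-machine: OK"
} elseif ($userVersion) {
    # A per-user install exists, but the article requires a system-wide install.
    Write-Warning "WebView2 Runtime $userVersion is installed per-user only; reinstall system-wide from an elevated prompt."
} else {
    Write-Warning 'WebView2 Runtime is not installed.'
}

# --- 3. Optional: install per-machine with Microsoft's Evergreen Bootstrapper --
# Download MicrosoftEdgeWebview2Setup.exe from Microsoft first. The path below is an
# assumption. Running the bootstrapper elevated with /silent /install performs the
# install without prompts; run it from an administrator session so it is per-machine.
$bootstrapper = 'C:\Temp\MicrosoftEdgeWebview2Setup.exe'
if (-not $machineVersion -and (Test-Path $bootstrapper)) {
    Start-Process -FilePath $bootstrapper -ArgumentList '/silent', '/install' -Wait -Verb RunAs
}
```

The per-user versus per-machine distinction matters here: the agent runs the login popup in a context that only picks up a system-wide runtime, so a user who installed WebView2 for their own account alone will still see the 404 or timeout symptom.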


Additional Information

Wireshark traces show communication to the original URL and to saml.threatpulse.net as expected, but no request to the SAML IDP server.

Debugging the original WebView is extremely difficult because it provides no logging by default.

Debugging WebView2 is much easier: it includes developer tools that can trace the authentication traffic. Right-click the SAML popup window and select "Inspect" to open the developer console.

The WebView2 Runtime must be installed as an administrator and system-wide (per-machine, not per-user).
