Users accessing internet via WSS using the WSS Agent.
When SAML authentication is enabled, some users do not get the SAML login page rendered successfully within the popup window.
WSS Agent users seeing 404 status or timeout errors as are reported below :
No traffic appears to be sent to the IDP server. Logs and PCAPs show no inbound traffic when users encounter this problem.
Accessing http://pod.threatpulse.com URL in a browser allows the redirect to the IDP server where the login page is rendered correctly, indicating an issue with the agent login.
WSS Agent 8.x on Windows.
SAML authentication enabled for WSS Agent users.
Microsoft Webview plugin, used to render the login page, has issues preventing it from doing so.
Microsoft has recently released a major update to Webview framework (called Webview2) which works seamlessly with the WSS Agent. Note that WSS Agent 8.x is required as 7.x only supports the original Webview.
After making sure the Windows host is running WSS Agent 8.x, download and install the Webview2 Evergreen version from Microsoft.
WSS Agent 8.x also prompts the user to upgrade to latest Webview2 framework automatically if it is not already installed.
1. Administrator privileges are required to perform this installation.
2. WebView2 evergreen version receives automatic updates to stay on the latest and most secure platform. Hence WebView2 evergreen version is recommended.
Wireshark traces show communication to the original URL, and saml.threatpulse.net as expected, but no request to the SAML IDP server.
Debugging Webview is extremely difficult as there is no logging available by default.
Debugging Webview2 is much easier and has a troubleshooting plugin to trace the authentication traffic. Simply right click the SAML popup window and select "Inspect" to view the developer console.
The plug-in needs to be installed as administrator and installed system-wide (not per-user).