"Can't reach this page" error on WSS Agent popup with SAML Authentication enabled
Article ID: 238836
Updated On:
Products
Issue/Introduction
WSS Agent used to connect to WSS
SAML Authentication enabled so that users get a popup to enter their SAML IDP login credentials
Instead of getting the WSS Agent popup page, the following error is reported indicating that the pod.threatpulse.com page cannot be reached
Cause
The WSS SAML configuration was not pointing to the correct SAML IDP server, but actually pointing to WSS SAML endpoints.
Admin had imported the WSS SAML metadata into the SAML IDP metadata field, triggering WSS into sending the SAML AuthnRequest to itself!
Environment
WSS Agent 7.3.x+ with SAML support
Resolution
Make sure that the exported SAML IDP Server metadata (Azure in our case) is imported into the WSS Portal. The endpoint URL and Entity ID will reference Azure endpoints and not saml.threatpulse.net endpoints when the problem occurs.
Additional Information
Can bring up a browser and access http://pod.threatpulse.com to confirm if the IDP login page is rendered (seperate from the WSS Agent login approach). If this fails, as it did here, it implies a general SAML issue that is independent of WSS agent.
Reproducing this in a browser or popup and getting HAR file, we could see the following exchanges (NOTE that the SAML AuthnRequest is being sent to BCSAMLPOST endpoint, which is where the SAML IDP server sends the assertion/SAMLResponse)
Identifying this as the culprit allows the admin point to the SAML SP configuration (WSS in this case) sending the AuthnRequest to the wrong location - checking the WSS SAML SP configuration then showed up the error.
Attachments
Feedback
