
"Can't reach this page" error on WSS Agent popup with SAML Authentication enabled


Article ID: 238836


Products

Web Security Service - WSS

Issue/Introduction

The WSS Agent is used to connect to WSS.

SAML Authentication is enabled, so users get a popup in which to enter their SAML IDP login credentials.

Instead of the WSS Agent popup page, the following error is reported, indicating that the pod.threatpulse.com page cannot be reached.

Cause

The WSS SAML configuration was not pointing to the SAML IDP server at all; it was pointing to the WSS SAML endpoints themselves.

The admin had imported the WSS (SP) SAML metadata into the SAML IDP metadata field, which made WSS send its SAML AuthnRequest to itself.



Environment

WSS Agent 7.3.x+ with SAML support

 

Resolution

Make sure that the metadata exported from the SAML IDP server (Azure in this case) is what gets imported into the WSS Portal. Once imported correctly, the endpoint URL and Entity ID reference Azure endpoints; when the problem occurs, they reference saml.threatpulse.net endpoints instead.

Additional Information

You can open a browser and access http://pod.threatpulse.com to confirm whether the IDP login page is rendered (this path is separate from the WSS Agent login approach). If this fails, as it did here, it implies a general SAML issue that is independent of the WSS Agent.

Reproducing this in a browser or in the popup and capturing a HAR file, we could see the following exchanges (NOTE that the SAML AuthnRequest is being sent to the BCSAMLPOST endpoint, which is where the SAML IDP server is supposed to send the assertion/SAMLResponse, not where the AuthnRequest belongs).

Identifying this as the culprit lets the admin pinpoint the SAML SP configuration (WSS in this case) as the side sending the AuthnRequest to the wrong location; checking the WSS SAML SP configuration then revealed the error.
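As an added illustration for the Resolution and Additional Information sections above (this is not WSS code and not part of the original article), the script below shows the kind of pre-import sanity check that would have caught this misconfiguration. It parses a SAML 2.0 metadata document and reports whether it is really IDP metadata (an IDPSSODescriptor with a SingleSignOnService) or the SP's own metadata (an SPSSODescriptor whose AssertionConsumerService points back at the SP), and whether any endpoint or the Entity ID falls under the SP's own domain. Both metadata documents, the tenant GUID, the sts.windows.net Entity ID and the saml.threatpulse.net paths are constructed placeholders.

```python
# Added example: pre-import sanity check for SAML IDP metadata.
# Not WSS code; the two metadata documents below are constructed samples.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of what a SAML IDP (Azure AD style) exports.
# The tenant GUID is a placeholder.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of the SP's OWN metadata (what WSS exports for the IDP admin).
# Feeding this into the IDP-metadata field is the misconfiguration from the article:
# the SP would then send its AuthnRequest to its own assertion consumer endpoint.
# The entityID and the BCSAMLPOST path are placeholders.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saml.threatpulse.net/sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://saml.threatpulse.net/BCSAMLPOST"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def _host_in_domain(url, domain):
    """True if the URL's host is `domain` or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def check_idp_metadata(xml_text, sp_domain):
    """Return a list of findings for a document about to be imported as IDP metadata.

    An empty list means the document describes an IDP whose endpoints lie outside
    the SP's own domain. `sp_domain` is the domain the SP (here WSS) itself uses.
    """
    findings = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    sp = root.find("md:SPSSODescriptor", MD_NS)

    if idp is None:
        findings.append("no IDPSSODescriptor: this is not IDP metadata")
        if sp is not None:
            acs = [s.get("Location", "") for s in sp.findall("md:AssertionConsumerService", MD_NS)]
            findings.append(
                f"SPSSODescriptor found instead; AuthnRequests would be sent to the SP's own ACS endpoint(s): {acs}"
            )
    else:
        sso = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", MD_NS)]
        if not sso:
            findings.append("IDPSSODescriptor has no SingleSignOnService endpoint")
        for loc in sso:
            if _host_in_domain(loc, sp_domain):
                findings.append(f"SingleSignOnService {loc} is inside the SP domain {sp_domain}")

    if _host_in_domain(entity_id, sp_domain):
        findings.append(f"entityID {entity_id} is inside the SP domain {sp_domain}: metadata points back at the SP")
    return findings


if __name__ == "__main__":
    for label, doc in (("Azure IDP metadata", IDP_METADATA), ("WSS SP metadata", SP_METADATA)):
        problems = check_idp_metadata(doc, "threatpulse.net")
        print(f"{label}: {'OK to import' if not problems else 'DO NOT import'}")
        for problem in problems:
            print("  -", problem)
```

Run against the SP's own export, the check flags the missing IDPSSODescriptor, the BCSAMLPOST assertion consumer endpoint and the threatpulse.net Entity ID, which is exactly the picture the HAR capture showed after the fact; run against genuine IDP metadata it returns no findings.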
