
"Can't reach this page" error on WSS Agent popup with SAML Authentication enabled


Article ID: 238836


Updated On:


Web Security Service - WSS


WSS Agent used to connect to WSS

SAML Authentication enabled so that users get a popup to enter their SAML IDP login credentials

Instead of getting the WSS Agent popup page, the following error is reported indicating that the page cannot be reached


The WSS SAML configuration was not pointing to the correct SAML IDP server; it was pointing to the WSS SAML endpoints instead.

The admin had imported the WSS SAML metadata into the SAML IDP metadata field, triggering WSS into sending the SAML AuthnRequest to itself!


WSS Agent 7.3.x+ with SAML support



Make sure that the metadata exported from the SAML IDP server (Azure in our case) is what gets imported into the WSS Portal. When configured correctly, the endpoint URL and Entity ID reference Azure endpoints, not WSS endpoints as they do when the problem occurs.

Additional Information

Can bring up a browser and access to confirm if the IDP login page is rendered (separate from the WSS Agent login approach). If this fails, as it did here, it implies a general SAML issue that is independent of the WSS Agent.

Reproducing this in a browser or popup and capturing a HAR file, we could see the following exchanges (NOTE that the SAML AuthnRequest is being sent to the BCSAMLPOST endpoint, which is where the SAML IDP server sends the assertion/SAMLResponse).

Identifying this as the culprit allows the admin to point to the SAML SP configuration (WSS in this case) as sending the AuthnRequest to the wrong location. Checking the WSS SAML SP configuration then revealed the error.
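The HAR check described above can be scripted. The following is an added example, not code from this article or from the vendor: it decodes every SAMLRequest in a HAR capture and reports AuthnRequests that were sent to the same host as their own AssertionConsumerServiceURL, i.e. to the SP itself. It assumes the AuthnRequest carries that attribute; the host names, paths and the sample HAR are constructed.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode, unquote

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

def decode_saml_request(value, deflated):
    """Base64-decode a SAMLRequest; HTTP-Redirect binding values are also raw-DEFLATE'd."""
    raw = base64.b64decode(value)
    return ET.fromstring(zlib.decompress(raw, -15) if deflated else raw)

def find_self_directed_authn_requests(har):
    """Return request URLs whose AuthnRequest went to the host of its own ACS URL."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        target = urlsplit(req["url"])
        if req["method"] == "GET":      # HTTP-Redirect binding: query parameter
            values, deflated = parse_qs(target.query).get("SAMLRequest", []), True
        else:                           # HTTP-POST binding: form field
            params = req.get("postData", {}).get("params", [])
            values = [unquote(p["value"]) for p in params if p["name"] == "SAMLRequest"]
            deflated = False
        for value in values:
            root = decode_saml_request(value, deflated)
            acs = root.get("AssertionConsumerServiceURL", "")
            if root.tag == SAMLP + "AuthnRequest" and acs \
                    and urlsplit(acs).hostname == target.hostname:
                hits.append(req["url"])
    return hits

def sample_har():
    """Constructed HAR: the same AuthnRequest sent to the SP itself and to an IdP."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_constructed" Version="2.0" '
           'AssertionConsumerServiceURL="https://sp.example.test/BCSAMLPOST"/>')
    c = zlib.compressobj(wbits=-15)     # raw DEFLATE, as the Redirect binding uses
    blob = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    query = urlencode({"SAMLRequest": blob})
    urls = ["https://sp.example.test/BCSAMLPOST?" + query,   # misconfigured case
            "https://idp.example.test/sso?" + query]         # correct case
    return {"log": {"entries": [{"request": {"method": "GET", "url": u}} for u in urls]}}

if __name__ == "__main__":
    for url in find_self_directed_authn_requests(sample_har()):
        print("AuthnRequest sent back to the SP:", url)
```

To run it against a real capture, load the exported file with `json.load` and pass the result to `find_self_directed_authn_requests`.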