MacOS "NSURLErrorDomain error code -999" error on WSS Agent SAML login popup screen after user session expires on IDP server
search cancel

MacOS "NSURLErrorDomain error code -999" error on WSS Agent SAML login popup screen after user session expires on IDP server


Article ID: 238885


Updated On:


Cloud Secure Web Gateway - Cloud SWG


WSS Agent setup and working well on MacOS

Users authenticate to WSS via SAML protocol where the session lifetime on WSS is 12 hours; their IDP session lifetime is also 12 hours

If a user keeps the machine unlocked and comes in after more than 12 hours of inactivity, the WSS agent popup screen displays the login page with NSURLErrorDomain error code -999 as shown below:

Clicking reload would cause the page to load correctly.


Version Monterey 12.2.1

WSSA version 8.0.60

3rd Party IDP server running on premise, but externally available too




IDP server having issues handling requests with stale cookies


Switch the SAML AuthnRequests from using the Redirect binding to using the POST binding on WSS side

Additional Information

Agent communication to WSS via endpoint returned the expected redirect to when session expired on WSS side. generated a SAML AuthnRequest and sent it to the IDP server, so we know that the communication to the IDP server was successful. 

After that, the client made a large number of requests to the IDP server at the same time (when successful we typically had one or two sessions!)

Knowing that the issue was with the IDP server In terms of troubleshooting, we enabled the ability to inspect the network traffic from within the popup generate a HAR file with the SAML popup using the following commands

sudo "/Applications/Symantec WSS" -p signalAction=enableWebViewDevTools
sudo killall -SIGUSR2

When done, we saw the HAR file and could see constant redirects from the IDP server to itself when the problem occured. The session information that was passed with the requests were invalid most likely as cookies were being expired. By clicking 'reload' on page, all cookies are reset as it simulates a request to the IDP server for the first time.

We POSTed the SAML authentication request instead of using the redirect, and this sorted the issue out from IDP side. We didn't get detailed logs from IDP server to understand why.