
Is SAML and auth-connector authentication dual-run supported?


Article ID: 240798


Updated On:


Web Security Service - WSS


Customers moving from Auth-connector based authentication to WSS Agent SAML authentication want to know how the authentication switchover is done and whether the SAML authentication roll-out can be phased.


SAML authentication for WSS Agent is presented on the WSS portal as an on/off switch [Images 1 and 2].

[Image 1] WSS Agent SAML authentication switch (SAML authentication is turned off)

[Image 2] WSS Agent SAML authentication switch (SAML authentication is turned on)


WSS Agent - any supported version.


When SAML authentication is enabled, the WSS portal adds conditions to the policy that branch out from the default authentication realm (which is either Agent identification alone or Agent identification + Auth-connector) to the SAML authentication mode (or realm).

If the conditions are not met, the default authentication mode continues to be used.

The conditions that must be matched for the SAML authentication branch-out are:

  • access method is WSS Agent
  • WSS Agent SAML authentication is enabled on the portal
  • WSS Agent is at version 7.3 or above

So, if you have an agent base that is below 7.3, you can use the agent upgrade process (from 6.1 or 7.1, for example) to phase in SAML authentication, rather than upgrading all agents to a newer version and turning on SAML authentication for all users after the upgrade is completed.
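
To plan such a phased roll-out, the branch-out conditions above can be modelled against an agent inventory to preview which users move to SAML when the switch is turned on. This is an added example, not code from the WSS portal or the vendor; the function names, the access-method labels and the inventory records are assumptions constructed for illustration.

```python
# Added illustration: models the three branch-out conditions from the article.
# Names, access-method labels and the sample inventory are constructed.
from collections import Counter

SAML_MIN_VERSION = (7, 3)  # article: WSS Agent at version 7.3 or above


def parse_version(text):
    """Turn '7.10.1' into (7, 10, 1) so that 7.10 compares above 7.3."""
    return tuple(int(part) for part in text.strip().split("."))


def auth_realm(access_method, saml_enabled, agent_version):
    """Return 'saml' only when all three conditions match, else 'default'."""
    if access_method != "wss-agent" or not saml_enabled:
        return "default"
    try:
        version = parse_version(agent_version)
    except (ValueError, AttributeError):
        return "default"  # missing or unreadable version: no branch-out
    return "saml" if version >= SAML_MIN_VERSION else "default"


def rollout_preview(inventory, saml_enabled):
    """Count endpoints per realm and list agents still awaiting upgrade."""
    realms = Counter()
    pending = []
    for rec in inventory:
        realm = auth_realm(rec["access_method"], saml_enabled, rec["version"])
        realms[realm] += 1
        if rec["access_method"] == "wss-agent" and realm == "default":
            pending.append(rec["host"])
    return realms, pending


# Constructed sample inventory (not real hosts).
INVENTORY = [
    {"host": "lt-001", "access_method": "wss-agent", "version": "6.1.0"},
    {"host": "lt-002", "access_method": "wss-agent", "version": "7.1.2"},
    {"host": "lt-003", "access_method": "wss-agent", "version": "7.3.0"},
    {"host": "lt-004", "access_method": "wss-agent", "version": "7.10.1"},
    {"host": "br-001", "access_method": "other", "version": ""},
]

if __name__ == "__main__":
    realms, pending = rollout_preview(INVENTORY, saml_enabled=True)
    print(dict(realms), "still on default realm until upgraded:", pending)
```

Comparing versions as integer tuples matters here: a plain string comparison would rank "7.10.1" below "7.3" and wrongly keep that agent in the default realm.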