
Is SAML and auth-connector authentication dual-run supported?


Article ID: 240798


Products

Web Security Service - WSS

Issue/Introduction

Customers moving from Auth-connector based authentication to WSS Agent SAML authentication want to know how the authentication switchover is done and whether the SAML authentication roll-out can be phased.

Cause

SAML authentication for WSS Agent is presented on the WSS portal as an on/off switch [Images 1 and 2].

[Image 1] WSS Agent SAML authentication switch (SAML authentication is turned off)

[Image 2] WSS Agent SAML authentication switch (SAML authentication is turned on)

Environment

WSS Agent - any supported version.

Resolution

When SAML authentication is enabled, the WSS portal adds conditions to the policy that branch out from the default authentication realm (which is either Agent identification alone or Agent identification + Auth-connector) to the SAML authentication mode (or realm).

If the conditions are not met, the default authentication mode continues to be used.

The conditions that need to be matched for the SAML authentication branch-out are:

  • access method is WSS Agent
  • WSS Agent SAML authentication is enabled on the portal
  • WSS Agent is at version 7.3 and above

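So, if your agent base is below 7.3, you can use the agent upgrade process (from 6.1 or 7.1, for example) to phase in SAML authentication, rather than upgrading all agents to a newer version and turning on SAML authentication for all users after the upgrade is completed. With the switch turned on, each agent moves to SAML authentication as it is upgraded to 7.3 or above, while agents still on older versions continue to use the default authentication mode.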
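To plan a phased roll-out, the three branch-out conditions above can be applied to an agent inventory to see which endpoints would authenticate through SAML once the portal switch is on. This is an added example, not part of the original article or of WSS itself; the access-method labels, realm names, hostnames and version strings are assumptions constructed for illustration.

```python
# Added planning aid: models the three branch-out conditions stated in this article.
from collections import Counter

SAML_MIN_VERSION = (7, 3)  # from the article: WSS Agent 7.3 and above


def parse_version(text):
    """Parse a dotted version numerically (assumes 'major.minor[.patch]' strings)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor: {text!r}")
    return parts


def realm_for(access_method, agent_version, saml_enabled, default_realm):
    """Return the realm an endpoint lands in under the article's conditions."""
    if (access_method == "wss-agent"      # label is an assumption
            and saml_enabled              # portal on/off switch
            and parse_version(agent_version)[:2] >= SAML_MIN_VERSION):
        return "saml"
    return default_realm                  # conditions not met: default mode stays


def rollout_plan(inventory, saml_enabled, default_realm="agent+auth-connector"):
    """Map each host to its realm and count hosts per realm."""
    realms = {host: realm_for(method, ver, saml_enabled, default_realm)
              for host, method, ver in inventory}
    return realms, Counter(realms.values())


# Constructed sample inventory (hostnames and version strings are made up).
INVENTORY = [
    ("lt-001", "wss-agent", "6.1.1"),
    ("lt-002", "wss-agent", "7.1.1"),
    ("lt-003", "wss-agent", "7.3.1"),
    ("lt-004", "wss-agent", "7.10.2"),  # above 7.3 numerically; a string compare gets this wrong
    ("gw-001", "other", None),          # not a WSS Agent connection, so no agent version
]

if __name__ == "__main__":
    realms, counts = rollout_plan(INVENTORY, saml_enabled=True)
    for host, realm in realms.items():
        print(f"{host}: {realm}")
    print(dict(counts))
```

Comparing versions as tuples of integers matters here: as plain strings, "7.10.2" sorts below "7.3.1" and such an agent would be wrongly counted as staying on the default realm.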
