
x509 authentication failing with WSSA and SAML on MacOS devices


Article ID: 240907


Products

Web Security Service - WSS

Issue/Introduction

SAML Authentication enabled for WSS Agent users

Windows users will single sign on to SAML IDP server using Kerberos

MacOS users on devices not joined to the AD domain single sign on using x509 certificates

When the tunnel is brought up and users are challenged for authentication, the MacOS users fail with a "Page load error" and a message indicating that one or more parameters are missing


Authenticating to the IDP server directly from Safari on MacOS works correctly, so the issue is specific to WSS Agent authentication

Cause

The MacOS WSS Agent authentication interface (WKWebView) does not support the x509 client certificate authentication approach

Environment

MacOS 12.2

WSS Agent 8.0.60 installed (public preview build)

Resolution

Fixed in WSS Agent 8.1.1 builds and greater.

Additional Information

A few things need to be verified to make sure that x509 is set up correctly:

- The x509 certificate must be imported and allowed for use on the MacOS side

- The IDP server must challenge the WSS Agent host for an x509 certificate. The following TLS handshake confirms the certificate request from the IDP server; the example also confirms that the client sends its certificate in response

- Verify that everything works by opening a browser on the MacOS host and going to http://pod.threatpulse.com/. This should prompt for the certificate to be selected from a popup within the browser context, and single sign on should succeed.
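The handshake check in the second item above, as an added example that is not part of this article: a small Python parser that walks a TLS 1.2 handshake in both directions and reports whether the IDP sent a CertificateRequest and whether the client answered with a non-empty Certificate message. The handshake bytes are constructed for illustration, not captured from a WSS Agent or IDP session; in TLS 1.3 these messages are encrypted, so this plaintext check applies to TLS 1.2 captures only.

```python
"""Check a TLS 1.2 handshake for the x509 exchange the checklist requires:
a CertificateRequest from the IDP and a non-empty Certificate from the client.
All byte strings below are constructed samples, not a real capture."""
import struct

HANDSHAKE_RECORD = 22
CERTIFICATE = 11
CERTIFICATE_REQUEST = 13

def handshake_messages(stream: bytes):
    """Yield (type, body) for every handshake message in one direction's TLS records."""
    offset = 0
    while offset + 5 <= len(stream):
        content_type, _version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        payload = stream[offset + 5:offset + 5 + length]
        offset += 5 + length
        if content_type != HANDSHAKE_RECORD:
            continue  # alerts, ChangeCipherSpec and app data carry no handshake messages
        pos = 0
        while pos + 4 <= len(payload):
            msg_type = payload[pos]
            msg_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
            yield msg_type, payload[pos + 4:pos + 4 + msg_len]
            pos += 4 + msg_len

def mutual_tls_status(idp_to_client: bytes, client_to_idp: bytes) -> dict:
    """Did the IDP ask for a client certificate, and did the client actually send one?"""
    requested = any(t == CERTIFICATE_REQUEST for t, _ in handshake_messages(idp_to_client))
    cert_count = 0
    for msg_type, body in handshake_messages(client_to_idp):
        if msg_type == CERTIFICATE:
            # body = 3-byte certificate_list length, then entries of 3-byte length + DER bytes
            list_len = int.from_bytes(body[:3], "big")
            pos = 3
            while pos + 3 <= 3 + list_len:
                cert_count += 1  # an empty list here is the classic "client had no cert" failure
                pos += 3 + int.from_bytes(body[pos:pos + 3], "big")
    return {"idp_requested_cert": requested, "client_sent_cert": cert_count > 0,
            "client_cert_count": cert_count}

def _msg(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def _record(*messages: bytes) -> bytes:
    body = b"".join(messages)
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(body)) + body

# Constructed IDP flight: ServerHello, Certificate, CertificateRequest, ServerHelloDone
IDP_FLIGHT = _record(_msg(2, b"\x03\x03" + bytes(32) + b"\x00\xc0\x2f\x00"),
                     _msg(11, b"\x00\x00\x05\x00\x00\x02\x30\x00"),
                     _msg(13, b"\x01\x01\x00\x02\x04\x01\x00\x00"), _msg(14, b""))
# Constructed client replies: one dummy DER entry, and the empty-list failure case
CLIENT_WITH_CERT = _record(_msg(11, b"\x00\x00\x05\x00\x00\x02\x30\x00"), _msg(16, bytes(34)))
CLIENT_EMPTY_CERT = _record(_msg(11, b"\x00\x00\x00"), _msg(16, bytes(34)))
```

A capture where `idp_requested_cert` is False points at the IDP configuration; one where it is True but `client_sent_cert` is False points at the certificate import or trust settings on the MacOS side.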
