x509 authentication failing with WSSA and SAML on MacOS devices
Article ID: 240907
Updated On:
Products
Issue/Introduction
SAML Authentication enabled for WSS Agent users
Windows users will single sign on to SAML IDP server using Kerberos
MacOS users MacOS devices not connected to AD domain and single sign on using x509 certificates
When the tunnel is brought up and users are challenged for authentication, the MacOS users fail with "Page load error" and message indicating that one or more parameters are missing
Using Safari on MacOS to authenticate to the IDP server works correctly, hence only an issue with WSS Agent authentication
Environment
MacOS 12.2
WSS Agent 8.0.60 installed (public preview build)
Cause
The MacOS WSS Agent authentication interface (wkwebview) does not support the x509 authentication approach
Resolution
Fixed in WSS Agent 8.1.1 builds and greater.
Additional Information
Need to verify a few things to make sure that x509 is setup correctly:
- x509 certificate must be imported and allowed for us on MacOS side
- IDP server must challenge WSS Agent host for x509 certificate - the following TLS handshake confirms the certificate request from the IDP server; the example confirms the client sends the certificate in the response
- verify all works fine by bringing up a browser on the MacOS host and going to http://pod.threatpulse.com/. This should show the certificate to be selected from a popup within the browser context, where single sign on should succeed.
Attachments
Feedback
