x509 authentication failing with WSSA and SAML on MacOS devices


Article ID: 240907




Cloud Secure Web Gateway - Cloud SWG


SAML Authentication enabled for WSS Agent users

Windows users will single sign on to SAML IDP server using Kerberos

MacOS users are on devices that are not joined to the AD domain and single sign on using x509 certificates.

When the tunnel is brought up and users are challenged for authentication, the MacOS users fail with a "Page load error" and a message indicating that one or more parameters are missing.


Using Safari on MacOS to authenticate to the IDP server works correctly, so the issue is limited to WSS Agent authentication.


MacOS 12.2 

WSS Agent 8.0.60 installed (public preview build)


The MacOS WSS Agent authentication interface (WKWebView) does not support the x509 authentication approach.


Fixed in WSS Agent 8.1.1 builds and greater.

Additional Information

A few things need to be verified to make sure that x509 is set up correctly:

- The x509 certificate must be imported and allowed for use on the MacOS side.

- The IDP server must challenge the WSS Agent host for an x509 certificate. The following TLS handshake confirms the certificate request from the IDP server; the example confirms that the client sends the certificate in response.

- Verify that everything works by opening a browser on the MacOS host and going to http://pod.threatpulse.com/. The browser should show a popup for selecting the certificate, after which single sign on should succeed.
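As an added example (not from the article), the two checks above can be scripted: whether an x509 identity is usable for client authentication on the Mac, and whether the IDP actually requests a client certificate during the TLS handshake. It assumes openssl(1) and, on macOS, security(1) are available; host names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article. Two checks for the
# list above: is the x509 identity usable on the Mac, and does the IDP
# request a client certificate in the TLS handshake?
# Assumes openssl(1) and, on macOS, security(1); host names are placeholders.

# macOS only: list identities (cert + private key) usable for TLS client auth.
# An identity that does not appear here cannot be offered to the IDP.
list_client_identities() {
    security find-identity -v -p ssl-client
}

# Classify verbose `openssl s_client` output. OpenSSL prints the acceptable CA
# list when the server sent a CertificateRequest and "No client certificate CA
# names sent" otherwise. Caveat: a CertificateRequest with an empty CA list also
# prints the latter, so a packet capture remains the authoritative check.
classify_handshake() {
    if printf '%s\n' "$1" | grep -q '^Acceptable client certificate CA names'; then
        echo "cert-requested"
    elif printf '%s\n' "$1" | grep -q '^No client certificate CA names sent'; then
        echo "no-cert-request"
    else
        echo "unknown"
    fi
}

# Probe a live IDP endpoint. -servername sends SNI so the right virtual host
# answers; stdin is closed so s_client exits right after the handshake.
probe_idp() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
    classify_handshake "$out"
}

# Constructed, abridged s_client outputs for an offline self-check.
SAMPLE_REQUESTED='---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Issuing CA
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 3456 bytes and written 401 bytes'
SAMPLE_NOT_REQUESTED='---
No client certificate CA names sent
---
SSL handshake has read 3120 bytes and written 395 bytes'

# Usage: probe_idp idp.example.com   (placeholder IDP host)
```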