WSS Agent with SAML Authentication
The user logs in successfully, but the WSS Agent references two separate username entities:
a) the username used to log in to the Windows or macOS host
b) the NameIdentifier (NameID) returned by the SAML IdP when the user authenticates to WSS
How are these usernames treated differently in the context of WSS, and which one gets used by WSS?
The username used to log in to the Windows or macOS host is used as the name of the tunnel until SAML authentication completes. Until authentication is complete, no traffic can flow through the tunnel.
Once SAML authentication completes and traffic flows from the host into WSS, the SAML NameIdentifier is the username recorded in the WSS logs; the host login does not appear there. Here is an example HTTP access log entry for the case above. The username field, immediately after the client IP, carries the NameID:
2022-05-05 08:10:16 "DP2-GGBLO99_proxysg3" 284 188.8.131.52 [email protected] - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http pod.threatpulse.com 80 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" 192.168.2.86 1484 581 - - - - 0 "client" client_connector "Symantec Web Security Service" "-" 184.108.40.206 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 220.127.116.11 "United States" - "Ireland" 2 - - - - - - - - - - - - - - - - 2001:0DB8:3658:6d2d:7386:321f:329b:1764 2ee2420f3b36a442-0000000000b44680-0000000062738667 18.104.22.168 22.214.171.124 "GB" "United Kingdom"
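The following is an added example, not code from the original article or from Symantec/Broadcom, showing how an analyst can parse access log entries in the layout shown above and pull out the username field to confirm it carries the SAML NameID rather than the host login. The field names are an assumption based on the example entry and the standard ProxySG main access-log layout (device name inserted after the time); the email-style versus DOMAIN\user classification is a heuristic, and the sample entries are constructed, not real WSS output.

```python
"""Parse WSS HTTP access log lines and inspect the username field.

Field order follows the example entry on this page. Treat the names as an
assumption and verify them against the access log format configured in your
WSS portal before relying on any position beyond the username.
"""

FIELD_NAMES = [
    "date", "time", "device", "time_taken", "client_ip", "username",
    "auth_group", "exception_id", "filter_result", "categories", "referer",
    "status", "action", "method", "content_type", "scheme", "host", "port",
    "path", "query", "extension", "user_agent",
]


def split_fields(line: str) -> list[str]:
    """Split a space-delimited log line, keeping double-quoted values intact.

    Quotes are stripped from the returned tokens. Escaped quotes inside a
    quoted value are not handled, which is fine for the fields used here.
    """
    fields, current, in_quote, started = [], [], False, False
    for ch in line.rstrip("\r\n"):
        if ch == '"':
            in_quote = not in_quote
            started = True          # a bare "" still yields an (empty) token
        elif ch == " " and not in_quote:
            if started:
                fields.append("".join(current))
                current, started = [], False
        else:
            current.append(ch)
            started = True
    if started:
        fields.append("".join(current))
    return fields


def parse_access_log_line(line: str) -> dict[str, str]:
    """Return the leading fields of one access log entry keyed by name."""
    fields = split_fields(line)
    if len(fields) < len(FIELD_NAMES):
        raise ValueError(f"expected at least {len(FIELD_NAMES)} fields, got {len(fields)}")
    return dict(zip(FIELD_NAMES, fields))


def username_kind(username: str) -> str:
    """Classify what the username field carries (heuristic, an assumption).

    WSS writes the SAML NameIdentifier here once authentication completes; an
    email-style NameID is what the page's example shows. A DOMAIN\\user value
    would be a host login, which per the article names the tunnel rather than
    the log entries. "-" means no user is associated with the request.
    """
    if username == "-":
        return "unauthenticated"
    if "@" in username:
        return "saml_nameid"
    if "\\" in username:
        return "host_login"
    return "other"


def users_by_client(lines):
    """Map each client IP to the set of usernames seen for it.

    Useful when reconciling the NameID in the logs with the host login that
    named the agent tunnel: one workstation should normally show a single
    NameID once SAML authentication has completed.
    """
    seen: dict[str, set[str]] = {}
    for line in lines:
        record = parse_access_log_line(line)
        seen.setdefault(record["client_ip"], set()).add(record["username"])
    return seen


# Constructed sample entries in the page's field order (RFC 5737 addresses,
# example.com identities); they are not real WSS output.
SAMPLE_LINES = [
    '2022-05-05 08:10:16 "wss-pod-1" 284 192.0.2.10 alice@example.com - - OBSERVED '
    '"Technology/Internet" - 200 TCP_NC_MISS GET text/html http www.example.com 80 / - - '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2022-05-05 08:10:17 "wss-pod-1" 120 192.0.2.10 alice@example.com - - OBSERVED '
    '"Business/Economy" - 200 TCP_NC_MISS GET text/html https intranet.example.com 443 /home - - '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '2022-05-05 08:10:19 "wss-pod-1" 310 192.0.2.11 bob@example.com - - OBSERVED '
    '"Technology/Internet" - 200 TCP_NC_MISS GET text/html http www.example.com 80 / - - '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3) AppleWebKit/605.1.15"',
    '2022-05-05 08:10:21 "wss-pod-1" 45 192.0.2.12 - - - OBSERVED '
    '"Technology/Internet" - 200 TCP_NC_MISS GET text/html http www.example.com 80 / - - '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
]

if __name__ == "__main__":
    for ip, names in sorted(users_by_client(SAMPLE_LINES).items()):
        print(ip, {n: username_kind(n) for n in names})
```

Run it against a real export after adjusting FIELD_NAMES to your configured log format; any client that shows a DOMAIN\user value or "-" after SAML should have completed is worth a closer look, since the article states only the NameID is expected there once traffic flows.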