Why does WSS Agent with SAML Authentication reference two different usernames?

Article ID: 241011

Products

Web Security Service - WSS

Issue/Introduction

WSS Agent with SAML Authentication

The user logs in successfully, but WSS Agent references two separate username entities:

a) the username logged into the Windows or macOS host

b) the NameIdentifier sent by the SAML IdP when the user authenticates through it

How are these usernames treated differently in the context of WSS, and which one does WSS use?

Resolution

The username used to log in to the Windows or macOS host is used as the name of the tunnel until SAML authentication completes. Until authentication is complete, no traffic can flow through the tunnel.
Once SAML authentication completes and the host sends data into WSS, the SAML NameIdentifier is what appears in the WSS logs. Here is an example HTTP access log entry for the case above:

2022-05-05 08:10:16 "DP2-GGBLO99_proxysg3" 284 181.20.25.251 [email protected] - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http pod.threatpulse.com 80 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" 192.168.2.86 1484 581 - - - - 0 "client" client_connector "Symantec Web Security Service" "-" 35.227.235.56 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 35.227.235.56 "United States" - "Ireland" 2 - - - - - - - - - - - - - - - - 2001:0DB8:3658:6d2d:7386:321f:329b:1764 2ee2420f3b36a442-0000000000b44680-0000000062738667 46.235.152.243 46.235.152.243 "GB" "United Kingdom"
