Why does WSS Agent with SAML Authentication reference two different usernames?
Article ID: 241011
Updated On:
Products
Issue/Introduction
WSS Agent with SAML Authentication
User successfully logs in but WSS Agent references two separate username entities
a) the username logged into the Windows or MacOS host
b) the NameIdentifier sent by the SAML IDP server when the user logs in that way
How are these usernames treated differently in the context of WSS, and which one gets used by WSS?
Resolution
The username used to login to the Windows or MacOS host is used for the name of the tunnel until SAML is authenticated. Until authentication is complete, no traffic can flow through the tunnel.
Once SAML authentication completes and data is sent from the host into WSS, we will use the SAML NameIdentifier in the WSS logs. Here's an example for the HTTP access logs in the above case:
2022-05-05 08:10:16 "DP2-GGBLO99_proxysg3" 284 181.20.25.251 [email protected] - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http pod.threatpulse.com 80 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" 192.168.2.86 1484 581 - - - - 0 "client" client_connector "Symantec Web Security Service" "-" 35.227.235.56 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 35.227.235.56 "United States" - "Ireland" 2 - - - - - - - - - - - - - - - - 2001:0DB8:3658:6d2d:7386:321f:329b:1764 2ee2420f3b36a442-0000000000b44680-0000000062738667 46.235.152.243 46.235.152.243 "GB" "United Kingdom"
Attachments
Feedback
