
Why does WSS Agent with SAML Authentication reference two different usernames?


Article ID: 241011




Web Security Service - WSS


WSS Agent with SAML Authentication

User successfully logs in, but WSS Agent references two separate username entities:

a) the username logged into the Windows or macOS host

b) the NameIdentifier sent by the SAML IdP when the user logs in that way

How are these usernames treated differently in the context of WSS, and which one gets used by WSS?


The username used to log in to the Windows or macOS host is used as the name of the tunnel until SAML authentication completes. Until authentication is complete, no traffic can flow through the tunnel.
Once SAML authentication completes and data is sent from the host into WSS, the SAML NameIdentifier is the username recorded in the WSS logs. Here is an example HTTP access log entry for the case above:

2022-05-05 08:10:16 "DP2-GGBLO99_proxysg3" 284 [email protected] - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http 80 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36" 1484 581 - - - - 0 "client" client_connector "Symantec Web Security Service" "-" "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - "United States" - "Ireland" 2 - - - - - - - - - - - - - - - - 2001:0DB8:3658:6d2d:7386:321f:329b:1764 2ee2420f3b36a442-0000000000b44680-0000000062738667 "GB" "United Kingdom"
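When correlating WSS access logs with endpoint or directory logs, the user field carries the SAML NameIdentifier, not the host login name, so an analyst needs a mapping between the two. The following Python is an added example, not code from the article or from the WSS product: it tokenizes an access log line of the shape shown above (quoted fields are kept whole), extracts the user field, and resolves it back to a host login through a mapping exported from the IdP. The field position (index 4), the email-style NameIdentifier value, the `IDP_NAME_ID_MAP` contents and the `CORP\jdoe` style host logins are all constructed assumptions for this example; verify the field position against the field header of your own WSS log export.

```python
import shlex
from typing import Dict, List, Optional

# Position of the user field in the sample line above (0-based after shlex
# splitting). This is an assumption about the layout shown in the article;
# confirm it against the field header of your own WSS access log export.
USER_FIELD_INDEX = 4

# Constructed sample: one line in the shape of the article's example, with the
# obfuscated user field replaced by an invented SAML NameIdentifier.
SAMPLE_LOG_LINE = (
    '2022-05-05 08:10:16 "DP2-GGBLO99_proxysg3" 284 jane.doe@example.com - - '
    'OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http 80 / - - '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/100.0.4896.127 Safari/537.36" 1484 581 - - - - 0 "client" client_connector '
    '"Symantec Web Security Service" "-" "United States" - - - - - none - - - - none - - '
    'ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - "United States" - "Ireland" 2'
)

# Constructed mapping of host login name -> SAML NameIdentifier, as it might be
# exported from the IdP's user directory. All values are invented.
IDP_NAME_ID_MAP: Dict[str, str] = {
    "CORP\\jdoe": "jane.doe@example.com",
    "CORP\\jsmith": "john.smith@example.com",
}


def parse_fields(line: str) -> List[str]:
    """Split a WSS access log line into fields, keeping double-quoted fields whole.

    shlex in POSIX mode strips the surrounding quotes, so a field such as
    "Technology/Internet" comes back as Technology/Internet.
    """
    return shlex.split(line, posix=True)


def extract_user(line: str) -> Optional[str]:
    """Return the user field of an access log line, or None if the line is too short
    or the field is the '-' placeholder WSS uses for an unauthenticated request."""
    fields = parse_fields(line)
    if len(fields) <= USER_FIELD_INDEX:
        return None
    user = fields[USER_FIELD_INDEX]
    return None if user == "-" else user


def resolve_host_login(name_id: str, mapping: Dict[str, str]) -> Optional[str]:
    """Reverse lookup: find the host login whose IdP NameIdentifier is name_id.

    Comparison is case-insensitive because NameIdentifier values that are email
    addresses are commonly normalized differently by IdP and directory exports.
    """
    wanted = name_id.casefold()
    for host_login, mapped_id in mapping.items():
        if mapped_id.casefold() == wanted:
            return host_login
    return None


def unmapped_users(lines: List[str], mapping: Dict[str, str]) -> List[str]:
    """Return the distinct NameIdentifiers seen in the logs that have no host login
    in the mapping. These are the identities worth a second look during an
    investigation: a stale directory export, a guest account, or an unexpected IdP."""
    known = {v.casefold() for v in mapping.values()}
    seen = []
    for line in lines:
        user = extract_user(line)
        if user and user.casefold() not in known and user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    user = extract_user(SAMPLE_LOG_LINE)
    print("NameIdentifier in log:", user)
    print("Host login:", resolve_host_login(user, IDP_NAME_ID_MAP))
```

Run it on a batch of exported lines and feed `unmapped_users` the result; anything it returns is a NameIdentifier that your directory export does not explain, which is the same gap an analyst hits when an endpoint alert names `CORP\jdoe` but the WSS log only ever shows the IdP identifier.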