
Users cannot authenticate successfully via SAML IDP server when accessing WSS services


Article ID: 242911


Products

Web Security Service - WSS

Issue/Introduction

WSS administration is done via UPE.

SAML authentication is enabled for all users accessing WSS services explicitly.

Users' browsers point to proxy.threatpulse.net (port 8080), but users are never redirected to the configured SAML IDP server for authentication.

Browser plugins such as SAML Tracer, or the browser developer tools, show that when accessing any web site via WSS the user is correctly redirected to https://saml.threatpulse.net:8443 before seeing timeout errors such as the following:

Cause

DNS lookup restrictions pushed out to WSS tenant

Environment

UPE Managed WSS tenant

On premise Proxy has DNS restrictions

DNS restrictions pushed out to WSS tenant

Resolution

Disable the DNS restrictions via UPE, or keep the DNS restrictions but define exceptions for the threatpulse.com domain as shown below:


Prior to this change, the policy pushed out included the following CPL, which caused WSS to fail to complete the authentication:

restrict dns
. ; all
end
restrict rdns
all
end

Additional Information

The /HTTP/DEBUG output on the proxy gives a clue that DNS is involved (the DoH handoff lines). With that clue, we could identify the DNS restrictions and confirm they were related to the issue.

// Working

5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    Returning 200 OK for CONNECT
5821.752 HTTP   Explicit HTTP DEBUG  HTTP CW 10E0D5DFA40                    [Return_http_message]
5821.752 HTTP   Explicit HTTP DEBUG  HTTP CW 10E0D5DFA40                    [Set_transaction_icap_response_info]
5821.752 HTTP   Explicit HTTP DEBUG  HTTP CW 10E0D5DFA40                    [Return_http_status]
5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    CONNECT URL destined for cert auth service 'SAML_realm_service' at 199.19.250.205:8443
5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    CONNECT URL (after DNS resolution) destined for service 'SAML_realm_service' at 199.19.250.205:8443
5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    Looking for secure service at '199.19.250.205:8443' (idx=0):
5821.752 HTTP   Explicit HTTP DEBUG  HTTP CW 10E0D5DFA40                    [Handoff_local_service]
5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    request from: 10.230.0.37, URL: tcp://saml.threatpulse.net:8443/
5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    ClassificationID: 13
5821.752 HTTP   Explicit HTTP DEBUG  HTTP CW 10E0D5DFA40                    [Determine_flow]
5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    SET_FUNCTION_PTR: CW_Object::Determine_flow line: 954

// Non working

5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    Returning 200 OK for CONNECT
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Return_http_message]
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Set_transaction_icap_response_info]
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Return_http_status]
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Detect_tcp_tunnel_protocol]
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Set_up_http_connect_tunnel]
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    SET_FUNCTION_PTR: CW_Object::Set_up_http_connect_tunnel line: 4491
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    Choosing tunneled request flow
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Determine_cacheability_flow]
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Handoff_RTMPT_Request]
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    DoH handoff bypassed
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    DoH: (not detected). Unsupported method 65538
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Handoff_doh_request]
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    application name = none
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    Could not determine service for tcp://saml.threatpulse.net:8443/
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Handoff_local_service]
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    request from: 10.230.0.30, URL: tcp://saml.threatpulse.net:8443/
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    ClassificationID: 13
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Determine_flow]
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    SET_FUNCTION_PTR: CW_Object::Determine_flow line: 954
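The two traces above differ at one point: in the working case the CONNECT to saml.threatpulse.net:8443 is mapped to the cert auth service 'SAML_realm_service' at 199.19.250.205:8443, while in the failing case the proxy falls through the DoH handoff path and logs "Could not determine service" for the same URL. The script below is an added example, not a Broadcom tool or part of this article, that triages /HTTP/DEBUG output along exactly that line so the pattern can be spotted quickly. It assumes the line layout shown above (timestamp, level, "HTTP CW <transaction id>", message) and uses the page's own log lines, trimmed, as sample input; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Sample input: the /HTTP/DEBUG excerpts shown on this page (working transaction
# 10E0D5DFA40, failing transaction 10DB62A5A40), trimmed to the relevant lines.
SAMPLE_LOG = """
5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    Returning 200 OK for CONNECT
5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    CONNECT URL destined for cert auth service 'SAML_realm_service' at 199.19.250.205:8443
5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    CONNECT URL (after DNS resolution) destined for service 'SAML_realm_service' at 199.19.250.205:8443
5821.752 HTTP   Explicit HTTP DEBUG  HTTP CW 10E0D5DFA40                    [Handoff_local_service]
5821.752 HTTP   Explicit HTTP INFO   HTTP CW 10E0D5DFA40                    request from: 10.230.0.37, URL: tcp://saml.threatpulse.net:8443/
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    Returning 200 OK for CONNECT
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    DoH handoff bypassed
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    DoH: (not detected). Unsupported method 65538
5344.615 HTTP   Explicit HTTP DEBUG  HTTP CW 10DB62A5A40                    [Handoff_doh_request]
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    Could not determine service for tcp://saml.threatpulse.net:8443/
5344.615 HTTP   Explicit HTTP INFO   HTTP CW 10DB62A5A40                    request from: 10.230.0.30, URL: tcp://saml.threatpulse.net:8443/
"""

# Assumed line layout of the /HTTP/DEBUG CONNECT lines shown on this page.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+HTTP\s+Explicit HTTP\s+(?P<level>INFO|DEBUG)\s+"
    r"HTTP CW\s+(?P<txn>[0-9A-F]+)\s+(?P<msg>.*)$"
)
# Working path: the CONNECT is mapped to a local service (here the SAML realm service).
SERVICE_RE = re.compile(
    r"destined for (?:cert auth )?service '(?P<svc>[^']+)' at (?P<dest>\S+)"
)
# Failing path: no service could be determined for the destination URL.
NOSVC_RE = re.compile(r"Could not determine service for (?P<url>\S+)")
CLIENT_RE = re.compile(r"request from: (?P<client>\S+), URL: (?P<url>\S+)")


def parse_lines(text):
    """Group parsed log lines by transaction id, preserving their order."""
    txns = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            txns[m["txn"]].append(m.groupdict())
    return txns


def classify_transaction(entries):
    """Return a verdict dict for one CONNECT transaction.

    status: 'working' when the CONNECT was handed to a named service,
            'failing' when the proxy could not determine a service,
            'unknown' otherwise.
    doh_path: True when the transaction went through the DoH handoff lines,
              the clue this article uses to suspect DNS restrictions.
    """
    verdict = {"status": "unknown", "service": None, "dest": None,
               "client": None, "url": None, "doh_path": False}
    for e in entries:
        msg = e["msg"]
        if (m := SERVICE_RE.search(msg)):
            verdict.update(status="working", service=m["svc"], dest=m["dest"])
        elif (m := NOSVC_RE.search(msg)):
            verdict.update(status="failing", url=m["url"])
        elif (m := CLIENT_RE.search(msg)):
            verdict.update(client=m["client"], url=m["url"])
        if "DoH" in msg or "Handoff_doh_request" in msg:
            verdict["doh_path"] = True
    return verdict


def triage(text):
    """Classify every transaction found in a /HTTP/DEBUG excerpt."""
    return {txn: classify_transaction(entries)
            for txn, entries in parse_lines(text).items()}


def suspect_dns_restriction(verdict):
    """A failing CONNECT that went through the DoH handoff path is the
    signature seen in this article; flag it for a DNS-restriction check."""
    return verdict["status"] == "failing" and verdict["doh_path"]


if __name__ == "__main__":
    for txn, v in triage(SAMPLE_LOG).items():
        flag = " <- check DNS restrictions" if suspect_dns_restriction(v) else ""
        print(f"{txn}: {v['status']:8} client={v['client']} url={v['url']} "
              f"service={v['service']} dest={v['dest']} doh_path={v['doh_path']}{flag}")
```

Run the script against a saved /HTTP/DEBUG capture by replacing SAMPLE_LOG with the file contents; a transaction flagged by suspect_dns_restriction is the one to cross-check against the restrict dns / restrict rdns CPL pushed to the tenant.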
