IPSEC users asked to authenticate to SAML IDP server every 10-15 minutes when IP surrogate timeout set to 12 hours
Article ID: 245403

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

IPSEC users authenticate to WSS using IP surrogates with a session timeout set to 12 hours.

The Auth Connector is enabled but is not currently used for user authentication; it may be used in future for WSS Agent roaming users.

WSS users of Microsoft Teams / SharePoint report that the application stops working after about 10-15 minutes.

Some users of CORS-enabled applications report that the application breaks after about 10-15 minutes.

If the user goes back to a standard web site and browses successfully, the above applications start to work again. This is because the SAML session is renewed and continues to work until the next Auth Connector update.

Environment

Users accessing WSS using IPSEC access method

SAML authentication enabled with IP surrogates

Auth Connector enabled on WSS tenant

Cause

Bug in WSS where an Auth Connector setup (cloud_realm) can clear the SAML session information (saml_realm).

Resolution

The WSS Engineering team identified a fix and pushed it out at the end of July 2022. Should this type of issue still be seen, workarounds include:

- Disable the Auth Connector if possible (it is not needed with SAML).
- If the Auth Connector is required for other access methods (WSS Agent, for example), block the TCP connection from the Auth Connector to the data center to which the IPSEC users are connected. The Auth Connector communication into the WSS Agent data center can continue without issues.