SAML popup showing blank page with MacOS when WSS completely bypassed with SAC

Article ID: 254037

Updated On:

Products

Secure Access Cloud Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

WSS Agent is used on MacOS to send traffic into SAC.

Users bypass WSS completely for web traffic by adding IP bypasses for 1.1.1.1/1 and 128.1.1.1/1, since only SAC-destined traffic needs to be forwarded into WSS.

SAML enabled on WSS but instead of getting the SAML IDP server login page, a blank page is returned.

The HAR file shows the user request to http://pod.threatpulse.com, but instead of a redirect, a 204 response with no payload is returned (hence the blank page).


Environment

WSS Agent 8.2.1.

SAML Authentication to Okta IDP server.

SAC integration with WSS.


Cause

The WSS IP address bypass causes the DNS responses returned to be ignored by the WSS Agent, so requests to pod.threatpulse.com go direct to the host and not via WSS.

Resolution

Apply WSS Agent 9.0.62+.

This release addresses the issue so that the agent intercepts DNS requests for the required bypass domains, even when the IP bypasses above are configured.

Additional Information

When troubleshooting WSS Agent SAML issues on MacOS, it is important to run Symdiag and grab the HAR file in parallel.

The HAR file is obtained by running the following 2 commands in the MacOS terminal first, and then right-clicking the blank page (or IDP login page) and selecting the INSPECT option:

sudo "/Applications/Symantec WSS Agent.app/Contents/MacOS/wssad" -p signalAction=enableWebViewDevTools
sudo killall -SIGUSR2 com.symantec.wssa.wssax

Note that the HAR file often cannot be exported from MacOS when problems occur, and hence it is important for the user to take screenshots of the requests/responses. These can be used to confirm that we get 307 redirects to saml.threatpulse.com and not 204s, which trigger the blank page.
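Where the HAR file can be exported, the 307-versus-204 check above can be automated. The following is an added example and not part of the article or the WSS Agent; the HAR content is constructed to mirror the symptom described, and the resolved address 203.0.113.10 is a placeholder used to show why the two IP bypasses cover every destination:

```python
import ipaddress
import json

# Constructed sample HAR (not a real capture): the first entry shows the failing
# 204 from the article, the second the healthy 307 redirect to the SAML IDP.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "http://pod.threatpulse.com/"},
         "response": {"status": 204, "headers": []}},
        {"request": {"url": "http://pod.threatpulse.com/"},
         "response": {"status": 307,
                      "headers": [{"name": "Location",
                                   "value": "https://saml.threatpulse.com/saml/login"}]}},
    ]}
})

def triage_har(har_text, host="pod.threatpulse.com", idp_host="saml.threatpulse.com"):
    """Return (status, Location header, verdict) for every request to host."""
    results = []
    for entry in json.loads(har_text)["log"]["entries"]:
        if host not in entry["request"]["url"]:
            continue
        resp = entry["response"]
        location = next((h["value"] for h in resp.get("headers", [])
                         if h["name"].lower() == "location"), "")
        if resp["status"] == 307 and idp_host in location:
            verdict = "ok: redirected to SAML IDP via WSS"
        elif resp["status"] == 204:
            verdict = "blank page: request went direct to the host, not via WSS"
        else:
            verdict = "unexpected response"
        results.append((resp["status"], location, verdict))
    return results

def bypassed(ip, bypass_cidrs=("1.1.1.1/1", "128.1.1.1/1")):
    """True if ip falls inside any configured WSS IP bypass. strict=False so that
    host-style entries such as 1.1.1.1/1 normalise to their network (0.0.0.0/1);
    the two defaults together cover all of IPv4, which is what the article describes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in bypass_cidrs)

if __name__ == "__main__":
    for status, loc, verdict in triage_har(SAMPLE_HAR):
        print(status, loc or "-", verdict)
    print(bypassed("203.0.113.10"))  # placeholder resolved address -> True
```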