When SAML authentication is enabled for WSS Agent, the authentication is performed before the user can browse the internet.
Browser-based SAML debugging tools therefore cannot be used.
WSS Agent 8.x or higher with WebView2 is required (if WebView2 is not installed for some reason, WSS Agent will prompt for its installation; otherwise it can be downloaded and installed separately as described here).
SAML authentication must be enabled for WSS Agent in an Authentication Policy G4 rule:
Here are the steps to enable SAML debugging when SAML authentication is enabled for WSS Agent:
1. Enable developer tools for WSS Agent
• On Windows, open a command prompt as Administrator and run the following command:
sc control wssad 175
• On macOS
- For machines running the kext version of WSSA (Catalina and earlier), type in the terminal window:
sudo /opt/symantec/wssa/wssad -p signalAction=enableWebViewDevTools
sudo killall -SIGUSR2 wssad
- For machines running the network extension version of WSSA (Big Sur and later), type in the terminal window:
sudo "/Applications/Symantec WSS Agent.app/Contents/MacOS/wssad" -p signalAction=enableWebViewDevTools
sudo killall -SIGUSR2 com.symantec.wssa.wssax
2. Open WSS Agent and click "RECONNECT". While reconnecting, the "Waiting for User Authentication" message appears first:
3. When the new "WSS Login" window appears, right-click in it and select the last option:
• On Windows it is called "Inspect":
• On macOS it is called "Inspect Element":
4. On Windows, the Developer Tools (DevTools) window opens. Make sure the "Network" tab is selected, then enable the "Preserve log" and "Disable cache" options:
On macOS there is no separate window; DevTools loads as part of the "WSS Login" window. Make sure the "Network" tab is selected, then enable "Preserve Log":
5. Click "RECONNECT" or "Reload" in the WSS Agent window once again, and SAML entries will appear in the DevTools window:
• On Windows:
• On macOS:
6. Save the output as a HAR file (by clicking the arrow pointing down). Currently this option is available only on Windows:
If the WebView popup does not appear after running the troubleshooting commands above, it may be because the session is still active on the SAML IdP server. If this is the case, go to the IdP server directly and remove the user's session.
If authentication succeeds but there are concerns about the contents of the assertion, the following option exists in the browser to get the assertion details:
- open a new tab in an existing browser
- open developer tools and start capturing network traffic
- go to https://notify.threatpulse.net/logout to log out of the proxy the user is accessing
- access http://pod.threatpulse.com
This generates a new set of SAML redirects, which ultimately end with a POST to the bcsamlpost endpoint carrying the assertion. The assertion can then be inspected to confirm whether the attributes and subject match what is expected.
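As an added example (not part of the original article or the product), the following Python script does the inspection described above offline: it reads a HAR file saved from DevTools (step 6), finds the form POST that carries the SAMLResponse field, base64-decodes it and summarizes the assertion's issuer, subject, audience, validity window and attributes so they can be compared with what the IdP is expected to send. The hosts, user and attribute values in the embedded sample HAR are constructed placeholders; only the bcsamlpost path comes from the article. Pass a HAR path on the command line to analyze a real capture; with no argument it runs on the embedded sample. It reports whether a Signature element is present but does not verify it, and an EncryptedAssertion is reported as unreadable rather than decrypted.

```python
import base64
import json
import sys
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SAML response (not a real capture); hosts and user are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" Destination="https://proxy.example.invalid/bcsamlpost">
 <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.invalid</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://proxy.example.invalid/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="groups">
    <saml:AttributeValue>staff</saml:AttributeValue>
    <saml:AttributeValue>vpn-users</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def build_sample_har():
    """Constructed HAR with the two entry types a SAML login produces: the redirect to
    the IdP and the final form POST that carries the base64-encoded SAMLResponse."""
    b64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")
    return {"log": {"entries": [
        {"request": {"method": "GET",
                     "url": "https://idp.example.invalid/sso?SAMLRequest=placeholder"}},
        {"request": {"method": "POST", "url": "https://proxy.example.invalid/bcsamlpost",
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "text": urlencode({"SAMLResponse": b64, "RelayState": "x"})}}},
    ]}}


def find_saml_responses(har):
    """Yield (url, decoded XML) for every POST whose form body has a SAMLResponse field."""
    for entry in har["log"]["entries"]:
        req = entry.get("request", {})
        body = req.get("postData", {}).get("text")  # DevTools stores the raw body here
        if req.get("method") != "POST" or not body:
            continue
        for b64 in parse_qs(body).get("SAMLResponse", []):
            yield req["url"], base64.b64decode(b64).decode("utf-8")


def summarize_assertion(xml_text):
    """Pull out the fields worth comparing against the IdP configuration."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion (or a response with no assertion) cannot be read from a capture.
        return {"readable": False,
                "encrypted": root.find("saml:EncryptedAssertion", NS) is not None}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    cond = assertion.find("saml:Conditions", NS)
    return {
        "readable": True,
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "subject": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)},
        # Presence only: this script does not validate XML signatures.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
    }


def analyze_har(har):
    """Return [(post_url, summary)] for every SAMLResponse found in the capture."""
    return [(url, summarize_assertion(xml)) for url, xml in find_saml_responses(har)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            har = json.load(f)
    else:
        har = build_sample_har()
    for url, summary in analyze_har(har):
        print(url)
        print(json.dumps(summary, indent=2))
```

The script only decodes what the browser already sent in clear; the signature flags say whether a Signature element exists, not whether it verifies, so a mismatch between the summary and the expected subject or attributes should be followed up on the IdP configuration rather than treated as proof of tampering.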