After integrating Cloud SWG SAML authentication with an Azure AD SAML IDP server, authentication works, but the wrong username is displayed in the WSS Agent UI.
The 'Username' string also changes with every login: it appears to have the same length each time, but its characters are completely random.
Users accessing O365 gatelets are being denied when, in theory, they should be allowed.
Azure SAML IDP server.
Azure IDP server not sending the assertion it was configured to send.
Make sure the Azure Cloud SWG application's 'Single Sign On' settings are configured to send the Unspecified Name Identifier format.
Although this was already configured in the above scenario, a persistent name identifier carrying a random pseudonym was being sent instead, hence the opaque ID in the WSS Agent UI rather than the username. To address the issue, we changed the Name Identifier format in Azure to another format (Email) and then switched it back to Unspecified. This forced a re-read of the Azure configuration, at which point everything started working again.
Gathering a HAR file at the moment the SAML assertion is generated is key to troubleshooting this type of issue. In our case, the assertion contained what we suspected and what we saw in the WSS Agent UI, as per the snippet below:
<SubjectConfirmationData InResponseTo="_f64cf7ba749d0a31d32acbf51080089252118e13552b036be5831b7bda3f34ad" NotOnOrAfter="2023-08-02T10:52:48.356Z" Recipient="https://saml.threatpulse.net:8443/saml/saml_realm/bcsamlpost"/>
As the Name Identifier format in the assertion did NOT match the format defined in the configuration, the decision was made to switch the Azure setting and force a re-apply of the config. Here are the name identifier format fields in the Azure SAML Single Sign On settings that were changed.
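The check described above (pull the SAMLResponse out of a HAR capture, decode it, and compare the NameID format the IDP actually sent with the format the service provider expects) can be scripted so it does not depend on reading base64 by eye. The following is an added example written for this article; it is not Broadcom's or Microsoft's code. It assumes a HAR file as exported by a browser's developer tools, with the SAML POST to the Cloud SWG ACS URL recorded as a form-encoded request, and builds a constructed HAR inline so it runs offline. The ACS URL and InResponseTo value are taken from the snippet above; the issuer, IDs and subject values in the constructed response are made up.

```python
"""Pull the SAMLResponse out of a HAR capture and check the NameID format.

Added example for this KB article; not Broadcom's or Microsoft's code.
Assumes a HAR file as exported by browser developer tools, with the SAML
POST to the Cloud SWG ACS URL recorded as a form-encoded request. The
sample HAR below is constructed inline so the script runs offline.
"""
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values taken from the assertion snippet in the article; everything else in
# the constructed response (issuer, IDs, subject value) is made up.
ACS_URL = "https://saml.threatpulse.net:8443/saml/saml_realm/bcsamlpost"
IN_RESPONSE_TO = "_f64cf7ba749d0a31d32acbf51080089252118e13552b036be5831b7bda3f34ad"


def load_har(path: str) -> dict:
    """Read a HAR file exported from the browser (HAR is plain JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def build_sample_har(name_format: str, name_value: str) -> dict:
    """Construct a minimal HAR whose only entry is the SAML POST to the ACS."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp1" Version="2.0" Destination="{ACS_URL}">'
        '<saml:Issuer>https://idp.example.test/</saml:Issuer>'
        '<saml:Assertion ID="_assert1" Version="2.0">'
        '<saml:Subject>'
        f'<saml:NameID Format="{name_format}">{name_value}</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{IN_RESPONSE_TO}" '
        f'NotOnOrAfter="2023-08-02T10:52:48.356Z" Recipient="{ACS_URL}"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )
    # Browsers record the form value as it went on the wire: base64, then URL-encoded.
    encoded = quote(base64.b64encode(xml.encode()).decode(), safe="")
    return {"log": {"entries": [{
        "request": {
            "method": "POST",
            "url": ACS_URL,
            "postData": {
                "mimeType": "application/x-www-form-urlencoded",
                "params": [{"name": "SAMLResponse", "value": encoded}],
            },
        }
    }]}}


def extract_saml_responses(har: dict) -> list:
    """Return one record per SAMLResponse found in the HAR's POST bodies."""
    found = []
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        if req.get("method") != "POST":
            continue
        for p in req.get("postData", {}).get("params", []):
            if p.get("name") != "SAMLResponse":
                continue
            # unquote (not unquote_plus) so a '+' in un-encoded base64 survives
            root = ET.fromstring(base64.b64decode(unquote(p["value"])))
            name_id = root.find(".//saml:NameID", NS)
            scd = root.find(".//saml:SubjectConfirmationData", NS)
            found.append({
                "url": req.get("url"),
                "encrypted": root.find(".//saml:EncryptedAssertion", NS) is not None,
                "nameid_format": name_id.get("Format") if name_id is not None else None,
                "nameid_value": name_id.text if name_id is not None else None,
                "recipient": scd.get("Recipient") if scd is not None else None,
                "not_on_or_after": scd.get("NotOnOrAfter") if scd is not None else None,
            })
    return found


def diagnose(record: dict, expected_format: str = UNSPECIFIED) -> str:
    """Compare what the IDP actually sent against what the SP is configured for."""
    if record["encrypted"]:
        return "ENCRYPTED: assertion is encrypted; decrypt with the SP key before inspecting"
    if record["nameid_format"] is None:
        return "MISSING: no NameID in the assertion"
    if record["nameid_format"] != expected_format:
        return (f"MISMATCH: IDP sent {record['nameid_format']} (value {record['nameid_value']!r}), "
                f"SP expects {expected_format}; the agent will show this opaque value as the username")
    return f"OK: NameID format matches, username {record['nameid_value']!r}"


if __name__ == "__main__":
    # The bad case mirrors the article: persistent format carrying a random pseudonym.
    bad = build_sample_har(PERSISTENT, "Qk7xPz2mL0aV")
    good = build_sample_har(UNSPECIFIED, "alice@example.test")
    for har in (bad, good):
        for rec in extract_saml_responses(har):
            print(diagnose(rec))
```

On a real capture, replace the constructed HAR with `load_har("capture.har")`; the script reports a MISMATCH for the symptom in this article (a persistent NameID whose value is a random pseudonym) and OK once the IDP sends the Unspecified format with the user's name. Azure AD does not encrypt assertions by default, but if the SP has token encryption enabled the NameID is inside an EncryptedAssertion and the script flags that rather than guessing.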