Incorrect username reported with WSS Agent UI when SAML authentication enabled causing valid requests to be blocked

Article ID: 270892


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

After integrating Cloud SWG with an Azure AD SAML IDP server for SAML authentication, authentication works fine, but the wrong username is displayed in the WSS Agent UI.

The 'Username' string also changes with every login: it always has the same length, but the characters are completely random.

Users accessing O365 gatelets are being denied when, according to policy, they should be allowed.

Environment

Azure SAML IDP server.

WSS Agent.

Cause

The Azure IDP server was not sending the Name Identifier format it was configured to send.

Resolution

Make sure the Azure Cloud SWG application 'Single Sign On' settings are configured to send the Unspecified Name Identifier format.

Although this was already the case in the above scenario, the persistent Name Identifier format was being sent with a random pseudonym instead, hence the opaque ID in the WSS Agent UI rather than the username. To address the issue, we changed the Name Identifier format in Azure to another format (Email) and then switched it back to Unspecified. This forced a re-read of the Azure configuration, at which point everything started working again.

Additional Information

Gathering a HAR file at the moment the SAML assertion is generated is key to troubleshooting this type of issue. In our case, the assertion contained what we suspected and what we saw in the WSS Agent UI, as per the snippet below:

<Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">4-K9rww8Rps3YG3KFwHpT5wjSMfGEG4U8k0eQD3290Y</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_f64cf7ba749d0a31d32acbf51080089252118e13552b036be5831b7bda3f34ad" NotOnOrAfter="2023-08-02T10:52:48.356Z" Recipient="https://saml.threatpulse.net:8443/saml/saml_realm/bcsamlpost"/>
    </SubjectConfirmation>
</Subject>


As the NameID Format in the assertion did NOT match the Name Identifier format configured in Azure (it was persistent instead of Unspecified), the decision was taken to switch the Azure configuration and force a re-apply of the config. Below are the Name Identifier format fields in the Azure SAML Single sign-on settings that were changed.
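To make the HAR check described above repeatable, here is an added example (not Broadcom or Microsoft code) that pulls the SAMLResponse POSTed to the Cloud SWG ACS URL out of a HAR file, decodes the assertion and reports whether the NameID Format matches the expected Unspecified format. The HAR content, the assertion and the NameID value are constructed for illustration, modelled on the snippet in this article; the expected URN is the standard SAML "unspecified" format, assumed here to be what Cloud SWG expects when Azure is set to Unspecified.

```python
"""Check the NameID format in a SAML assertion captured in a HAR file.
Added example for this article, not Broadcom or Microsoft code; the HAR,
assertion and NameID value are constructed (modelled on the article snippet).
"""
import base64, json, urllib.parse
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard "unspecified" NameID format (assumed to be what Cloud SWG expects here)
EXPECTED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
  >4-K9rww8Rps3YG3KFwHpT5wjSMfGEG4U8k0eQD3290Y</saml:NameID>
</saml:Subject></saml:Assertion></samlp:Response>"""

# Minimal constructed HAR: the browser POSTing SAMLResponse to the Cloud SWG ACS URL.
SAMPLE_HAR = json.dumps({"log": {"entries": [{"request": {
    "method": "POST",
    "url": "https://saml.threatpulse.net:8443/saml/saml_realm/bcsamlpost",
    "postData": {"params": [{"name": "SAMLResponse", "value": urllib.parse.quote(
        base64.b64encode(SAMPLE_RESPONSE.encode()).decode())}]}}}]}})


def extract_name_ids(har_text):
    """Return (Format, value) for every NameID in SAMLResponse POSTs within the HAR."""
    found = []
    for entry in json.loads(har_text)["log"]["entries"]:
        for param in entry["request"].get("postData", {}).get("params", []):
            if param["name"] != "SAMLResponse":
                continue
            # HAR tools URL-encode form params; the POST binding base64-encodes the XML.
            xml_bytes = base64.b64decode(urllib.parse.unquote(param["value"]))
            for nid in ET.fromstring(xml_bytes).iterfind(".//saml:NameID", NS):
                found.append((nid.get("Format", ""), nid.text or ""))
    return found


def check_assertion(har_text, expected=EXPECTED_FORMAT):
    """One verdict per NameID; MISMATCH flags the persistent pseudonym case from the article."""
    return [f"{'OK' if fmt == expected else 'MISMATCH'}: Format={fmt} NameID={value}"
            for fmt, value in extract_name_ids(har_text)]


if __name__ == "__main__":
    print("\n".join(check_assertion(SAMPLE_HAR)))
```

Run it against a real HAR exported from the browser during the IDP login to confirm, before touching the Azure settings, whether the IDP is actually sending the pseudonym seen in the WSS Agent UI.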