Users access internet sites/services via Cloud SWG using WSS Agent.
SAML authentication is enabled for WSS Agent, with Okta as the identity provider.
WSS Agents are running on the macOS platform.
Username/password-based authentication works great, but when using multi-factor authentication, users cannot complete the authentication.
The Okta FastPass (passwordless) option is rendered in the WSS Agent authentication popup, but no action is taken when the user selects the FastPass option.
Okta FastPass.
SAML authentication.
WSS Agent.
Enable the additional authentication configurations that are only available with WSS Agent 9.8.1.
Enable ephemeral authentication support using the following command:
sudo "/Applications/Symantec WSS Agent.app/Contents/MacOS/wssad" -p samlWebAuth=ephemeral
Multi-factor authentication was added with the WSS Agent 9.8.1 release.
If you use samlWebAuth=ephemeral, you get a "clean" private browsing window (with no cookies and no cache) every time the window pops up, that is, every time authentication is requested and the SAML session is not restored. As a result, there is NO way for the browser to automatically log the user in when using ephemeral.
When using samlWebAuth=non-ephemeral, it opens a new non-private browser window, so any session or persistent cookies you have in your browser (even from your normal browsing) could be used by the IdP to automatically log you in.
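
A deployment wrapper for the command above, as an added example that is not part of the original article or the vendor's tooling: it accepts only the two samlWebAuth values described here and refuses to run on an agent older than 9.8.1. Assumptions: the agent bundle reports its release in the standard CFBundleShortVersionString key of its Info.plist, and the function names and the `--apply` switch are hypothetical.

```shell
#!/bin/sh
# Added example: apply samlWebAuth only on an agent release that supports it.
APP="/Applications/Symantec WSS Agent.app"   # bundle path from the article
MIN_VERSION="9.8.1"                          # release named in the article

# version_ge A B: succeed when dotted version A >= B, comparing field by field.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0} y=${y:-0}
        case $x$y in *[!0-9]*) return 2 ;; esac   # reject non-numeric fields
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# valid_mode VALUE: only the two values described in the article are accepted.
valid_mode() {
    case $1 in ephemeral|non-ephemeral) return 0 ;; *) return 1 ;; esac
}

# apply_saml_web_auth VALUE: check the value and installed version, then set it.
apply_saml_web_auth() {
    mode=$1
    valid_mode "$mode" || { echo "unknown samlWebAuth value: $mode" >&2; return 2; }
    # Assumption: the release number is stored in CFBundleShortVersionString.
    installed=$(/usr/bin/defaults read "$APP/Contents/Info" \
        CFBundleShortVersionString 2>/dev/null) || return 3
    version_ge "$installed" "$MIN_VERSION" || {
        echo "WSS Agent $installed is older than $MIN_VERSION" >&2; return 4; }
    sudo "$APP/Contents/MacOS/wssad" -p "samlWebAuth=$mode"
}

# Hypothetical switch: nothing is changed unless --apply is passed explicitly.
if [ "${1:-}" = "--apply" ]; then
    apply_saml_web_auth "${2:-ephemeral}"
fi
```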