Troubleshoot SAML Authentication

Certificate Warnings

Sixty days before a certificate in the signing chain expires, the Symantec Web Security Service sends the administrators registered with the account a notification e-mail. Subsequent e-mails continue.This allows ample time to log in to the portal and add valid certificates.

Certificate Errors

SAML Cert Errors

  • Unsupported AlgorithmSymantec supports and recommends SHA2 for the WSS SAML integration. SHA1 is supported but not recommended. The limit for RSA and DSA algorithms is 2048.
  • Unsupported Key Size—For appropriate security level, the Key Size must be 2048 or greater.
  • Issuer—If WSS detects a break in the certificate chain, it displays the orphaned certificate and prompts for you to add the correct parent certificate. Click Add New Certificate and add the contents.

Clear Associated Auth Surrogates and Restart Authentication

If a client is experiencing SAML-related connection issues with the WSS, you can instruct the user to enter a URL that stops the connection to the WSS. The URL is https://notify.threatpulse.net/logout. The following occurs.

  • The user is logged out of the asset that currently maintains that connection in the WSS datacenter. If the user has existing valid sessions to other assets, those sessions will continue to be valid.
  • The user is not logged out of the SAML IdP.
  • If a user attempts to browse after logging out, they might be immediately be re-authenticated without the credential prompt. The WSS redirects to the IdP, where the user is still logged in, for authentication. Typically, the IdP uses a session cookie to identify the user's authenticated session. The IdP then redirects back to the WSS with a SAML assertion, and the user is signed back to the WSS asset. Because of this, Symantec recommends invoking the URL in a logout script or after the browser is closed so that session cookies are forgotten.

Internet Explorer Sessions

Some 3rd party extensions in Internet Explorer might cause the process to hang and never fully close down. As a result, the sessions might not end when an employee closes the IE window. The sessions will eventually time out, however. To see more about this issue, refer to the following Microsoft article.

http://answers.microsoft.com/en-us/ie/forum/ie9-windows_vista/after-closing-ie-windows-iexploreexe-processes-are/a3b1536d-1732-4f63-92d3-8fa927946d80

Other Errors

SAML Error Description/Symptom

Possible Cause
Employees receiving Failed to Connect browser errors after attempting to authenticate.
  • The employee's browser might not trust the SSL server certificate from the IDP.
  • Certificate error or not correctly created.

Various run-time errors.

The IDP does not recognize the Web Security Service entity ID because the federation is broken (or was never created) at the IDP..
The IDP fails to authenticate a known valid user. User does not exist or entered wrong password multiple times.

SAML Bypass List