Troubleshoot SAML Authentication
Sixty days before a certificate in the signing chain expires, the Symantec Web Security Service sends a notification e-mail to the administrators registered with the account, and reminder e-mails continue after that. This allows ample time to log in to the portal and add valid certificates.
- Unsupported Algorithm—Symantec supports and recommends SHA2 for the WSS SAML integration. SHA1 is supported but not recommended. The minimum key size for RSA and DSA keys is 2048 bits.
- Unsupported Key Size—For appropriate security level, the Key Size must be 2048 or greater.
- Issuer—If WSS detects a break in the certificate chain, it displays the orphaned certificate and prompts you to add the correct parent certificate. Click Add New Certificate and add the contents.
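The three certificate conditions above, plus the 60-day expiry window, can be checked locally before a chain is uploaded to the portal. The following Go program is an added example written for this page, not Symantec code; it uses the standard library x509 package and constructs its own throwaway certificates (a self-signed root and a deliberately weak leaf) so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckCert applies the checks described above to one certificate of a SAML signing
// chain: expiry within 60 days, SHA1 signature, RSA key under 2048 bits, orphaned issuer.
func CheckCert(c *x509.Certificate, chain []*x509.Certificate, now time.Time) []string {
	f := []string{}
	if !c.NotAfter.After(now.Add(60 * 24 * time.Hour)) {
		f = append(f, "expires within 60 days")
	}
	if c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.DSAWithSHA1 {
		f = append(f, "SHA1 signature: supported but not recommended")
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		f = append(f, "RSA key below 2048 bits")
	}
	orphan := string(c.RawIssuer) != string(c.RawSubject) // a self-signed root never is
	for _, p := range chain {
		orphan = orphan && string(p.RawSubject) != string(c.RawIssuer)
	}
	if orphan {
		f = append(f, "issuer missing from chain: add the parent certificate")
	}
	return f
}

// MakeCert builds a constructed test certificate (a self-signed CA when parent is nil)
// so the checks can be exercised offline; nothing here is real WSS or IdP material.
func MakeCert(cn string, bits, days int, alg x509.SignatureAlgorithm,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		SignatureAlgorithm: alg, IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: template is its own parent
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Run CheckCert once per certificate, passing the complete set you intend to upload as chain; an intermediate whose parent is absent is reported as orphaned, which is the case the portal prompts you to fix.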
Clear Associated Auth Surrogates and Restart Authentication
If a client is experiencing SAML-related connection issues with the WSS, you can instruct the user to enter a URL that terminates the connection to the WSS. The URL is https://notify.threatpulse.net/logout. The following occurs:
- The user is logged out of the asset that currently maintains that connection in the WSS datacenter. If the user has existing valid sessions to other assets, those sessions will continue to be valid.
- The user is not logged out of the SAML IdP.
- If a user attempts to browse after logging out, they might immediately be re-authenticated without a credential prompt. The WSS redirects to the IdP, where the user is still logged in, for authentication. Typically, the IdP uses a session cookie to identify the user's authenticated session. The IdP then redirects back to the WSS with a SAML assertion, and the user is signed back in to the WSS asset. Because of this, Symantec recommends invoking the URL in a logout script or after the browser is closed, so that session cookies are forgotten.
Internet Explorer Sessions
Some third-party extensions in Internet Explorer might cause the process to hang and never fully close down. As a result, the sessions might not end when an employee closes the IE window. The sessions will eventually time out, however. For more about this issue, refer to the following Microsoft article.
| SAML Error Description/Symptom | Cause |
| --- | --- |
| Employees receiving Failed to Connect browser errors after attempting to authenticate. Various run-time errors. | The IdP does not recognize the WSS entity ID because the federation is broken (or was never created) at the IdP. |
| The IdP fails to authenticate a known valid user. | User does not exist or entered wrong password multiple times. |
SAML Bypass List
The following Knowledge Base article lists what the WSS SAML policy currently bypasses.