Intercept X EAP issues with SAML Authentication

We have observed that the systems we tested the Early Access Agent on have run into issues with SAML authentication. Any system we installed the BETA version on has broken authentication relying on our Hybrid Azure ADFS for authentication, meaning that the affected users cannot log in to any of our internal applications that usually rely on Single Sign-On via ADFS. Any attempts to log in to applications/resources reliant on this authentication result in null values being sent to ADFS, based on review of the logs from Azure.

I will add that if we uninstall the EAP/BETA version and install the main version, the issue is resolved.

  • We have seen the same issue with a customer that recently (last week) got the new endpoint agent from Sophos (https://support.sophos.com/support/s/article/KB-000043550?language=en_US).

    Before the update, clients were able to authenticate using ADFS with SSO. This is when logging in to internal applications.
    After the update the ADFS page suddenly shows a login prompt and it doesn't matter which login credentials you provide, it will just not log you on and bring the credentials popup back.

    The customer found out that if they removed the Sophos Endpoint Agent it would work again, so we started looking in that direction.
    We tested by pulling a laptop that was offline for 20 days from the shelf, tried the SSO login -> worked, forced a Sophos agent update and reboot, tried the SSO login again -> didn't work anymore.

    After a lot of research we found out it was the "Real Time Scanning - Internet" option on the client that caused this. When we disabled that option, SSO worked again.
    As a workaround we've now added the client domain as a website exclusion in the endpoints policy and this fixed the issue right away for all their endpoints.

    The most confusing part was that it didn't show any errors or blocks anywhere from Sophos. Not on the client, not in Sophos Central.
    Could be because they're running Intercept X Essentials, but would've at least liked to see something. Hope this is not a preview of what is going to happen for all our customers in the upcoming weeks...
