Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Replies 13 replies
  • Subscribers 5 subscribers
  • Views 4414 views
  • Users 0 members are here
Options
Suggested

Intercept X EAP issues with SAML Authentication

Keith Hartung

We have observed that the systems we tested the Early Access Agent on have run into issues with SAML Authentication. Any system we installed the BETA version on has broken authentication relying on our Hybrid Azure ADFS for authentication. Meaning that the users affected cannot log into any of our internal applications that usually rely on Single Sign ON via ADFS. Any attempts to log in to applications/resources reliant on this authentication result in null values being sent to ADFS, based on review of the logs from Azure.

I will add, that if we uninstall the EAP/BETA version and install the main version the issue is resolved. 

Parents
  • 0

    We have seen the same issue with a customer that recently (last week) got the new endpoint agent from Sophos (https://support.sophos.com/support/s/article/KB-000043550?language=en_US).

    Before the update clients were able to authenticate using adfs with sso. This is when logging in to internal applications.
    After the update the ADFS page suddenly shows a login prompt and it doesn't matter which login credentials you provide, it will just not log you on and bring the credentials popup back.

    The customer found out that if they removed the Sophos Endpoint Agent it would work again, so we started looking in that direction.
    We tested by pulling a laptop that was offline for 20 days from the shelve, try the sso login -> worked, forced a sophos agent update and reboot, try the sso login again -> didn't work anymore.

    After a lot of research we found out it was the "Real Time Scanning - Internet" on the client option that caused this. When we disabled that option SSO worked again.
    As a workaround we've now added the client domain as a website exclusion in the endpoints policy and this fixed the issue right away for all their endpoints.

    The most confusing was that it didn't show any errors or blocks anywhere from Sophos. Not on the client, not in Sophos Central.
    Could be because they're running InterceptX Essentials, but would've at least liked to see something. Hope this is not a preview of what is going to happen for all our customers in the upcoming weeks...

  • 0 in reply to Jeroen Trippe

    Do you see Server Sent Events (SSE) failing in the Developer tool of the browser?

  • 0 in reply to Sophos User930

    Hard to say now, as we already have the workaround in place...
    Had to do this in the base policy because of interceptx essentials, so there's no real way to troubleshoot anymore unless I want to break it again for all machines.

  • 0 in reply to Jeroen Trippe

    On a test computer, you could go into:

    HKLM\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[revision]\web_protection

    In the approved_site_patterns value, I assume you see the exclusion you made.  With Tamper Off, you could remove it and restart the "Sophos Network Threat Protection" service.  I assume this then breaks the site again?

    If so, do you see "red" entries in the Network view?  I assume if you add the domain column, it will be a resource from the domain you excluded?

    Do these appear to be SSE related requests?

    Thanks.

  • 0 in reply to Sophos User930

    I'll ask the customer if they still have a test machine available for me. Will get back to you!

Reply Children
No Data
Unfiltered HTML