Unexpected SAML Auth Behavior

We've already opened a ticket for this, but I wanted to throw this out to the community to see if anyone else is seeing similar behavior.

We are using the Mobile SSL VPN Client version 12.11.4 with an M290 on firmware 12.11.3.B719894, with SAML requests going to Entra/Azure.

When I installed Office 2021 LTSC, I said yes to the prompt asking if I wanted to allow my credentials to be used to log in to all Microsoft products (Office, Teams, OneDrive, Edge, etc.).

I've applied the 12.11.4 workaround in regards to copying the WatchGuard folder to the AppData/local folder.
When I run the client and auth with SAML, the WebView2 window opens and is white for a few seconds, and then says "You've been successfully authenticated" and nothing happens. The window doesn't close, and the connection doesn't establish.
The log shows the following:
2025-09-26T10:16:04.300 Requesting client configuration from XXX.XXX.XXX.XXX:443
2025-09-26T10:16:07.991 Navigation complete.

If I right-click within the WebView2 window and click refresh, it closes the window and completes the connection successfully to the firewall.

I assume that the prompt with the Office install to use the credentials is allowing me to bypass actually having to go through the auth process on the webview2 screen.
My co-worker specified No on that Office install screen when prompted to use the creds for all Microsoft products, because he wants to be able to log in to each Microsoft product with different creds. He has to go through the whole login process on the webview2 screen in order to authenticate the SAML VPN connection.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @BetterInvesting

    This appears to match a bug that was submitted recently related to MS accounts getting stuck on successfully authenticated. That bug is FBX-30414.

    The workaround seems to be either
    - Pressing F5 in the SSLVPN browser window to force a refresh,
    or
    - Right-clicking a blank area inside the window and selecting refresh.

    If your case hasn't yet been marked with that bug, please mention FBX-30414 to the technician. They can mark the case with it and let you know when a fix is available.

    -James Carson
    WatchGuard Customer Support

  • We're having the same issue...
    Refreshing the SSLVPN browser window looks like it's doing the authentication steps, and then the SSLVPN client says it's logged in, but cannot access any internal resources...

    Bizarrely, if we delete the entire user profile (c:\users\{username}), once the user logs back in, the SSLVPN then works as expected, but that is going to be a painful experience to do that for all users...

  • Dave_Daniels WatchGuard Representative

    Hi @sega2k6 and @BetterInvesting,

    Can you try this possible workaround?

    On Entra
    Create a conditional access policy
    On the Users, add the user you are testing with that is having the issue. (Later you can add the full sslvpn group if it works for you)
    On Target resources, add the sslvpn application that was created for the SAML integration.
    On Session, set the sign-in frequency to Every time
    Set policy to ON position
    Click Create

    Wait for about 30 mins for Entra to apply the changes. There seems to be a delay on this.

    Then test. Does this allow your user to manually sign into the mini SAML browser now?
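The same conditional access policy, expressed as a Microsoft Graph PowerShell call. This is an added illustration, not part of Dave's post or a WatchGuard-provided script; the user object ID and the SSL VPN application ID are placeholders you replace with your tenant's values, and the policy is created in report-only state so you can check the sign-in logs before switching it to enabled, where the post's steps turn it ON directly.

```powershell
# Added example: create the Entra conditional access policy from the thread
# via Microsoft Graph PowerShell. IDs below are placeholders, not values
# from this thread; replace them with your tenant's object IDs.
Import-Module Microsoft.Graph.Identity.SignIns

# Policy.ReadWrite.ConditionalAccess is needed to create policies;
# Application.Read.All lets Graph resolve the target application.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$testUserId  = "00000000-0000-0000-0000-000000000001"   # placeholder: object ID of the affected test user
$sslVpnAppId = "00000000-0000-0000-0000-000000000002"   # placeholder: app ID of the SAML SSL VPN enterprise app

$policy = @{
    displayName = "SSLVPN SAML - sign-in frequency every time"
    # Report-only first; change to "enabled" once the sign-in logs confirm it
    # matches only the VPN app. The thread's steps set the policy ON directly.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Start with the single test user; later swap in the full SSL VPN group.
        users        = @{ includeUsers        = @($testUserId) }
        # Scope to the SSL VPN application created for the SAML integration only,
        # so other Microsoft apps keep their normal session behaviour.
        applications = @{ includeApplications = @($sslVpnAppId) }
    }
    sessionControls = @{
        # "Sign-in frequency: Every time" from the thread: Entra requires a fresh
        # interactive sign-in for this app even when the device already holds a
        # Microsoft session (the original poster's suspected cause).
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

As the post notes, allow roughly 30 minutes for the policy to take effect before retesting the client.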

  • @Dave_Daniels
    I created the policy per your directions and tested.
    The new behavior is as follows.
    After clicking connect, the WebView2 window opens. Then it refreshes to the username page, which is already populated, and then refreshes to the password page, which is also already populated, and then it refreshes to the MFA page.
    Here it stops with the 2-digit pin that I have to enter in the Microsoft Authenticator App and then approve in that app. Once I do that, the MFA page disappears, and the success page appears, and after 5 or so seconds, it closes, and the VPN connection continues on to completion, ending with an active connection.

  • Hello @Dave_Daniels ,

    I had the same issue as the original poster and tested your workaround, and it started working on my own computer.
    But when I test this on my colleague's computer, I'm presented with a white window (I guess this is the WebView2 window). Nothing happens when I try to refresh it. (I tried F5, Ctrl+R and right-click refresh.)
    I've made sure that they used the 12.11.4 client version.
    I also noticed that it is working fine on a newly installed computer. (Even if the SSL VPN client version is 12.11.3)

    As sega2k6 mentioned, he got it working for a user by removing the user profile folder.
    I tried using another user profile on one of the computers that had issues and got it working.
    Are there any user profile files that I should be aware of that might be causing these issues?
