How to test?
Now it's time to validate your work. Before testing your integration, make sure you have completed all the steps in 3.1.1. How to set it up?
1. Use a device and log in to your cloud application as you do every day.
2. After entering the correct username and password on your SSO service (IdP), you should be redirected to an OPSWAT page (in the URL bar of your browser, you can see that you are redirected to https://cac.opswat.com/....). From there, OPSWAT runs the device posture check based on the Cloud Access settings configured on your MetaAccess account.
3. If a device is blocked from accessing the application, you should see a remediation page that tells you why you are blocked.
4. If a device is allowed to access the application, you should be able to log in to the application.
Here are some common misconfigurations you may run into during your testing.
Case 1: You are not redirected to the OPSWAT page after logging in successfully
This happens when you have not updated the application settings on your IdP so that the IdP forwards user authentications to OPSWAT MetaAccess after a user logs in successfully. To fix this issue, see Step 4. Update Applications settings on Identity Provider.
Case 2: You are redirected to another application after logging in successfully
You have at least 2 applications integrated with MetaAccess. However, after a user logs in successfully, the user is redirected to another application instead of the application he/she is trying to log in to. This happens when the wrong loginURL was used to replace the application's loginURL on the IdP. Verify the loginURL you used to replace the application's loginURL on the IdP. More details are in Step 4. Update Applications settings on Identity Provider.
Case 3: The application doesn't let me log in due to a certificate issue
The application shows an error message saying that it couldn't validate the authentication, as in the screenshot below.
The root cause is that your application doesn't trust the SAML message that OPSWAT sends to it. This happens when you have not imported the OPSWAT certificate into the SSO settings of your application. Follow the steps in Step 5. Configure SSO settings on applications to update it.
Case 4: The application doesn't let me log in due to a wrong login URL
The application shows an error saying that you logged in from a wrong URL, as in the screenshot below.
The root cause is that you configured the wrong Log in URL on the MetaAccess console. The URL there should be a post-back SSO URL.
Case 5: OPSWAT blocks a device from accessing an application because no agent is installed, but the device already has an agent installed
A user may get the error message below.
Follow our KB to verify if the device is on your account or get device information on the endpoint.
This can happen in one of the following cases:
The agent is connected to another account.
Solution: uninstall the agent on the device and install a new one with the new installer, which can be downloaded from the block page.
The agent is running an old version that does not support this feature. The agent should be 18.104.22.168+ for Windows and 10.4.147.0+ for macOS. Linux/iOS/Android devices are not supported yet; as a result, we allow these devices to access the application no matter what.
Solution: this issue can happen when:
Auto-upgrade for the agent is disabled on your account. If that is the case, you just need to enable it. The agent will pick up the latest version in 1 hour. You can also reinstall the agent.
The agent on the device couldn't connect to our server to check for the latest version. You can check by downloading the file at the URL https://agent-update.opswat.com/windows_installer/gears_config.wak. If you can't download it, check your proxy/firewall settings to resolve the problem. You can follow our KB to whitelist our server addresses.
OR the device is using a proxy to access websites. As stated in Step 1. Enable Access Control on your MetaAccess account, when you enable access control on your account, endpoints open a local cross-domain API that our cloud queries for the device ID. This API runs on the domain eapi.opswatgears.com (127.0.0.1).
Solution: add an exception so that the domain eapi.opswatgears.com does not go through proxy servers.
OR your DNS couldn't resolve the domain eapi.opswatgears.com.
Solution: try to resolve the domain eapi.opswatgears.com on the device and make sure it resolves to 127.0.0.1.
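The proxy and DNS checks from Case 5 can be scripted on the affected device. The following is an added example, not OPSWAT code; the function names are hypothetical, and the injectable resolver and proxy arguments exist only so the logic can be exercised without network access.

```python
import socket
import urllib.request

# Local cross-domain API domain as written in the DNS item above;
# pass host= to check a different name.
LOCAL_API_HOST = "eapi.opswatgears.com"
EXPECTED_IP = "127.0.0.1"


def resolve_ips(host, resolver=socket.getaddrinfo):
    """Return the sorted unique addresses for host, or [] if lookup fails."""
    try:
        return sorted({info[4][0] for info in resolver(host, None)})
    except OSError:  # socket.gaierror is a subclass of OSError
        return []


def diagnose(host=LOCAL_API_HOST, resolver=socket.getaddrinfo,
             proxies=None, bypass=None):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    ips = resolve_ips(host, resolver)
    if not ips:
        findings.append(f"DNS: {host} does not resolve on this device")
    elif ips != [EXPECTED_IP]:
        findings.append(f"DNS: {host} resolves to {ips}, expected {EXPECTED_IP}")

    # Proxy settings as Python sees them (environment variables, plus the
    # system settings on Windows and macOS). A browser driven by a PAC
    # file may behave differently, so treat a clean result as a hint.
    if proxies is None:
        proxies = urllib.request.getproxies()
    if bypass is None:
        bypass = urllib.request.proxy_bypass
    if (proxies.get("http") or proxies.get("https")) and not bypass(host):
        findings.append(f"PROXY: {host} is not in the proxy exception list")
    return findings


if __name__ == "__main__":
    for line in diagnose() or ["OK: DNS and proxy checks passed"]:
        print(line)
```

A DNS finding points to the resolver item above, and a PROXY finding points to the proxy exception item.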
Case 6: OPSWAT doesn't block or allow a device as expected
In this case, you should check the following settings:
Make sure you have already enabled Access Control on your MetaAccess account as described in Step 1. Enable Access Control on your MetaAccess account.
Verify the IdP and application settings on your MetaAccess account. Make sure you have already imported the IdP's certificate and configured the applications' mode as expected. See more details in Step 2. Import Identity Providers and Applications.
Walk through the access rules on your MetaAccess account yourself to see which rule your device matches and what action will be taken. Note that access rules are processed in order. If you are missing a rule for the application, follow Step 3. Configure Access Rules to add/update rules for it.
Linux/iOS/Android devices are not supported yet; as a result, we allow these devices to access the application no matter what.