Handling SSO in Qualys WAS

Document created by Dave Ferguson on Sep 30, 2016.  Last modified by Dave Ferguson on Jan 3, 2017.
Version 5

A common authentication mechanism used by web applications is single sign-on (SSO).  This introduces complexity and can cause some confusion when it comes to authenticating and scanning with Qualys WAS. 


The following scenario is common.


You need to scan WebApp ABC, which runs at https://abc.company.com/.  However, when you open https://abc.company.com/ in your browser, you are redirected to another site at https://sso.company.com/login.  The page here contains a login form with username and password input fields.  Upon submitting valid credentials, you are automatically redirected back to WebApp ABC to a URL such as https://abc.company.com/welcome and you're free to use the application.  


The process works like this:


[Figure: A typical web application SSO scenario]


To handle this in WAS, first make sure you have the target URL in your web app profile set to https://abc.company.com/.  The application you want to scan (WebApp ABC) resides here, so that is what the target should be. 


The redirection to a different site during the login process will necessitate using a Selenium script.  The Standard and Custom authentication options within WAS will not work.  However, by leveraging Selenium, WAS can easily log in and test the authenticated surface area of the application. 


Note that in most cases we want to avoid scanning the content on sso.company.com.  Assuming that's true, do not add "sso.company.com" to the crawl scope. 


First, a little about Selenium.  Selenium is a free, open source suite of tools designed to automate web application testing.  One of the modules is called Selenium IDE, which is a Firefox extension and is the only module you will need.  Selenium IDE allows you to record and play back scripts.  A Selenium script is a set of commands that represent interactions with a web browser.  The commands may include such things as opening a URL, clicking a link, typing into an input field, submitting a form, or even waiting a certain amount of time.  Selenium IDE saves scripts as .html or .xml files. 


One of the key things to understand about Selenium is that it functions at the browser level.  What happens on the server side is unimportant.  To illustrate, the underlying technology in SSO may be SAML, OAuth, CAS, or something else.  As a user with a browser, the underlying technology doesn't matter to what you're trying to do, so it doesn't matter when playing back Selenium scripts either.


Now let's look at a Selenium authentication script for the above scenario.  It's really quite simple.  Here is a screenshot of Selenium IDE with the script loaded.


[Figure: Typical Selenium script for SSO]


You can find the script itself attached to this article.  There are only 5 commands in the script and there is nothing that references "sso.company.com".  It's not needed because after the initial open command, an automatic redirection to the login page on "sso.company.com" occurs.  The "waitForElementPresent" command tells Selenium to wait until an element called "txtUsername" (the username input field) is seen in the DOM of the page.  Essentially, this command gives time for the redirection to happen and the page at https://sso.company.com/login to fully load and render.


The next three commands in the script enter the username and the password and submit the form by clicking on the login button (the "btnLogin" element).  Nothing else is needed because a successful login results in a seamless and automatic redirection back to the web app you're trying to scan, namely WebApp ABC.
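
The following Python check is an added example, not the script attached to this article and not part of Qualys WAS: it parses a Selenium IDE HTML script and flags departures from the five-command pattern described above.  The embedded script is constructed; "txtPassword" and the credential values are assumptions, since the article names only the "txtUsername" and "btnLogin" elements.

```python
import html
import re

# Constructed sample in the legacy Selenium IDE HTML format (one table row per
# command). "txtPassword" and both credential values are assumptions; the
# article names only the "txtUsername" and "btnLogin" elements.
SAMPLE_SCRIPT = """<html><head><link rel="selenium.base" href="https://abc.company.com/" />
<title>sso_login</title></head><body><table><thead>
<tr><td rowspan="1" colspan="3">sso_login</td></tr></thead><tbody>
<tr><td>open</td><td>/</td><td></td></tr>
<tr><td>waitForElementPresent</td><td>id=txtUsername</td><td></td></tr>
<tr><td>type</td><td>id=txtUsername</td><td>scan_user</td></tr>
<tr><td>type</td><td>id=txtPassword</td><td>EXAMPLE-PASSWORD</td></tr>
<tr><td>click</td><td>id=btnLogin</td><td></td></tr>
</tbody></table></body></html>"""

ROW = re.compile(r"<tr>\s*<td>(.*?)</td>\s*<td>(.*?)</td>\s*<td>(.*?)</td>\s*</tr>", re.S)


def parse_commands(script_html):
    """Return (command, target, value) tuples; the one-cell title row is skipped."""
    return [tuple(html.unescape(cell).strip() for cell in row)
            for row in ROW.findall(script_html)]


def lint_sso_script(script_html, sso_host="sso.company.com"):
    """Return a list of problems; an empty list means the script fits the pattern."""
    cmds, problems, waited = parse_commands(script_html), [], False
    if not cmds or cmds[0][0] != "open":
        problems.append("first command should be 'open' on the target web app")
    if sso_host in script_html:
        problems.append("script references the SSO host; the redirect makes that unnecessary")
    for name, target, _ in cmds:
        if name.startswith("waitForElement"):
            waited = True
        elif name in ("type", "click") and not waited:
            problems.append(f"'{name}' on {target} runs before any wait for the login page")
    if not any(name.startswith(("click", "submit")) for name, _, _ in cmds):
        problems.append("no click or submit command sends the login form")
    return problems


if __name__ == "__main__":
    print(lint_sso_script(SAMPLE_SCRIPT) or "script matches the SSO login pattern")
```

A clean result here only confirms the script's shape; it still has to play back successfully in Selenium IDE before upload.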


Once the script is working in Firefox, open Qualys WAS and upload the script into the web app's authentication record.   Run a discovery scan to test the authentication.


Tip #1:  Always make sure your Selenium script runs successfully in Firefox first using Selenium IDE.  If it doesn't work in Firefox, it is not going to work in Qualys WAS.


Tip #2:  If your web application does not function in Firefox at all, install the User Agent Switcher extension.  This extension allows you to change your user agent string and pretend to be a different browser.  This is not guaranteed to overcome the issue, but it's certainly worth a try.  The WAS option profile allows for changing the user agent as well.


Finally, in case you are interested, feel free to watch recorded videos about WAS and Selenium.
