Handling SSO in Qualys WAS

Document created by Dave Ferguson Employee on Sep 30, 2016Last modified by Dave Ferguson Employee on Nov 11, 2019
Version 7Show Document
  • View in full screen mode

A common authentication mechanism used by web applications is single sign-on (SSO).  This introduces complexity and can cause some confusion when it comes to authenticating and scanning with Qualys WAS. 


Here is a common scenario:


You need to scan WebApp ABC, which runs at https://abc.company.com/.  However, when you open https://abc.company.com/ in your browser, you are redirected to another site at https://sso.company.com/login.  The page here contains a login form with username and password input fields.  Upon submitting valid credentials, you are automatically redirected back to WebApp ABC to a URL such as https://abc.company.com/welcome and you're free to use the application.  


The process works like this:


A typical web application SSO scenario


To handle this in WAS, first make sure you have the target URL in your web app profile set to https://abc.company.com/.  The application you want to scan (WebApp ABC) resides here, so that is what the target should be.  Note that in most cases we want to avoid scanning the content on sso.company.com.  Assuming that's true, do not add "sso.company.com" to the crawl scope. 


The redirection to a different site during the login process necessitates using a Selenium script.  The Standard and Custom authentication options within WAS will not work.  By leveraging a Selenium script, WAS can easily log in and test the authenticated surface area of the application. Selenium is an open source, free suite of tools designed to automated web application testing.  A Selenium script is a set of commands that represent interactions with a web browser.  The commands may include such things as opening a URL, clicking a link, typing into an input field, submitting a form, or even waiting a certain amount of time.  Qualys Browser Recorder is a Chrome extension you use to record and play back Selenium scripts.  A Selenium script is saved as a .html file.


One of the key things to understand about Selenium is that it functions at the browser level.  What happens on the server side is unimportant.  To illustrate, the underlying technology in SSO may be SAML, OAuth, CAS, or something else.  As a user with a browser, the underlying technology doesn't matter to what you're trying to do, so it doesn't matter when playing back Selenium scripts either.


Now let's look at a Selenium authentication script for the above scenario.  It's really quite simple.  Here is a screenshot of Qualys Browser Recorder with the script loaded.



You can find the script itself attached to this article.  There are only 5 commands in the script and there is nothing that references "sso.company.com".  It's not needed because after the initial open command, an automatic redirection to the login page on "sso.company.com" occurs.  The "waitForElementPresent" command tells Selenium to wait until an element called "txtUsername" (the username input field) is seen in the DOM of the page.  Essentially, this command gives time for the redirection to happen and the page at https://sso.company.com/login to fully load and render.


The next three commands in the script enter the username and the password and submit the form by clicking on the login button (the "btnLogin" element).  Nothing else is needed because a successful login results in a seamless and automatic redirection back to the web app you're trying to scan, namely WebApp ABC.


Once the script is working in Chrome, open Qualys WAS and upload the script (.html file) into the web app's authentication record.  To test the authentication in WAS, either launch a discovery scan or run Test Authentication on the web application.


Tip #1:  Always make sure your Selenium script plays back successfully in Qualys Browser Recorder (QBR) in Chrome.  If it doesn't work in QBR, it is not going to work in your Qualys WAS scan.


Tip #2:  If your web application does not function in Chrome at all, install the User-Agent Switcher browser extension.  This extension allows you to change your user agent string and pretend to be a different browser.  This is not guaranteed to overcome the issue, but it's certainly worth a try.  Also note the WAS option profile allows you to set the user agent used by the scanner.


Finally, feel free to watch a video about WAS and Qualys Browser Recorder if you want to learn more.

7 people found this helpful