
API Authentication

Question asked by derekv on Jul 26, 2019

Qualys, 

 

Are we anywhere closer to you guys allowing us to do API authentication in a different manner?

 

Most ideal to me would be you guys aligning with the majority of other vendors out there with APIs and simply allowing us to use an API token (that only changes if we revoke it and generate a new one).

 

It irks me that I still have to play this game of changing my password for my API account on an X frequency because you won't let me treat that account as different... And yes, I have been told multiple times to implement SAML and I can remove the password policies for local accounts... I get it. That is a goal for us, but we are not there yet... This request for better handling of API authentication has been around since 2011... Yes, let that sink in. 2011.

https://discussions.qualys.com/thread/9237?commentID=44798#comment

 

Slightly disappointing that you guys still have failed to address this issue after so many years.

 

If you don't have the SAML integration, going 100% automated is rather difficult... Even with the password change API call, I still have to then script something to get the email from an inbox, navigate to the provided URL, scrape the webpage for the password, and change the variable in my script (or however I am calling said password variable, be it an environment variable or from a secondary file)... This implementation introduces so many more variables that could break/cause problems... Would love to see you guys make life easier by just doing a token/key setup. Or allowing for password policy exclusions on an account-by-account basis.
