Using AppScan with a SSO (Single Sign On)

2010-08-11 15:27:48 / Category: IBM Appscan Security Scan

Technote (troubleshooting)
Sometimes when a user tries to access their application, they are redirected to a SSO to authenticate. How can AppScan be configured to handle this?
Resolving the problem
1) If the site is configured to redirect from the application to the SSO, then back to the application after login, follow these steps:

- Set the starting point to the application.

- Record a login sequence (includes the request to the first page, the redirect to the SSO login page, and the return to the first page).

- Run the scan.

2) If the site is configured in such a way that you first need to visit the SSO, then after logging in it redirects you to a page where a link exists for the target application, follow these steps:

- Set the starting point to the SSO login page.

- If the SSO is on a different domain, add the target application's domain to the "Additional Servers and Domains" list.

- Restrict the scan in the Scan Configuration to the application you want to test if you do not want the SSO to be included as part of the test phase.

- Record a login sequence.

- If the SSO was excluded in the Scan Configuration, start the scan with a Manual Explore, navigate to your application, then continue with a Full Scan.

- Note: You can avoid predefining your Exclusions and Inclusions before the explore phase. To do this, start with an explore and, when it is complete, right-click the folders/pages that you would like to "Exclude from scan" or "Include in scan", then continue with the test phase, which will respect the changes and only scan what has been included.
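As an added illustration (not part of the technote or of AppScan itself), the check below walks a recorded login sequence, modelled here as simple tuples, which is an assumption, and derives the settings described above for both cases: starting point, domains to add, hosts to exclude from the test phase, and whether a Manual Explore should precede the Full Scan. It also flags a recording whose redirect chain is inconsistent or never returns to the application, which is the usual reason a recorded login replays incorrectly.

```python
from urllib.parse import urlparse

# Constructed sample recordings (not AppScan's own format): one request per tuple,
# (method, request URL, response status, Location header or None).
APP_FIRST = [  # case 1: app -> SSO -> back to app
    ("GET", "https://app.example.com/", 302, "https://sso.example.com/login"),
    ("GET", "https://sso.example.com/login", 200, None),
    ("POST", "https://sso.example.com/login", 302, "https://app.example.com/"),
    ("GET", "https://app.example.com/", 200, None),
]
SSO_FIRST = [  # case 2: SSO login, then a portal page that links to the app
    ("GET", "https://sso.example.com/login", 200, None),
    ("POST", "https://sso.example.com/login", 302, "https://sso.example.com/portal"),
    ("GET", "https://sso.example.com/portal", 200, None),
]

def _host(url):
    return urlparse(url).hostname

def check_redirect_chain(seq):
    """Indices of 3xx responses whose Location host is not the host of the next request."""
    bad = []
    for i, (_, _, status, location) in enumerate(seq[:-1]):
        if 300 <= status < 400 and location and _host(location) != _host(seq[i + 1][1]):
            bad.append(i)
    return bad

def plan_sso_scan(seq, app_host):
    """Derive the AppScan settings from the technote for a recorded login sequence."""
    hosts = [_host(url) for _, url, _, _ in seq]
    sso_hosts = sorted({h for h in hosts if h != app_host})
    plan = {
        "starting_point": seq[0][1],      # first recorded request (app in case 1, SSO in case 2)
        "additional_domains": [],         # "Additional Servers and Domains" entries
        "exclude_from_test": sso_hosts,   # optional per the technote; assumed here
        "manual_explore_first": False,
        "chain_breaks": check_redirect_chain(seq),
    }
    if hosts[0] == app_host:
        plan["case"] = 1
        plan["returns_to_app"] = hosts[-1] == app_host   # recording must end back on the app
    else:
        plan["case"] = 2
        plan["additional_domains"] = [app_host] if sso_hosts else []  # SSO on another domain
        plan["manual_explore_first"] = bool(sso_hosts)  # SSO excluded -> Manual Explore to the app
        plan["returns_to_app"] = app_host in hosts      # false: app reached via a link, not redirect
    return plan
```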
