
WebInspect supporting the use of OIDC?

I have been trying to perform an authenticated scan and my web application uses PKI certificates that are verified by Keycloak using OIDC. Does WebInspect support the use of OIDC when performing an authenticated scan of a web application?

Micro Focus Contributor

Re: WebInspect supporting the use of OIDC?

WebInspect supports SSO applications including OIDC; however, each application and environment is different. It therefore depends on how it is all set up and the issue you are facing. Is ADFS involved? Is there a firewall on the client or server side?

Do you have a Support Ticket? If not, I would recommend opening a support ticket; if you already have a support ticket, please follow up on the support case.

Hersh

Micro Focus Expert

Re: WebInspect supporting the use of OIDC?

Hersh is correct, this can be complicated based on how your environment and target application are configured. A Support Case may get you more direct assistance.

I will point out that you will want to review the Authentication settings panel found under the Edit menu > Default Scan Settings. By enabling the Certificate option, you will then select the necessary client certificate that WebInspect will use to authenticate automatically. If a PIN# is required to unlock the certificate, that can also be entered here. Below are some links to the product documentation covering these items.

What should occur after this configuration is that WebInspect will fetch the certificate, unlocking it as needed, and it will then submit that to the authentication challenge for the web site target as needed. If your client certificate is stored on a hardware token, e.g. a USB key, then that will need to be physically inserted into the WebInspect machine throughout the scan, to ensure the certificate can be used whenever it is called. This means you may not be able to pull out your key card and head to lunch during the WebInspect scan! 😉

This PKI configuration works best when the PIN# is static and unchanging. If you are instead dealing with a token that generates a dynamic, changing PIN#, then you may need to review the WebInspect configuration for Interactive Mode. It may be necessary to have WebInspect query the user with a browser pop-up any time the certificate is called. When that occurs in that scenario, that individual scanner Requestor thread will Pause waiting on your human input (the current PIN#), before it can Resume. So you can see why contacting Fortify Support (https://softwaresupport.softwaregrp.com/) may be helpful, depending on this specific situation.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify