Configure a site behind Siteminder
How can we configure a scan for a site that is behind Siteminder (SAML)?
I got an email from one of the users, as mentioned below:
I can see the response for the first request as a redirect (302) to Siteminder login page. Should the tool follow redirects? Is there a way to configure credentials to be automatically input on a web form page? That would certainly solve the problem.
Can someone help me?
Usually you would record a Login Macro for handling the SSO process. Pages included in the Login Macro will not be added to the scan, but they will be listed as Disallowed Hosts and otherwise show up under Offsite Links. The Macro is permitted to load any URL needed for its replay, and finally it returns the scanner to the Starting URL you defined in the Scan Wizard, complete with an established session state ready for use. A Login Macro requires that you identify the Logout Condition(s), which may be identified automatically during its creation process, but in some cases the user must identify them using a proxy and browser and then add them manually to the Login Macro's Logout Conditions section. When any one of those Logout Conditions is met (via an innate OR behavior) by a particular HTTP Response during the scan, the Login Macro is re-run, session state is regained, and the scanner continues automatically from where it had lost session state.
If you are dealing with a SOAP web service, the Web Service Design tool should be used to pre-visit and pre-plan the scan, as well as to define the necessary WS_Security, SAML, or other certificate security that the service may require of the scanner. The saved output from this included tool is then used as input during the Web Service Scan Wizard.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
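To make the mechanism in the answer above concrete, here is an added Python model of the scan loop (example code, not WebInspect's implementation and not from the poster): a set of OR'd Logout Conditions is checked against every response, and when one matches the login step is re-run and the scan resumes at the request that lost its session. The target site, the `login.fcc` redirect URL and the `SMSESSION-n` tokens are constructed stand-ins.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Constructed stand-in for an HTTP response as the scanner sees it."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Logout Conditions: any single match (OR semantics) means the session is lost.
# A 302 to the SSO login form and a "please log in" body are typical conditions;
# the URL fragment below is a constructed example, not a real Siteminder path.
LOGOUT_CONDITIONS = [
    lambda r: r.status == 302 and "/siteminderagent/forms/login.fcc" in r.headers.get("Location", ""),
    lambda r: r.status == 200 and re.search(r"please (log|sign) in", r.body, re.I) is not None,
]


def session_lost(resp: Response) -> bool:
    return any(cond(resp) for cond in LOGOUT_CONDITIONS)


class FakeSite:
    """Constructed target: each session token is good for `ttl` requests, after
    which the site answers with a 302 to the SSO login form."""
    def __init__(self, ttl: int = 2):
        self.ttl, self.valid, self.logins = ttl, {}, 0

    def login_macro(self) -> str:          # stands in for replaying the recorded macro
        self.logins += 1
        token = f"SMSESSION-{self.logins}"  # constructed token value
        self.valid[token] = self.ttl
        return token

    def get(self, path: str, token: str) -> Response:
        if self.valid.get(token, 0) <= 0:
            return Response(302, {"Location": "https://sso.example.test/siteminderagent/forms/login.fcc"})
        self.valid[token] -= 1
        return Response(200, {}, f"content of {path}")


def scan(site: FakeSite, paths: list) -> dict:
    token = site.login_macro()             # establish session before the Starting URL
    results = {}
    for path in paths:
        resp = site.get(path, token)
        if session_lost(resp):             # a Logout Condition matched this response
            token = site.login_macro()     # re-run the Login Macro to regain session
            resp = site.get(path, token)   # resume at the request that lost session
        results[path] = resp.status
    return results
```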