Absent Member.

Configure a site behind Siteminder

Hello,

How can we configure a scan for a site that is behind Siteminder (SAML)?

I got an email from one of the users, as mentioned below:

I can see the response for the first request as a redirect (302) to the Siteminder login page. Should the tool follow redirects? Is there a way to configure credentials to be automatically input on a web form page? That would certainly solve the problem.

Can someone help me?

Micro Focus Expert

Usually you would record a Login Macro for handling the SSO process. Pages included in the Login Macro will not be added to the scan, but they will be listed as Disallowed Hosts and otherwise show up under Offsite Links. The Macro is permitted to load any URL needed for its replay, and finally it returns the scanner to the Starting URL you defined in the Scan Wizard, complete with an established session state ready for use. A Login Macro requires that you identify the Logout Condition(s), which may be identified automatically during its creation process, but in some cases the user must identify them using a proxy and browser and then add them manually to the Login Macro's Logout Conditions section. When any one of those Logout Conditions is met (via an innate OR behavior) by a particular HTTP Response during the scan, the Login Macro is re-run, session state is regained, and the scanner continues automatically from where it had lost session state.


If you are dealing with a SOAP web service, the Web Service Design tool should be used to pre-visit and pre-plan the scan, as well as to define the necessary WS-Security, SAML, or other certificate security that the service may require of the scanner. The saved output from this included tool is then used as input during the Web Service Scan Wizard.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
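As an added illustration of the logout-condition mechanism the reply describes (OR-ed conditions checked against each HTTP response, re-run the login step on a match, resume where session state was lost), here is a small constructed model; it is not the scanner's own implementation or code from this thread. The SSO host, paths and the fake site that expires sessions are assumptions made up for the example.

```python
import re
from collections import namedtuple

Response = namedtuple("Response", "status headers body", defaults=("",))

# Logout conditions are OR-ed: one regex match on the serialised response means
# the session is gone. The SSO host and path below are constructed placeholders.
LOGOUT_CONDITIONS = [
    r"^HTTP/1\.1 302.*\nLocation: https://sso\.example\.com/siteminderagent/",
    r"<title>Please Log In</title>",
]

def serialise(resp):
    head = "".join(f"{k}: {v}\n" for k, v in resp.headers.items())
    return f"HTTP/1.1 {resp.status}\n{head}\n{resp.body}"

def session_lost(resp, conditions=LOGOUT_CONDITIONS):
    return any(re.search(c, serialise(resp), re.M | re.I) for c in conditions)

def crawl(urls, fetch, login_macro):
    """Visit each URL; when a response trips a logout condition, re-run the
    login macro and retry the same URL so the scan resumes where it stopped."""
    session, relogins, results = login_macro(), 0, []
    for url in urls:
        resp = fetch(url, session)
        if session_lost(resp):
            relogins += 1
            session = login_macro()
            resp = fetch(url, session)
        results.append((url, resp.status))
    return results, relogins

def make_fake_site():
    # Constructed stand-in for an app behind a SiteMinder agent: an unknown or
    # expired SMSESSION cookie gets a 302 to the SSO login form, and every third
    # request expires the current session so the re-login path is exercised.
    state = {"valid": set(), "logins": 0, "requests": 0}
    def login_macro():
        state["logins"] += 1
        state["valid"].add(f"tok{state['logins']}")
        return {"SMSESSION": f"tok{state['logins']}"}
    def fetch(url, session):
        state["requests"] += 1
        if state["requests"] % 3 == 0:
            state["valid"].discard(session["SMSESSION"])
        if session["SMSESSION"] not in state["valid"]:
            sso = f"https://sso.example.com/siteminderagent/forms/login.fcc?TARGET={url}"
            return Response(302, {"Location": sso})
        return Response(200, {"Content-Type": "text/html"}, "<html>app page</html>")
    return fetch, login_macro
```

Running `crawl` over five URLs against `make_fake_site()` yields five 200 results and two re-logins, since the two expiries are caught and retried rather than recorded as findings about the login page.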