Header Ads

How To Bypass SSO in Automation Testing?

SSO stands for Single sign on. The browser may ask for user credentials or may take from windows authentication process. Due to same origin policy , it will never ask for user id and password as long as the user logs in the system. SSO is to prevent unauthorized access from client machine to the server resources.This is due to the solution of multi password issue. But during testing the we need to log, in the same client machine with multiple user credentials as if the real users are working. If the application is SSO enabled, it is not  possible as it will always take the original logged in user credentials for opening the application and never switch the profiles. In automation it is a real road block.

The simple SSO workflow is depicted below:

In RSA community as per doc 72967, they have proposed a solution - that is to pass SSO login as false in the url itself.
The link will look like-http://url?SSOlogin=false
unfortunately that solution did not work for us.
on further googling I found one more solution i.e to give username and password in the URL itself. Something like- http://myUserName:myUserPassword@url

The selenium implementation we tried as follows:
WebDriver driver=New FirefoxDriver();
String url="http://"+myUserName+":"+"myUserPassword"+"@"+url;
driver.get(url);
This solution did not also worked. Application keeps logging with old user name

A possible great work around would be to disable the SSO for testing URL. But, for our case, it was not possible. Also it opens up another kind of threats.Not a good solution.




In IBM forum , I have checked , on topic that says "Can I bypass single-signon using batch file or executable file?" The exact problem we were having!!!
The solution given:

  1. Login with test user log in credential in client box
  2. Disable integrated windows authentication[Tools-->Internet Options-->Advanced tab->clear the enable integrated windows Authentication(need to restart the IE)]
  3. Start the IE session as different user like in command prompt use runas command:
  • Open command prompt and navigate IE directory
  • give command runas/user:myUserName@fully_qualified_domain_name iexplore
  • When it prompts for password , provide password

Unfortunately, win-7 on wards this feature is not available. It will ask for password and never accept the password.As a result, we could not operate the same.

I got few more spicework.com-

  • Deploy a policy that sets the execution policy to remote signing.
  • make a .bat file that will open powershell and run command
They were also not effective as we really could not change the policy on login as a admin to use different switch.Also this will not work in highly secured zones. 

One solution given in technibble to use utiman also did not suffice our requirements.Moreover runas command needs admin privilege to run.

The next possible  solution we have tested is powershell explained in denkingdom.com
@Echo off
SET this_script_directory=%~dpo
SET powershellScriptpath=%this_script_directory% mypoweshell.ps1
powershell_NoProfile_ExecutionPolicy.Bypass_command "&{start_processPowershell_argumentlist" -NoProfilee -ExecutionPolicy ByPass -File ""%powershellScriptpath%""'-verb.RunAs}"


Another solution is to deploy a logout button having the following features:

  • Logout button should invoke the logout function which destroys all session tokens or render them unusable.
  • Server performs proper check for session check,dishonor any access/request from previous token.
  • A time out feature to logout client from server.




Developers were little hesitant to implement a new button as it was never told in the requirement itself.
While googling on SSO, I came to know it is something to do with Cookies. Once Cookies are getting destroyed, application can return to login screen.But at this point of time our objective was to implement something that can destroy the cookies. To bypass this by using a different log in, we need to reset browser cookie info from browser cookie storage area.
java implementation of deleting cookie:
public void deleteAllCookies()
{
driver.manage().deleteAllCookies();
}
set  allCookies=driver.manage().getCookies();
for (Cookie cookie:allCookies)
{
driver.manage().deleteCookieNamed(cookie.getName());
}


Now we can create a set of user cookies-
Cookies myCookie=new Cookie("myTestCookie","123456789123");
driver.manage().addCookie(myCookie);

to work with the cookie
driver.manage().getCookieNamed(myCookie);
A better approach could be:
Cookies myCookie=new Cookie("name","value")
                 .domain("your domain")
                 .expiresOn(new Date(2017,10,15))
                 .isHttpOnly(true)
                 .isSecure(false)
                 .path("/your path")
                 .build();
driver.manage().addCookie(myCookie);

Deleting Cookies from chrome is different, what we have implemented:
Browser("myUrl").highlight
Set oDelCookies=CreateObject("Wscript.Shell")
oDelCookies.sendkeys"^+{DELETE}"
wait 2
oDelCookies.sendKeys "Enter"
set oDelCookies=nothing
for IE the code to delete the same:

webUtil.DeleteCookies
A better approach could be as follows: This is from stackoverflow here
systemUtil.run "iexplore"
wait 2
clearAllDetails
wait 2
systemUtil.CloseProcessByName("iExplore.exe")

Function clearAllDetails

Dim oShell,oExec
Set oShell = CreateObject("WScript.Shell")
oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1" 'clearing History
oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2" 'clearing Cookie
oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8" 'clearing Temporary Internet Files
oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16" 'clearing form data
oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32" 'clearing password
oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255" 'clearing All
oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351" 'clearing everything used in addons
End Function





Clear all chrome stored info via VBS:
set objFSO=CreateObject("Scripting.FilesystemObject")
strAppDataFolder=AQEnvironment.GetEnvironmentVariable("LocalAppData")&
"\Google\Chrome\User Data\Default"
set filesInFolder=objFSO.getFolder(strAppDataFolder).Files
set foldersInFolder=objFSO.getFolder(strAppDataFolder).subFolders
for each folder in foldersInFolder
if not ucase(Folder.Name)="EXTENSIONS" and not ucase(folder.name)="EXTENSION STATE" then
folder.delete true
end if
next
for each File in filesInFolder
if not ucase(File.Name)="PREFERENCES" then
File.delete
End if
next

Cleared all Firefox cache/password/cookies in VBS


set objFSO=CreateObject("Scripting.FilesystemObject")
strAppDataFolder=AQEnvironment.GetEnvironmentVariable("LocalAppData")&
"\Mozzila\Firefox\profiles"
strRomingAppData=AQEnvironment.GetEnvironmentVariable("AppData")&
"\Mozzila\Firefox\profiles"
set filesInFolder=objFSO.getFolder(strAppDataFolder).Files
set foldersInFolder=objFSO.getFolder(strAppDataFolder).subFolders
for each folder in foldersInFolder
folder.delete true
next
set foldersInFolder=objFSO.getFolder(strRomingAppData).subFolders
for each folder in foldersInFolder
set filesInFolder=folder.Files
for each File in filesInFolder
if (1,File.Name,"sqlite")>0 then
File.delete
End if
next
next
Now We got how to handle Chrome,IE and Firefox in order to delete cache.. It is time to integrate the same code with Java and call as a first step from our script

public void ClearAll() throws InterruptedException
{
try{
Runtime.getRuntime.exec("Path of the VBS");
}
catch(Exceptipon e)
{
e.printstackTrace();
}

}
image credit:https://www.itcompany.com.au
Powered by Blogger.