This depends on the process required to log in. The answer is usually yes, but the complexity of the work involved can vary.
The easiest way to think about it is to ask how a human would log in. AppCheck will access your application via the public internet (unless using a private scan hub) using a web browser. If a human user in this position could log in, then the likelihood is that AppCheck can too. However, if additional tools are required, such as third-party software or a phone to receive text messages, then AppCheck will be unable to log in.
Most SSO platforms provide a login page which can be accessed when browsing to the application when not already authenticated. In the simplest cases a user, or the AppCheck scanner, can simply log in with these forms.
Some SSO platforms make it more complicated. For example, Google demands verification via a one-off Multi-Factor Authentication (MFA) process when first accessing an account from a new client machine (such as an individual AppCheck scanhub). This will require configuring your scan with a complex GoScript which not only handles the MFA (see Can I run authenticated scans of applications protected by Multi-Factor Authentication (MFA/2FA)?) but also uses conditional logic to handle the differences in the login process it will see depending on whether it is logging in from a given server for the first time (see Conditional Logic in GoScript). If your application supports a method of authentication other than SSO, this will likely be easier to configure.
In the rare situation where no login form is accessible, authentication may still be possible, for example using a permanent token (sent as a header) which can be added to the scan configuration; however, this would need to be supported by the scanned application's developers.
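To show what "supported by the application's developers" means in practice, here is an added example (not AppCheck's code and not part of this article) of application-side request handling that accepts a scanner token sent in the `Authorization: Bearer` header alongside the normal SSO session. The names `SCANNER_PRINCIPAL`, `SSO_LOGIN_URL`, the `session` cookie and the `session_lookup` callback are assumptions made for the example. The token path is inactive unless a token has been configured, so an environment that leaves it unset behaves exactly as before, and the comparison is constant-time so a wrong token leaks nothing about the right one.

```python
import hmac
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Callable, Dict, Mapping, Optional, Tuple

# Placeholder SSO login URL; an assumption, not a real endpoint.
SSO_LOGIN_URL = "https://sso.example.invalid/login"
# Assumed identity the application records for requests made with the scanner token.
SCANNER_PRINCIPAL = "appcheck-scanner"


@dataclass(frozen=True)
class Principal:
    name: str
    via: str  # "sso-session" or "scanner-token"


def bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def session_id(headers: Mapping[str, str]) -> Optional[str]:
    """Return the value of the (assumed) 'session' cookie, else None."""
    raw = headers.get("Cookie") or headers.get("cookie")
    if not raw:
        return None
    jar = SimpleCookie()
    jar.load(raw)
    morsel = jar.get("session")
    return morsel.value if morsel else None


def authenticate(
    headers: Mapping[str, str],
    scanner_token: Optional[str],
    session_lookup: Callable[[str], Optional[str]],
) -> Optional[Principal]:
    """Resolve the caller: a valid SSO session first, then the scanner token.

    Returns None when neither is present and valid, so the caller falls back
    to the normal SSO redirect.
    """
    sid = session_id(headers)
    if sid:
        user = session_lookup(sid)
        if user:
            return Principal(user, "sso-session")

    token = bearer_token(headers)
    # Scanner path is disabled entirely when no token has been configured.
    if token and scanner_token:
        # Constant-time comparison: timing does not depend on how many
        # leading bytes of a guessed token happen to match.
        if hmac.compare_digest(token.encode(), scanner_token.encode()):
            return Principal(SCANNER_PRINCIPAL, "scanner-token")
    return None


def handle_request(
    headers: Mapping[str, str],
    scanner_token: Optional[str],
    session_lookup: Callable[[str], Optional[str]],
) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers): 302 to SSO when unauthenticated, else 200."""
    principal = authenticate(headers, scanner_token, session_lookup)
    if principal is None:
        return 302, {"Location": SSO_LOGIN_URL}
    return 200, {"X-Authenticated-As": principal.name, "X-Auth-Via": principal.via}


if __name__ == "__main__":
    # Constructed sample data: one live SSO session and one configured scanner token.
    sessions = {"s1": "alice"}
    token = "constructed-scanner-token"
    print(handle_request({"Cookie": "session=s1"}, token, sessions.get))
    print(handle_request({"Authorization": "Bearer " + token}, token, sessions.get))
    print(handle_request({"Authorization": "Bearer wrong"}, token, sessions.get))
```

The scanner token would normally be read from the environment of the scanning target only, so production builds never carry it; the scan configuration then sends the same header value on every request and no login form is needed.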