Can I use SSO to sign in to AppCheck?
This is not currently supported. If this feature would be valuable to you, please raise a ticket with AppCheck Support and we will add your name to the feature request. We cannot promise at this time if or when this will be selected for implementation, but letting us know you are interested helps us to prioritise future development.
Can I scan applications that use SSO?
This depends on the process required to log in. The answer is usually yes, but the complexity of the work involved can vary.
The easiest way to think about it is to ask how a human would log in. AppCheck will access your application via the public internet (unless using a private scan hub) using a web browser. If a human user in this position could log in, then AppCheck most likely can too. However, if additional tools are required, such as third-party software or a phone to receive text messages, then AppCheck will be unable to log in.
Most SSO platforms provide a login page which is shown when browsing to the application while not already authenticated. In the simplest cases a user, or the AppCheck scanner, can simply log in with these forms.
Some SSO platforms make it more complicated. For example, Google demands verification via a one-off Multi-Factor Authentication (MFA) process when first accessing an account from a new client machine (such as an individual AppCheck scan hub). This will require configuring your scan with a complex GoScript which not only handles the MFA (see Can I run authenticated scans of applications protected by Multi-Factor Authentication (MFA/2FA)?) but also uses conditional logic to handle the differences in the login process it will see depending on whether it is logging in from a given server for the first time (see Conditional Logic in GoScript). If your application supports a method of authentication other than SSO, this will likely be easier to configure.
In the rare situation where no login form is accessible, authentication may still be possible, for example using a permanent token (sent as a header) which can be added to the scan configuration, but this would need to be supported by the scanned application's developers.