How To Bypass SSO in Automation Testing?
SSO stands for single sign-on. The browser may ask for user credentials or may take them from the Windows authentication process. Due to the same-origin policy, it will never ask for a user ID and password as long as the user is logged in to the system. SSO is meant to prevent unauthorized access from the client machine to server resources, and it also solves the problem of having multiple passwords. During testing, however, we need to log in on the same client machine with multiple user credentials, as if real users were working. If the application is SSO enabled, this is not possible: it will always use the credentials of the originally logged-in user to open the application and never switch profiles. In automation this is a real roadblock.
The simple SSO workflow is depicted below:
In the RSA community, doc 72967 proposes a solution: pass SSO login as false in the URL itself.
The link will look like http://url?SSOlogin=false
Unfortunately, that solution did not work for us.
On further googling I found one more solution, i.e. to give the username and password in the URL itself, something like http://myUserName:[email protected]
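The Selenium implementation we tried was as follows:
WebDriver driver = new FirefoxDriver();
// Put the test user's credentials in front of the host (url holds the address without the scheme)
String authUrl = "http://" + myUserName + ":" + myUserPassword + "@" + url;
driver.get(authUrl);
This solution did not work either. The application keeps logging in with the old user name.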
A great possible workaround would be to disable SSO for the testing URL, but in our case that was not possible. It also opens up other kinds of threats, so it is not a good solution.
In the IBM forum, I checked a topic that says “Can I bypass single-signon using batch file or executable file?” The exact problem we were having!
The solution given:
- Log in to the client box with the test user's login credentials.
- Disable Integrated Windows Authentication [Tools -> Internet Options -> Advanced tab -> clear "Enable Integrated Windows Authentication" (IE needs to be restarted)].
- Start the IE session as a different user, for example with the runas command from the command prompt:
  - Open a command prompt and navigate to the IE directory.
  - Give the command runas /user:[email protected]_qualified_domain_name iexplore
  - When it prompts for the password, provide the password.
Unfortunately, from Windows 7 onwards this feature is not available. It asks for the password and never accepts it. As a result, we could not use this approach.
I found a few more suggestions on spicework.com:
- Deploy a policy that sets the execution policy to remote signing.
- Make a .bat file that opens PowerShell and runs the command.
The SQA forum suggested one solution:
1. Go to IE -> Tools -> Options -> Advanced and uncheck "Enable Integrated Windows Authentication" under Security. It is good to try, but it did not work for me.
The next possible solution we tested is the PowerShell approach explained on denkingdom.com:
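@Echo off
REM Directory this batch file lives in (the value ends with a backslash)
SET this_script_directory=%~dp0
SET powershellScriptpath=%this_script_directory%mypoweshell.ps1
REM Start a second, elevated PowerShell (-Verb RunAs) that runs the script
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""%powershellScriptpath%""' -Verb RunAs}"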
Another solution is to deploy a logout button with the following features:
- The logout button should invoke the logout function, which destroys all session tokens or renders them unusable.
- The server performs a proper session check and refuses any access or request made with a previous token.
- A timeout feature that logs the client out from the server.
The developers were a little hesitant to implement a new button, as it was never mentioned in the requirements.
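The three logout requirements above, shown on the server side as an added example that is not part of the original post or the application's code; the class SessionStoreDemo, its methods and the 15-minute idle timeout are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: hypothetical in-memory session store, not the application's code.
public class SessionStoreDemo {
    private record Session(String user, Instant lastSeen) {}
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration idleTimeout;

    SessionStoreDemo(Duration idleTimeout) { this.idleTimeout = idleTimeout; }

    // Login issues a fresh, unpredictable token that the browser keeps in a cookie.
    String login(String user, Instant now) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(user, now));
        return token;
    }

    // Checked on every request: the user, or null for an unknown, logged-out or idle token.
    String authenticate(String token, Instant now) {
        Session s = sessions.get(token);
        if (s == null) return null;
        if (Duration.between(s.lastSeen(), now).compareTo(idleTimeout) > 0) {
            sessions.remove(token); // timeout: the server logs the client out
            return null;
        }
        sessions.put(token, new Session(s.user(), now)); // restart the idle window
        return s.user();
    }

    // Logout destroys the token on the server, so a replayed cookie is useless.
    void logout(String token) { sessions.remove(token); }

    public static void main(String[] args) {
        SessionStoreDemo store = new SessionStoreDemo(Duration.ofMinutes(15));
        Instant t0 = Instant.parse("2017-10-15T09:00:00Z"); // constructed timestamps
        String a = store.login("testUserA", t0);
        store.logout(a); // test user A clicks the logout button
        if (store.authenticate(a, t0.plusSeconds(60)) != null) throw new AssertionError("token survived logout");
        String b = store.login("testUserB", t0.plusSeconds(120));
        if (!"testUserB".equals(store.authenticate(b, t0.plusSeconds(180)))) throw new AssertionError("valid session refused");
        if (store.authenticate(b, t0.plusSeconds(180 + 16 * 60)) != null) throw new AssertionError("idle session not expired");
    }
}
```

It runs as a single source file on Java 16 or later and exits silently when all three checks hold.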
While googling SSO, I came to know that it has something to do with cookies. Once the cookies are destroyed, the application can return to the login screen. So at this point our objective was to implement something that can destroy the cookies. To bypass SSO by using a different login, we need to reset the browser's cookie information in the browser's cookie storage area.
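Java implementation of deleting cookies:
// Delete every cookie of the current browser session in one call
public void deleteAllCookies()
{
    driver.manage().deleteAllCookies();
}
// Alternatively, delete the cookies one by one by name (requires java.util.Set)
public void deleteCookiesByName()
{
    Set<Cookie> allCookies = driver.manage().getCookies();
    for (Cookie cookie : allCookies)
    {
        driver.manage().deleteCookieNamed(cookie.getName());
    }
}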
Now we can create a set of user cookies:
Cookie myCookie = new Cookie("myTestCookie", "123456789123");
driver.manage().addCookie(myCookie);
To work with the cookie:
driver.manage().getCookieNamed(myCookie.getName());
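A better approach could be:
// Build the cookie with explicit attributes (requires java.util.Date)
// Note: this deprecated Date constructor counts years from 1900 and months from 0
Cookie myCookie = new Cookie.Builder("name", "value")
    .domain("your domain")
    .expiresOn(new Date(2017,10,15))
    .isHttpOnly(true)
    .isSecure(false)
    .path("/your path")
    .build();
driver.manage().addCookie(myCookie);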
Deleting cookies from Chrome is different. What we implemented:
Browser("myUrl").highlight
Set oDelCookies = CreateObject("WScript.Shell")
' Ctrl+Shift+Delete opens Chrome's "Clear browsing data" dialog
oDelCookies.SendKeys "^+{DELETE}"
wait 2
' Confirm the dialog with the Enter key
oDelCookies.SendKeys "{ENTER}"
Set oDelCookies = Nothing
For IE, the code to delete the same:
WebUtil.DeleteCookies
A better approach could be as follows (this is from Stack Overflow):
systemUtil.run "iexplore"
wait 2
clearAllDetails
wait 2
systemUtil.CloseProcessByName("iExplore.exe")
Function clearAllDetails
    Dim oShell, oExec
    Set oShell = CreateObject("WScript.Shell")
    oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1" ' clearing History
    oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2" ' clearing Cookie
    oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8" ' clearing Temporary Internet Files
    oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16" ' clearing form data
    oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32" ' clearing password
    oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255" ' clearing All
    oShell.run "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351" ' clearing everything used in addons
End Function
Clear all Chrome stored info via VBS:
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Default Chrome profile folder of the logged-in Windows user
strAppDataFolder = AQEnvironment.GetEnvironmentVariable("LocalAppData") & "\Google\Chrome\User Data\Default"
Set filesInFolder = objFSO.GetFolder(strAppDataFolder).Files
Set foldersInFolder = objFSO.GetFolder(strAppDataFolder).SubFolders
' Delete every subfolder except the extension folders
For Each folder In foldersInFolder
    If Not UCase(folder.Name) = "EXTENSIONS" And Not UCase(folder.Name) = "EXTENSION STATE" Then
        folder.Delete True
    End If
Next
' Delete every file except the Preferences file
For Each File In filesInFolder
    If Not UCase(File.Name) = "PREFERENCES" Then
        File.Delete
    End If
Next
Clear all Firefox cache/passwords/cookies in VBS:
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Local profile folder (cache) and roaming profile folder (cookies, passwords)
strAppDataFolder = AQEnvironment.GetEnvironmentVariable("LocalAppData") & "\Mozilla\Firefox\Profiles"
strRomingAppData = AQEnvironment.GetEnvironmentVariable("AppData") & "\Mozilla\Firefox\Profiles"
Set filesInFolder = objFSO.GetFolder(strAppDataFolder).Files
Set foldersInFolder = objFSO.GetFolder(strAppDataFolder).SubFolders
' Remove the cached data of every profile
For Each folder In foldersInFolder
    folder.Delete True
Next
' In every roaming profile, delete the sqlite databases
Set foldersInFolder = objFSO.GetFolder(strRomingAppData).SubFolders
For Each folder In foldersInFolder
    Set filesInFolder = folder.Files
    For Each File In filesInFolder
        If InStr(1, File.Name, "sqlite") > 0 Then
            File.Delete
        End If
    Next
Next
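Now we know how to handle Chrome, IE and Firefox in order to delete the cache. It is time to integrate the same code with Java and call it as the first step of our script:
public void ClearAll() throws InterruptedException
{
    try {
        // A .vbs file is not an executable, so run it through the Windows Script Host
        Process p = Runtime.getRuntime().exec(new String[] {"cscript", "//NoLogo", "Path of the VBS"});
        p.waitFor(); // wait until the cleanup has finished before the test continues
    }
    catch (IOException e) // requires java.io.IOException
    {
        e.printStackTrace();
    }
}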
For Salesforce, Rajesh Ramachandra has described a process: instead of providing http://xyz.salesforce.com, provide http://xyz.salesforce.com?login. It will navigate to the login page instead of the SSO login.
Image credit: https://www.itcompany.com.au