How to automate SSO authentication

I am wondering how one might automate logging into some system protected by SSO (single sing-on). I say SSO because in SSO, when you enter a URL of the page you want to log into, often you are re-directed to a totally different URL which is the SSO login page (whose URL often contains a long, dynamic string such as session ID). After the successful authentication, you are back to the original URL.

I haven't used QTP in years so I am not sure if it can automate this sort of authentication, but I know that QTP could automate non-SSO type of authentication by recording & reply.

I don't really want to have to use a pricey tool like QTP even if SSO authentication automation is possible with it. Is there a way to do this via Java, Groovy, expect, or any other language or free tool ?

Thanks.

I'm unfamiliar with QTP, and not sure what else you need to automate, but the premier library to automate web access in Java is HtmlUnit. It supports redirection, cookies and URL parameters.

Jean Robillard wrote:I am wondering how one might automate logging into some system protected by SSO (single sing-on).

I hate to sound old-hat, but what form of "single sign-on"? I remember, back in the day, when Kerberos was touted as a "single sign-on" solution (and it's free), but certificates (and possibly even newer stuff) seem to have taken over, especially in the browser arena.

So, is this "SSO" proprietary? If so, I fear you may need to fork out some cash. If not, and this SSO site really does support any form you like, then there are a myriad ways of doing it.

Winston

The redirecting sounds more like SAML to me.

Jean Robillard wrote:I say SSO because in SSO, when you enter a URL of the page you want to log into, often you are re-directed to a totally different URL which is the SSO login page (whose URL often contains a long, dynamic string such as session ID). After the successful authentication, you are back to the original URL.

But this is a description of numerous login systems which wouldn't be described as SSO. When you say SSO you're specifically referring to a system where you can login to several different systems using a single set of credentials, and logging into such a system may or may not preserve the useful bits of the original URL.

So discussing this under the heading of SSO is probably a distraction from the actual requirements. It looks like Ulf's response is the best starting point for further discussion.

Rob Spoor wrote:The redirecting sounds more like SAML to me.

I agree.

We use Shibboleth based on SAML for Single Sign On. There is also a kerberos/LDAP back end that drives the whole thing.

If the OP's set up is like that there is ECP (see https://wiki.shibboleth.net/confluence/display/SHIB2/ECP) which is a bit complicated but the Shib site has some working examples.

If kerberos is involved you can get a keytab (and be responsible for its security) that allows password free log in. Although we are having an issue with this because LDAP doesn't have any attributes to pass for these tickets.

We do need more info on what SSO system you are using.

Joe