Verifying SSO Login Webcheck

FWIW: https://www.logicmonitor.com/support/lm-synthetics-overview

So, you’d need the webcheck to actually put in the 2nd factor of authentication?

This is my first time creating any kind of web check, so I’m not exactly sure what you’re asking. I have tried adding the step url and then checked the follow redirect box and have tried adding the redirect url as a separate step in the webcheck. In both of those configurations I checked the authentication required and entered credentials of a domain account that has access. Those steps are successful but I’ve been told to actually verify login worked I need to add something that appears on the homepage after a successful login in the response field. It’s after I configure that step that it fails.

I’m also working on configuring a webcheck to verify successful login to the companies LM portal with SSO. Here is a screenshot from the developer tools. I thought I would use data from the first entry under the Name row with checking the follow redirect and authentication required box and then entering account credentials with SSO access but it fails. 

Ok, for the synthetic check to verify someone can login into your LM portal via SSO, LM will need to answer that question (it’s their responsibility). Ask your CSM to have someone technical respond to this thread with instructions on how to do that.

As for the first web check, FreshService login, let’s get some clarity on what you are trying to test. Depending on how the website works, you can do this the easy way or the hard way.

The easy way: If the website uses basic authentication (i.e. not a web page based login), you can point the webcheck to a page that you must be logged in to see. Set the web check to require authentication and put the credentials in the webcheck (use properties, it’s marginally safer/better). The webcheck will try to pull up the protected page, the server will request basic auth credentials, the webcheck will pass basic auth credentials, the server will log you in and return the credential protected page. From there, you can check for a certain element or object or text on that page or you can just check for an http 2xx status code indicating success.

The hard(er) way: If, when you try to go to a page in FreshService that requires authentication and the webserver responds with an HTML page prompting you to login, you’ll need to do multiple steps. You’ll have to debug the login page and find out what HTTP request (probably a post) is done when you hit the login button. Since you appear to have some experience with the developer tools, you can probably figure this out without too much difficulty (respond here with screenshots for help, redact any private info). You’ll need to define the first step in your request to match that request, passing in the corresponding values for the username and password (and any other fields). Upon successful posting of the credentials, the server should respond with a page that you would only have access to after logging in. You can check for the presence of something on that page or you can look for an http 2xx code indicating success.

Thank you For the response @Stuart Weenig ! I have a ticket open with LM support on testing SSO login to my portal with a webcheck. 

For FreshService I have been asked to verify that the site can be reached and that logging in via SSO is working. When I try to go my account dashboard, my homepage, in FreshSerivce I am redirected to a Microsoft login page where I enter my credentials and then I am successfully taken back to my homepage. So I believe I am stuck with the harder of the two options for a webcheck? Can you clarify which url would need to go in which step? Would step one be the redirected login url and then step two would be the homepage/dashboard configured with something that should appear on the page or http 2xx code?

Ah, you’re stuck with the even more complicated method of the harder hard way, haha. Sorry, that’s not funny to you.

This gets really complicated because your FreshService is using MS as your IdP (SSO provider). So you’d have to configure multiple steps and one of those steps would have to reach out to MS using a service account to get a live token, then use that token to actually log in, then verify that the right content is on the page. You’re talking about Groovy scripting each step and running those tests from one of your collectors. It gets really messy.

Options:

1. Modify the requirement so that you’re testing pieces individually. Test that you can log in with a service account that doesn’t use SSO. Monitor MS SSO some other way. Assume that both working means both would work together.
2. Use Selenium (and the MS SSO plugin) to record you logging in. This will get you started with a Selenium script that you’d have to modify to get a complete login working. You’d then use Selenium grid to execute the transaction and monitor the result with LM. This was supposed to be part of the APM offering. LM may have realized that jumping into APM in the deep end wasn’t a good thing so they’re backpedaling a bit on APM. Ask your CSM about getting help monitoring Selenium. It may be that they can turn on a beta feature for you and monitor it directly, or they could at least provide DataSources (I know they exist) to monitor selenium execution results.
3. Write groovy code to execute each one of the steps and run it as an internal web check (I’ve never built one that complex, not sure many/any have).

tl;dr - LM is only ankle deep when it comes to their published features around synthetics. When you get to something this complicated, you’re sort of on your own, or you have to leverage something like Selenium.

Happy to continue this discussion, but you might want to see what your CSM can do for you first.

@MaddyM Did you get any alternative solution from your LM support ticket?  I have a few Saas apps to set up with the same method and would prefer to not need to set up additional infrastructure if possible.  From what I can tell there is a need to be able to pass information between test steps eg set some session cookies based on the initial responses etc, and then this could be done without synthetics. If there is a feature request we can add a vote to I will gladly do so.