
Multi-factor authentication for synthetics

AK
Pro

Hi Team,

It's been a while; we are struggling to configure synthetics for applications which use multi-factor or two-factor authentication, and we have more than 10 such applications which use MFA.

I went through some threads, where they suggested to skip it for the UserID which is used for synthetics.

However, from a security standpoint it's not feasible.

What I was thinking is, pick the PIN from the email ID and use it, or get the PIN from a text file stored on some host/ActiveGate and use it.

Is it something that is doable/achievable with our synthetics?

Regards,

AK

12 REPLIES

AntonioSousa
DynaMight Guru

There are issues with MFA whatever type of synthetic you use.
Now, if you've got your PIN in an email, and are able to put it in a file, you're halfway done.

The other half involves getting the script to read that value. Your aim should be able to get it with JavaScript. It also depends on you using public or private locations. You will not be able to load a file onto a public location, but you could do it in a synthetic ActiveGate. There you could read it from the script. If on a public location, you could upload the PIN to a secret location and get it from there. There would be several issues involved, including probably getting the HTTP to stay stuck before the PIN arrives.

Of course, be careful with all this, as this will defeat MFA in the first place...

Antonio Sousa

Hello Antonio,

I went through some forums, but it seems JavaScript cannot access the local files from the user's device directly; we need to provide the user with a way to select files to use, and an HTML file input element must be used.

Do you have any other way around? I would need your help here to write JavaScript code.

Regards,

AK

AntonioSousa
DynaMight Guru

Yes, normally you can't read from the local disk with JavaScript, as it would be a security disaster.

So, for the read to work, you would have to reconfigure the browser and use special JavaScript. Not sure if Dynatrace would block any of it, and to be clear, I have not worked this out myself. Of course, to do this, you have to run your private synthetic location, and do the tweaking. This will be unsupported by Dynatrace, of course, as you are really hacking it out...

The other way I imagine it can work, without files, is getting it through a webservice or other type of HTTP call, to a web server that would give the reply. It would be a blocking call to that service, that would reply once the MFA value is known. You could then get the value into the Dynatrace synthetic script, and run it from there. Please beware of the multiple security risks involved...

Antonio Sousa

Hello Antonio,

Somehow I'm able to get the PIN via API.

- Steps I followed while recording are,

1. Loading of main URL

2. Login with credentials

3. PIN generation page appears

4. Access API URL in new tab which has PIN value

- Custom Steps are, (not configured yet)

5. Add JavaScript step to fetch the PIN value and save the value

6. Pass the value to the PIN generation page

Now the problem is, when we play back this script, the API URL entered in the 4th step never gets launched in a new tab. Instead of that, it launches in the same window, and this is making it difficult to configure the 5th and 6th steps.

Regards,

AK

In the 3rd step, besides loading the page, you should include an XHR request that gets the data. If you launch a new page, or leave that page, I believe you will not be able to go back.

You should probably follow the example laid out in the following help page:

https://www.dynatrace.com/support/help/how-to-use-dynatrace/synthetic-monitoring/browser-monitors/br...

Antonio Sousa

Hi Antonio,

Thanks for your help, much appreciated. The solution worked perfectly fine.

Regards,

AK

Aby
Newcomer

Hello AK,

I am working on a similar case where I need to set up Browser monitoring involving Log in with Single Sign-on and MFA. We were thinking of a solution using the secret key option with Microsoft authenticator app which is consistent with each time of log in.
I was referring to your post and would like to try this out. I am not a JavaScript expert and I am new to Dynatrace too. Could you please share the script that was used to manage the MFA part so that I can try implementing this solution?

Thanks in advance!

HannahM
Dynatrace Leader

You can use the fetch from here https://www.dynatrace.com/support/help/how-to-use-dynatrace/synthetic-monitoring/browser-monitors/br... to get your token. If you need to add headers, you could do it like this:

api.startAsyncSyntheticEvent();
fetch('<yoururl>', {
    method: 'POST',
    headers: {
        'content-type': 'application/json',
        'Access-Control-Allow-Origin': '*',
        'Access-Control-Allow-Headers': 'X-Requested-With'
    }
}).then(function(response) {
    // Treat any non-2xx status as a failure
    if (!response.ok) {
        throw Error(response.status + ":" + response.statusText);
    }
    return response;
}).then(response => response.text()).then(text => {
    try {
        api.info('Resp length:  ' + text.length);
        if (text.indexOf('code') >= 0) {
            // <your code to retrieve token> goes here; as a stand-in, the whole response text is used
            var token = text;
            api.setValue("token", token);
            api.finish();
        } else {
            api.fail("Invalid Response");
        }
    } catch (err) {
        api.fail("Failed to Execute");
    }
}).catch(function(error) {
    api.fail(error);
});

You can then use the variable token later, either by calling api.getValue("token") in a JavaScript event or {token} in a field. More info here

Synthetic SME and community advocate.
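
An added example, not part of the post above and not Dynatrace's own code: one way to fill in the token-retrieval step so the PIN is validated before it is stored and its value never reaches the monitor log. The response shape {"code":"123456"}, the six-digit format, the GET method and the names extractPin, handlePinResponse, fetchPin and pinUrl are assumptions.

```javascript
// Added example. Assumptions: the PIN service returns JSON such as
// {"code":"123456"} and a valid PIN is exactly six digits.
function extractPin(bodyText) {
    var parsed;
    try {
        parsed = JSON.parse(bodyText);
    } catch (err) {
        throw new Error('PIN response is not JSON');
    }
    var pin = parsed && parsed.code;
    if (typeof pin !== 'string' || !/^\d{6}$/.test(pin)) {
        throw new Error('PIN field missing or malformed');
    }
    return pin;
}

// Turns one HTTP result into exactly one api.finish() or api.fail() call.
// Error messages never contain the body, so the PIN stays out of the logs.
function handlePinResponse(api, ok, status, bodyText) {
    if (!ok) {
        api.fail('PIN service returned HTTP ' + status);
        return false;
    }
    try {
        api.setValue('token', extractPin(bodyText));
        api.info('PIN stored, response length: ' + bodyText.length);
        api.finish();
        return true;
    } catch (err) {
        api.fail(err.message);
        return false;
    }
}

// Wiring for a browser monitor JavaScript event; pinUrl is a placeholder.
// Only a request header is sent: Access-Control-* headers belong to the server's response.
function fetchPin(api, pinUrl, fetchImpl) {
    api.startAsyncSyntheticEvent();
    return fetchImpl(pinUrl, { method: 'GET', headers: { 'Accept': 'application/json' } })
        .then(function (response) {
            return response.text().then(function (text) {
                return handlePinResponse(api, response.ok, response.status, text);
            });
        })
        .catch(function (error) {
            api.fail('PIN request failed: ' + error.message);
            return false;
        });
}
```

In a monitor's JavaScript event this would be invoked as fetchPin(api, '<yoururl>', fetch), and the stored value read later through {token} as described above.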

rohan1shah
Contributor

Hello, I tried using the same code for GET function. I am trying to retrieve password of a CyberArk account from a vault but it seems that I keep getting the "Playback error: TypeError: Failed to Fetch" when I run the below. I can confirm it is not a connection/firewall issue. 

When executing the synthetic event, browser console shows WARNING - "WEB-APP logger error: The message port closed before a response was received."

Any suggestions?

api.startAsyncSyntheticEvent();
var token;
var requestOptions = {
    method: 'GET',
    headers: {
        'content-type': 'application/json',
        'Access-Control-Allow-Origin': '*',
        'Access-Control-Allow-Headers': 'Origin, X-Api-Key, X-Requested-With, Content-Type, Accept, Authorization',
        'Access-Control-Allow-Methods': 'GET,PUT,POST,DELETE',
        'Access-Control-Allow-Credentials': 'true'
    },
};

fetch("https://ccp.bmogc.net/AIMWebservice/api/Accounts?Folder=Root&AppID=CCP_TEST&Safe=CCP_TEST&UserName=CCP_TEST_ACCOUNT", requestOptions)
    .then(response => response.text()).then(text => {
        try {
            api.info('Resp length:  ' + text.length);
            if (text.indexOf('code') >= 0) {
                api.setValue("token", text);
                api.finish();
            } else {
                api.fail("Invalid Response");
            }
        } catch (err) {
            api.fail("Failed to Execute");
        }
    }).catch(function(error) {
        api.fail(error);
    });

Does the same request work from Postman etc.? @rohan1shah

Synthetic SME and community advocate.

We solved this using the new Credential Vault connection to CyberArk. The one problem we still face is that the HTTP monitor running every 1 hour to pull credentials from CyberArk randomly starts failing for a couple of executions with NULL responses and then starts working again. This not only creates unnecessary alert noise, but also there is no root cause we are able to find for this intermittent failure (1-2 out of 20-24 executions will fail).

Thanks for letting us know. I would recommend opening a chat or support ticket to find out why there is an intermittent failure.

Synthetic SME and community advocate.
