2.6 Web Authentication Methods

Implement common web authentication methods when testing web applications.

Overview

Enterprise web applications typically require authentication for access. Implementing and testing various authentication methods is crucial for security and functionality. Comprehensive web application testing should support multiple authentication mechanisms to effectively evaluate HTTP requests, page loads, transactions, and APIs.

Preparing for the Exam

While the exam focuses on ThousandEyes-specific authentication knowledge, a general understanding of web authentication principles is expected. This includes familiarity with protocols like SAML, OAuth, and OpenID Connect, as well as concepts such as token-based authentication and session management.

Key Concepts

  • Single Sign-On (SSO)
    Enables users to access multiple applications with one set of login credentials.

  • Multi-Factor Authentication (MFA)
    Requires users to provide two or more verification factors for enhanced security.

  • Security Assertion Markup Language (SAML)
    A standard for exchanging authentication and authorization data between an identity provider and a service provider, enabling SSO.

  • Basic Authentication
    Transmits the username and password Base64-encoded in the Authorization header; Base64 is an encoding, not encryption, so the credentials are effectively sent in plain text.

  • NTLM Authentication
    A suite of Microsoft security protocols for user authentication.

  • Kerberos Authentication
    Uses secret-key cryptography and a trusted third party for secure authentication.

  • OAuth Authentication
    An open standard for access delegation, granting limited access to user data without sharing passwords.

  • OpenID Connect
    An authentication layer on top of OAuth 2.0 for verifying user identity and obtaining basic profile information.

Authentication Methods and Test Types

The relationship between authentication methods and test types in ThousandEyes is important to understand for effective monitoring. Different test types support various authentication methods:

  • HTTP Tests: Support Basic, NTLM, Kerberos, and OAuth authentication methods. For two-step OAuth scenarios, custom headers can be configured to accommodate more complex authentication schemes.

  • Page Load Tests: Support the same authentication methods as HTTP Tests, including Basic, NTLM, Kerberos, and OAuth. Note that SSO and MFA are not directly supported.

  • Transaction Tests: Offer the most flexibility, allowing scripted interactions to handle complex authentication flows, including multi-step processes and dynamic challenges.

  • API Tests: Unlike the other test types, authentication settings are configured per step in the API Step Builder. API Tests support the Basic (RFC 7617) and Bearer (RFC 6750) HTTP authentication schemes.
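The two-step OAuth scenario described for HTTP Tests above (POST client credentials to obtain a token, then GET the resource with that token) and the Basic (RFC 7617) and Bearer (RFC 6750) schemes used by API Tests, as an added example that is not ThousandEyes code: the endpoints, client credentials and token are constructed placeholders, and `fake_transport` stands in for a real HTTP client and server so the flow runs offline.

```python
import base64
import json
from typing import Dict, Tuple

# Constructed sample values: placeholder endpoints and credentials, not real ones.
TOKEN_URL = "https://auth.example.test/oauth2/token"
RESOURCE_URL = "https://api.example.test/v7/agents"
CLIENT_ID, CLIENT_SECRET, ISSUED_TOKEN = "te-monitor", "s3cret-placeholder", "constructed-access-token"

def basic_authorization(user: str, password: str) -> str:
    """RFC 7617 Basic credential: 'user:password' Base64-encoded. Encoding only, so it relies on TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

def decode_basic_authorization(header: str) -> Tuple[str, str]:
    """Recover user and password from a Basic header; anyone who can read the header can do this."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def fake_transport(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Constructed token endpoint and protected resource standing in for real servers: returns (status, body)."""
    auth = headers.get("Authorization", "")
    if method == "POST" and url == TOKEN_URL:
        try:
            ok = decode_basic_authorization(auth) == (CLIENT_ID, CLIENT_SECRET)
        except ValueError:
            ok = False
        if not ok or body != "grant_type=client_credentials":
            return 401, json.dumps({"error": "invalid_client"})
        return 200, json.dumps({"access_token": ISSUED_TOKEN, "token_type": "Bearer"})
    if method == "GET" and url == RESOURCE_URL:
        if auth != f"Bearer {ISSUED_TOKEN}":  # RFC 6750 bearer token check
            return 401, json.dumps({"error": "invalid_token"})
        return 200, json.dumps({"agents": [{"agentName": "constructed-agent"}]})
    return 404, ""

def client_credentials_flow(transport, client_id: str, client_secret: str) -> Tuple[int, str]:
    """Step 1: POST client credentials (Basic) for a token. Step 2: GET the resource with it as Bearer."""
    status, body = transport("POST", TOKEN_URL,
                             {"Authorization": basic_authorization(client_id, client_secret),
                              "Content-Type": "application/x-www-form-urlencoded"},
                             "grant_type=client_credentials")
    if status != 200:
        return status, body  # token step failed, so the resource request is never sent
    token = json.loads(body)["access_token"]
    return transport("GET", RESOURCE_URL, {"Authorization": f"Bearer {token}"}, "")
```

A single HTTP Server test issues only the second request with a pasted Bearer value in a custom header; the first step is what a Transaction or API test has to perform on each run.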

Preferred Authentication Methods in Different Scenarios

The choice of authentication method often depends on the specific requirements of the application and the security needs of the organization:

  1. Single Sign-On (SSO): Preferred in enterprise environments with multiple applications, as it improves user experience and centralizes access control. ThousandEyes supports SSO testing, which is crucial for ensuring seamless access across integrated systems. For more information on implementing SSO in ThousandEyes tests, check out the guide on Transaction Test SSO Support.

  2. Multi-Factor Authentication (MFA): Recommended for applications handling sensitive data or requiring high security. While MFA enhances security, it can complicate automated testing. ThousandEyes provides ways to handle some forms of MFA in transaction tests, as detailed in the Working with Secure Credentials documentation.

  3. API Key Authentication: Often used for machine-to-machine communication and is well-suited for API tests. ThousandEyes API tests can be configured to use API keys, as shown in the API Test Use Cases documentation.

  4. OAuth and OpenID Connect: Preferred for applications that need to access user data from third-party services without handling passwords directly. These methods are particularly useful in transaction tests simulating user interactions across multiple services.

ThousandEyes-Specific Implementations

Note: When implementing authentication in ThousandEyes, always refer to the most up-to-date documentation, as features and supported methods may evolve. The Test Settings for Page Load and Transaction Tests guide provides comprehensive information on configuring authentication for the different test types.

Platform-specific considerations:

  • Credential Management: ThousandEyes provides a secure credential store for managing authentication information used in tests. This feature is unique to the platform and crucial for maintaining security in automated testing scenarios.

  • Agent-Specific Settings: Some authentication methods, like Kerberos, require specific configuration on ThousandEyes agents. These settings are managed through the ThousandEyes interface and may differ from standard implementations.

  • Custom Scripting: For complex authentication flows, ThousandEyes transaction tests allow custom JavaScript to handle unique scenarios that may not be covered by standard authentication methods.

To learn more about configuring these ThousandEyes-specific features, consult the Working with Test Settings guide.

Hands-on Activities

Activity 1: Explore the authentication methods available for web tests

  1. If you have not already, sign up for a ThousandEyes trial here: https://www.thousandeyes.com/certificationsignup.
  2. Go to Cloud & Enterprise Agent > Test settings > Start monitoring > Start with a single test.
  3. Select Web.
  4. All authentication settings will be available in the Advanced Settings tab.
  5. What are the schemes available for HTTP Server, Page Load and Transaction Tests?
  6. What are the parameters required by each different authentication method (Basic, NTLM, Kerberos, OAuth)?
  7. Configure an HTTP Server test against the ThousandEyes API (https://developer.cisco.com/docs/thousandeyes/overview/).
    • For example, the agents endpoint, https://api.thousandeyes.com/v7/agents, returns the list of available ThousandEyes agents.
    • In Advanced Settings > Scheme: None > Custom Headers > Root Request, add the header Authorization: Bearer your-oauth2-bearer-token (with your own token in place of the placeholder).
    • Go back to the Basic Configuration settings and, after selecting the interval and agents, click Create New Test.
  8. In Views, select your test name and review the test results for the web and network layers, for each available metric, and in the Path Visualization view.

Figure 2.6-1: Web Authentication Methods Activity

Resources

Sample Questions

2.6 Question 1

An engineer needs to create a test that requires authentication configuration to monitor an API. The test must send a POST request with client credentials parameters to get a token. The token then needs to be sent out on a GET request to be authorized to get the resource. What must be done to meet the requirements? (Choose two)

  • A) Configure the HTTP server test to use Basic authentication for client credentials
  • B) Configure the HTTP server test to use NTLM authentication for client credentials
  • C) Configure the HTTP server test to use OAuth authentication for client credentials
  • D) Parameters are not supported by HTTP server OAuth authentication; use a Transaction script instead
  • E) Parameters are not supported by HTTP server OAuth authentication; use an API test instead

Exhibit 2.6-1: HTTP Authentication Options

2.6 Question 2

You are tasked with creating a ThousandEyes transaction test to monitor the login process of a web application that uses SAML-based SSO with MFA. The MFA step involves a one-time password (OTP) generated by a mobile app. How can you configure the ThousandEyes test to successfully navigate this login process?

  • A) Configure the test to automatically enter the OTP from the mobile app.
  • B) Manually enter the OTP in the test configuration each time it changes.
  • C) Use a ThousandEyes webhook to retrieve the OTP from a third-party service.
  • D) Exclude the MFA step from the transaction test and focus only on the SAML login.

2.6 Question 3

You are investigating intermittent failures in a ThousandEyes transaction test targeting a web application that uses Basic Authentication. The failures occur randomly across different agents and times of day. What steps would you take to troubleshoot and resolve the issue? (Select all that apply)

  • A) Disable Basic Authentication in the test configuration to isolate the problem.
  • B) Verify the correctness of credentials by manually logging into the application from different locations.
  • C) Analyze the ThousandEyes waterfall charts and HTTP response codes to identify potential bottlenecks or errors.
  • D) Contact the web application vendor to report the issue and inquire about possible server-side problems.