Docs feedback: Clarify SSO support with DAST
Problem to solve
The Authentication section of the DAST documentation does not clarify whether SSO is supported. The Problem Validation: DAST: Viable to Complete (#212238 - closed) issue suggests that SSO is supported.
Summarizing the conversation about this in Slack:
- DAST supports SSO.
- There are caveats. The caveats that we know of presently are:
  - If there is a reCAPTCHA on the login form, DAST cannot bypass it.
  - DAST cannot handle multi-factor authentication (SMS, OTP via authenticator app, etc.).
  - DAST expects a random value to be set on the browser as local/session storage or a cookie value.
- The ZAP documentation suggests making your life easier by disabling or simplifying authentication.
- We say the following about authentication and DAST:
  - We highly recommend configuring the scanner to authenticate to the application.
  - Never run an authenticated scan against prod: only run an authenticated scan against a test server.
The referenced Slack conversation is available to GitLab team members until approximately early December 2022. As a result, I have captured the relevant bits here.
To close this issue, we should update the docs to:
- Clarify that SSO is supported with the caveats listed above
- Optionally make our position on simplifying/disabling auth for DAST clearer
In order for me to do that, I need a bit more clarification on the third caveat.
Further details
Proposal
Who can address the issue
Other links/references