HTTP Credential Mapping

The HTTP Credential Mapping page enables Administrators to define how a password-protected website expects credentials from a user. When you configure an HTTP Credential Mapping, you can then create an HTTP or HTTPS Service that injects the information stored on an HTTP Credential Mapping into a website.

This document contains the requirements and process to configure an HTTP Credential Mapping, associate a credential to the HTTP Credential Mapping, and create an HTTP or HTTPS Service that automatically injects credentials into a web server.

Requirements

To configure an HTTP Credential Mapping, you must meet the following requirements:

  • You are an administrator of your server.

  • Your server version must be version 23.1.8 or higher.

  • You already installed the Certificate Installer from your server.

  • Your PAS server's cfg_property must have the audit.http.disable flag set to false.
    This flag is also known as the HTTP Audit Man-In-The-Middle.

  • You must have introductory knowledge to your web browser's development tools and HTML code.

If you do not meet these requirements, your HTTP Credential Mapping configuration will fail.

How to Configure HTTP Credential Mapping

Find the HTTP Credential Mapping menu by hovering the Credentials menu in the System Admin tab. From this page, you can create a new HTTP Credential Mapping. The displayed form requires several details from a website. Ensure that you keep your PAS server window open with this form, as you need to complete the form considering the following:

  • HTTP Credential Mapping Settings

    • Name: A custom, identifiable name for the HTTP Credential Mapping you are configuring.

    • Login POST Request URL: The web address used to send the credentials data to the website's server

    • Login Page URL: The web address that contains the log in form for the website.

  • HTML Elements

    • Username Input ID: The HTML unique identifier for where the user inputs their ID.

    • Password Input ID: The HTML unique identifier for where the user inputs their password.

    • Login Form ID: The HTML unique identifier for where the log in form is.

    • Login Button ID: The HTML unique identifier for the button that sends the credentials.

The following sections provide useful guides on how to obtain each element of the HTTP Credential Mapping form.

To follow all the guides and obtain the required information follow these initial steps:

  1. Open the log in page of the website in a new browser window.

  2. Open the right-click menu for the web page.

  3. Click Inspect.
    The browser DevTools pane opens in your browser.

From the DevTools pane, you can find the required information for the HTTP Credential Mapping form. In the following sections, locate the menu of the DevTools pane where you can find the information.

To find the Login POST Request URL:

  1. Open the Network tab of the DevTools pane in your browser.
    This tab is located at the top of the DevTools pane.

  2. Clear the existing network log.
    Depending on the browser, the button might be located in the top left of the DevTools pane, as a circle and cross icon.

  3. Send a mock attempt to login by typing "test" as a username and password.
    This step triggers the POST Request.

  4. Locate the table of network events and activity in the DevTools pane.
    It contains table headings with Name, Status, Type, Initiator, Size, and Time columns.

  5. Find the POST Request with the following steps:

    1. Click the first row in the Name column.
      This opens a second the name's column pane with several tabs.

    2. In the Headers tab, under General, verify that the Request Method is POST.

    3. Go to the Payload tab.

    4. Confirm that the "test" credentials appear as payload.

    5. If both conditions are met, return to the Headers tab.

    6. Locate the Request URL under General.

  6. Copy the POST Request URL.
    Ensure that you only copy the section after the website common name. For example, do not copy www.website.com/login.action Instead, copy /login.action

  7. Paste the POST Request URL in the form using the following format:
    (.*)/sample.login.post.request.url(.*)
    If you do not use this format, the configuration might fail.

To obtain the Login Page URL:

  1. Open the website that you want to configure.

  2. Verify that the page in your browser contains a form to log in.
    The log in form usually has a text box for an email or username, a text box for a password, and a button to Log In.

IMPORTANT:
It is essential that you use the specific log in page to extract the Login Page URL. From the log in page, you will also extract the HTML Elements in the following sections.

The Login Page URL is located in the navigation bar of your web browser. To extract it:

  1. Click the navigation bar of your browser, which contains the web address.
    The complete address might look like the following example:
    http://www.website.com/login.action

  2. Identify the following two sections of the web address:

    • Domain: The section of the address that contains the site's name. For example: www.website.com.

    • Path: The section of the address that contains the page. For example: /login.action.

  3. Copy the path section of the address.
    In the example, the /login.action section.

  4. Paste it in the Login Page URL text box of the form, using the following format:
    (.*)/login.action(.*)

The HTTP Credential Mapping configuration form requires four HTML elements from the Login Page of the website you are configuring. The following sections provide steps to obtain them. To complete the extraction of the HTML elements, you must open the DevTools pane with the Inspect option of the right-click menu. Ensure that you navigate the DevTools pane in the Elements tab.

The Username Input ID, Password Input ID, and Login Button ID are HTML tags that identify and label the username textbox, password text box, and log in button in the website's log in page.

You can obtain these attributes by following the same steps:

  1. Right-click the element you need to obtain.

  2. Click Inspect.
    The DevTool pane highlights the section that contains the element.
    You can repeatedly right-click and Inspect the element to re-locate it in the DevTools pane.

  3. Locate the <input> tag.
    This tag might be inside several <div> tags and contain several attributes inside.

  4. Locate the id attribute inside the <input> tag.

  5. Copy the id attribute.

  6. Paste the id attribute in the HTTP Credential Mapping form.
    Ensure that you do not add or remove characters, including spaces.

IMPORTANT:
If the website does not have <input id="sample"> tag and attribute for the Username Input ID, Password Input ID, and Login Button ID elements, continue to save the HTTP Credential Mapping form without HTML Elements and read the Manual Credential Injection section of this document.

Login Form ID

Unlike the other HTML elements, the Login Form ID is not located inside an <input> tag, as it is not an element that accepts user input. Instead, it is an HTML container that holds the Username Input ID, Password Input ID, and Login Button ID. To find the Login Form ID:

  1. Open the DevTools pane in the Log In page.

  2. Ensure that you open the Elements tab.

  3. Hover your cursor over the HTML code, while also identifying which parts of the web page are highlighted when you hover.

  4. Use the expand arrows on the left of the code to highlight more specific areas of the web page.

  5. Locate the <div> tag that highlights the entire log in form.

  6. Locate the id attribute inside the <div> tag that contains the log in form.

  7. Copy the id attribute.

  8. Paste the id attribute in the HTTP Credential Mapping form.
    Ensure that you do not add or remove characters, including spaces.

After you finish completing the HTTP Credential Mapping form, click Save and continue to associate a Credential to the HTTP Credential Mapping you created. Read the Add a Secret or Credential section in the Vault or Credentials page.

How to Add HTTP Credential Mapping to a Service

This section contains the process to configure an HTTP or HTTPS Service to use the HTTP Credential Mapping feature to automatically inject credentials into a website during a Session.

HTTP or HTTPS Services are not compatible with all websites. The most common limitations of these services are:

  • You can only configure HTTP or HTTP Services to access internal websites or webservers. Public URL are not compatible with the HTTP or HTTPS Services.

  • The website may be developed in a way that URL tokens are stripped away from the URL on refresh or redirect.

  • The website may scramble or randomize the PAS URL Token by mixing it with other appended URL variables.
    You must use the full, unbroken token for the Services to work.

  • The website may redirect to other domains for credential validation, which cause the credential injection to fail.

  • The website may require a specific certificate to validate and authorize access, which can not be configured in the PAS server.
    Submit a ticket to Customer Support to request information on how to configure a "squid clone" certificate.

  • The website utilizes a login form behavior where the login button is disabled until both fields are clicked or typed into. The HTTP and HTTPS Services simulate a keystroke, but it may not satisfy the programming of all websites.

Read the Manual Credential Injection section to troubleshoot some of these issues.

You can add an HTTP Credential Mapping to a Service when you follow the process of Adding or Editing a Service to an Application. To complete the configuration of adding an HTTP Credential Mapping to an HTTP or HTTP Service:

  1. Open the application that requires the HTTP or HTTPS Service.

  2. Click Edit Services in the View Application page.

  3. Add or edit the HTTP or HTTPS service that your server will be passing a credential for.

  4. Add the Login Page URL Path to the Paths section of the service.
    Read the HTML Elements section of this document.

  5. Verify that the Launch Via field is set to Host name.
    If this field does not appear, Save the Service and then click Edit again.

  6. Click Add in the Credentials section of the service.

  7. Select the HTTP Credential Mapping that you configured.

  8. Click the Save.

The Mapped Credential is now ready to use. When configured properly, launching the HTTP or HTTPS service will open the desired website.

Insert the randomized token ID and Password, and log the user in automatically.

Manual Credential Injection

Some websites are developed in a way that the automatic credential injection cannot work. In this instance, using "Manual Mode" enables the user to copy and paste each part of the token credential one at a time. Use the Manual Credential Injection:

  1. Connect to the Application that has the HTTP or HTTPS Service.

  2. Hover your mouse over the HTTP or HTTPS Service.
    The Description area populates with the credential you added.

  3. Click the eye to expand the credential.
    The Service displays a hidden username, a hidden password, and the View and Copy buttons.

  4. Copy and paste the credentials into the website's login page.
    If the website does not accept the copy and paste credentials, type the credentials manually.

    • Type in the username and password as they appear in the Service.

    • The server intercepts the web traffic and replaces the input credential with the encrypted credential.

NOTE:
A new randomized Token Password is created each time a user connects or disconnects from the VPAM Application.