Monitoring Services with Multi Factor Authentication and ASM
search cancel

Monitoring Services with Multi Factor Authentication and ASM

book

Article ID: 145041

calendar_today

Updated On:

Products

CA App Synthetic Monitor

Issue/Introduction

We have some ASM monitors that use scripts to monitor internal websites. Some of these sites have moved to our central SSO which uses 2-step authentication.
 
Is it possible to use ASM to monitor these sites?
 
 

Environment

Release : 10.1

Component : ASM

Resolution

MFA aims to improve security by requiring a user to supply, in addition to login credentials, some other information obtained through a secondary, out-of-band channel (typically email, SMS, OTP generator...).
For MFA to fulfill its purpose, the following conditions must be satisfied: 
a) information obtained through the secondary channel is valid only for the duration of a single authentication session and cannot be reused for subsequent attempts.
b) the secondary channel must not be accessible by anyone except the user that is being authenticated.
 
For the reasons stated above, it is not possible to use an automated monitoring agent such as ASM to securely login to a service that requires MFA.  This is not a limitation specific to ASM - it applies to synthetic monitoring in general.
 
Theoretically, one could get through the MFA login if they gave the monitoring agent access to the secondary channel - typically, this would involve redirecting an email with an authentication token to the monitoring station, where the agent can pick it up.  
But this solution violates point b), so it's no more secure than not using MFA at all.
 
Instead, the recommended practice is to create a special locked-down account for monitoring, with MFA disabled. The account should not be used for any other purpose, and should have access only to the minimum functionality necessary for monitoring the service. If possible, the account should be accessible only from the monitoring station.


SAML is now officially supported for ASM logins. Individual accounts can be configured to use single-sign-on using your corporate standard. Contact Broadcom support if you want to enable login through your identity providers.
Two-factor authentication can be enabled for any account through User Preferences, Security Settings. You then need an RFC6238-compliant mobile application such as Google Authenticator or FreeOTP to be able to log in. This option becomes disabled, when the account is configured to use SAML.