Provblems logging into HP Application Lifecycle Management 11.52.634

At work we use "HP Application Lifecycle Management" (ALM) to track issues.
This is a web application running in the Internet Explorer 11.0.9600.18349
When I log me into ALM then 1Password doesn't ask me if the password should be stored in the vault.
When I log into other web apps like "HP Project and Portfolio Management Center" (PPM) then 1Password asks if the password should be stored in the vault.
Is there a trick how I can use 1Password to log me into ALM?


1Password Version: 4.6.0.604
Extension Version: 4.6.0.604
OS Version: Windows 7 Enterprise
Sync Type: Not Provided

Comments

  • Hi @OLLI_S,

    Try saving it manually to see if it helps:

    1. Type in your username and password on the ALM site but do not submit the form yet
    2. Click on the 1Password button in your browser's toolbar and go to Settings > Save New Login

    Try again, see if it works. If not, is this a public-accessible site that we can look at, so we can see how it works?

    If it is not using the standard HTML fields, then 1Password won't work on it, it can only fill the standard HTML forms, not Java applet or ActiveX like that.

  • OLLI_S
    OLLI_S
    Community Member

    When I do this, then 1Password tells me that there "1Password cannot find a login on this page".
    It is an application from HP that is installed on our internal servers, so it is not accessible from your side.
    Does 1Password have a debug switch that provides useful information for you?

  • Hi @OLLI_S,

    When you're on ALM site's login page, what do you see when you right-click onto the login form, the standard menu? Flash, Java or other technologies tend to have a different contextual menu and may show the version information as well.

    Can you try to open it in a different browser to see what error it shows, they may say no Flash player or Java is supported on the page.

  • OLLI_S
    OLLI_S
    Community Member

    Right click on the login form has no effect, there is no context menu.
    When I start ALM in Mozilla Firefox I get the message that only Internet Explorer is supported.
    And I know that they install any Active-X components that are required.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @OLLI_S: I hope you don't mind, but I've moved this to the browser filling category in case there's something we can do on the extension side to improve this. Without knowing the URL so I can test it myself, it's hard to say if that is possible.

    Regardless, I wonder if the Auto-Type feature in 1Password for Windows version 4 may help you here:

    Creating an application login

    In many cases, using Auto-Type will work where 1Password is unable to integrate at all or cannot access text fields (for example, Flash, ActiveX, Java). Let me know if that helps! :)

  • OLLI_S
    OLLI_S
    Community Member

    @brenty
    I use the application login for Steam, so why did it not come in my mind to use it for ALM too.

    I created an application login and added the application (after selecting the Internet Explorer window the text "IEFrame" is shown here).
    When I press the login hotkey Ctrl+# then the following error message (balloon at the system tray icon) is shown:
    1Password could not fill any fields on https://qc.MyCompany.de.awin/qcbin/start_a.jsp
    Note: here I replaced the name of my company with the text "MyCompany".

    When I open 1Password and click on the "Auto-Type" button behind the password, then the password is filled in.
    This woks, but this is not a comfortable solution.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited August 2016

    I use the application login for Steam, so why did it not come in my mind to use it for ALM too.

    @OLLI_S: Ah, likewise! I'll be honest, I forget about Auto-Type sometimes too, because I just use the keyboard shortcut without thinking. Once it's setup, it's pretty transparent. Most of the time.

    When I press the login hotkey Ctrl+# then the following error message (balloon at the system tray icon) is shown:

    1Password could not fill any fields on https://qc.MyCompany.de.awin/qcbin/start_a.jsp

    Note: here I replaced the name of my company with the text "MyCompany".

    Without being able to see it I can't say for certain, but it sounds like you're running into this issue because Internet Explorer does not allow add-ons to access iframe, and for some bizarre reason some websites put the login form on a different page and load it in a frame. This is also the case with Mobile Safari: iOS extensions cannot access iframe there either. Frankly, I think this is a good thing since the user has no way of knowing which website is actually receiving their data if it's cloaked in a frame. And there isn't any way around this apart from the Auto-Type workaround you mentioned. I'm sorry I don't have a better answer for you.

  • OLLI_S
    OLLI_S
    Community Member

    Here my old password manager KeePass works.
    KeePass uses the title in the window to identify the entry.
    I know that this is absolutely not secure and when I have a phishing mail that routs me to www.hacking-bad-domain" but in the browser tab there is "Welcome to your Online Banking" then KeePass would log me in.

    But is this rare case such an option would be fantastic.
    What if you allow the login via the application title?

    Here you could add a Checkbox "Login via the Title of the Website".
    When I activate it, i get a huge red warning that this is very dangerous an only should be used for secure websites.

    But I think that this is too risky, right?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @OLLI_S: It's certainly something worth considering, but you're right that it could pose a risk. For example, if you flag a login to ignore a Watchtower warning, and then you miss future warnings because of that. And certainly any time we add options we need to be careful. They add complexity and — potentially — confusion. Sometimes this is "harmless", but when security is involved, someone misunderstanding what it does could leave themselves vulnerable unwittingly. I'm not sure what the solution may be here, so it's good that we're having this discussion! :chuffed:

  • OLLI_S
    OLLI_S
    Community Member
    edited September 2016

    @brenty:
    You are talking about "ignoring entries in Watchtower".
    Here I suggested "Login via the application title (like KeePass is doing it) to make this single entry work.

    But I see that this would cause too many security problems, so I guess that I will have to login manually (by pressing the AutoType button behind the username and the password).
    The only problem is, that our Admins set the inactivity timeout to less than 30 minutes in HP Application Lifecycle Management, so I have to log in very very often.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Indeed. It certainly sounds like you're a bit stuck there with that policy. :(

  • OLLI_S
    OLLI_S
    Community Member

    Is there any chance that you take the suggestion "identify a process by the windows title" under consideration?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @OLLI_S: I'm a bit confused since we were previously discussing a website, not Windows processes. Are you referring to the 1Password 4 Auto-Type feature now? Depending on how it's enumerated, this isn't always possible, and there are limitations to what 1Password 4 can do given its age. But it's certainly something we'd like to improve as we develop future versions. :)

  • OLLI_S
    OLLI_S
    Community Member

    @brenty: sorry for the confusion.

    When I press in KeePass the hotkey for Autotype, then KeePass reads the application title bar of the current active window (for example "Steam Login") and then looks in his database if there is an entry that matches this window title.
    This is the reason why I can add window titles to an password entry.
    If there is an matching entry found, then KeePass enters the username, simulates the [Tab] key, enters the password and simulates the [Enter] key.

    For websites this is working exactly the same.
    If I go to this forum to the login page and press the hotkey for Autotype in KeePass, then the active application is the web browser.
    Here the text in the application title bar is:
    Sign In — AgileBits Support Forum ‎- Microsoft Edge
    If I would store this information in KeePass then this would only work with the Edge browser, so I am using an "Asterisk" (unfortunately I can not insert an star here) to make it work with all browsers:
    Sign In — AgileBits Support Forum*

    For the web application HP Application Lifecycle Management the Window title is:
    HP Application Lifecycle Management - Microsoft Internet Explorer
    so I have stored in KeePass:
    HP Application Lifecycle Management*

    So, no matter if you log into an application or into a website, each application in windows (for websites it is the web browser) has an application title bar with a caption.

    And for KeePass this is very unsafe, because I could have the domain www.hacking.com and in the title bar the text "Welcome to your online banking".
    This is one reason why I switched to 1Password.

    But for HP Application Lifecycle Management the window title would work.
    This is the reason why I suggested this feature (only after you show a big warning that using the title bar text is very dangerous).

  • AGAlumB
    AGAlumB
    1Password Alumni

    @OLLI_S: Ohhh! There's a database. Thanks for explaining that! I know a lot of apps use some really inscrutable window naming schemes, so I understand why that would be necessary for that to work. I see what you mean, and I appreciate you tying that together. That makes sense.

    And for KeePass this is very unsafe, because I could have the domain www.hacking.com and in the title bar the text "Welcome to your online banking". This is one reason why I switched to 1Password.
    But for HP Application Lifecycle Management the window title would work. This is the reason why I suggested this feature (only after you show a big warning that using the title bar text is very dangerous).

    Absolutely! It's convenient, and less of a risk with local apps, but it's trivial for any site to change their title to match another. We can consider something like this for 1Password, but you're correct that given the security risks it would need to be weighed carefully and include appropriate warnings if we go that route. Perhaps we'll be able to come up with an even better solution, both from a user perspective and for security in general. :)

  • OLLI_S
    OLLI_S
    Community Member

    @brenty
    When I wrote "database" I ment the KeePass vault file.
    KeePass calls it "database", you call it "vault".

    For a better understanding here is a screenshot of the tab "Auto-Type" when I edit an entry:

    I really hope you find a better and more secure solution.

    Why not a button that performs {USERNAME}{TAB}{PASSWORD}{ENTER} ?
    So I would search for the entry "HP Application Lifecycle Management" in 1Passwrd and perform the login with one click.
    Here it would be very useful when I can adjust the Autotype Sequence (so {PASSWORD}{ENTER} would also be possible).

  • AGAlumB
    AGAlumB
    1Password Alumni

    When I wrote "database" I ment the KeePass vault file. KeePass calls it "database", you call it "vault".

    @OLLI_S: Doh! You're right, I totally misunderstood that bit. Thanks for setting me straight!

    Why not a button that performs {USERNAME}{TAB}{PASSWORD}{ENTER} ?

    That's essentially what the Auto-Type button in the top toolbar of the main 1Password app does, if you use it rather than setting up a login to work with the keyboard shortcut. It will ask you to choose the window, and then perform that same sequence.

    Here it would be very useful when I can adjust the Autotype Sequence (so {PASSWORD}{ENTER} would also be possible).

    There are less cases where this is needed, but I agree that sometimes this would be useful. While 1Password doesn't explicitly support this, you can effectively get this functionality by creating a login item without a username, and then focus the password field before invoking Auto-Type. It's not as slick as the browser extensions, but given that general purpose apps don't offer that functionality it's a good alternative. I hope this helps! :)

This discussion has been closed.