What is best way to handle ADFS login authentication in ZAP during scanning/Spidering


CI/CD ZAP

Apr 21, 2021, 1:50:42 AM4/21/21
to OWASP ZAP User Group
I am doing automation using the ZAP baseline script and I have an application using ADFS login authentication. Could you please let me know the best way to handle this, as I have been trying form-based authentication with the ADFS URL as the login URL but am unable to get it to work.

Simon Bennetts

Apr 21, 2021, 4:24:46 AM4/21/21
to OWASP ZAP User Group
Your options are, best to 'worst':
  1. Run your app in a safe environment where you can turn ADFS off, so either no authentication or one that's much easier to script
  2. Generate a valid authentication token outside of ZAP and then configure ZAP to inject it into the requests
  3. Configure ZAP to handle ADFS auth
The last option should be possible but will not be easy. You will need to understand exactly how ADFS authentication and session handling works and configure ZAP to handle it. I've never used it so cannot give you any advice or guidance.
I've covered authentication in various videos linked off https://www.zaproxy.org/videos/

If anyone else has configured ZAP to handle ADFS (or knows how it works in detail) then please say :)

Cheers,

Simon
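One way to do option 2 from the list above in a zap-baseline run, as an added example that is not from this thread or from the ZAP project: the session value is obtained by some login step outside ZAP (here it is just passed in as an argument; how you obtain it depends on your ADFS setup), and ZAP's Replacer add-on is told, via the documented `replacer.full_list(N).*` options passed through zap-baseline's `-z` flag, to set a Cookie header on every request it sends. The cookie name `sid`, the `TARGET` variable and the `./zap-baseline.py` path are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the ZAP project): option 2 above,
# get a session outside ZAP, then make ZAP's Replacer add it to every request.
set -eu

# Emit the "-config" options for one Replacer rule that sets a request header.
# The keys are ZAP's documented replacer.full_list(N).* options; index 0 is
# the first rule. Backslash-newline inside the quotes joins this into one line.
zap_replacer_config() {
  header="$1"; value="$2"
  printf '%s' "-config replacer.full_list(0).description=injected-auth \
-config replacer.full_list(0).enabled=true \
-config replacer.full_list(0).matchtype=REQ_HEADER \
-config replacer.full_list(0).matchstr=$header \
-config replacer.full_list(0).regex=false \
-config replacer.full_list(0).replacement=$value"
}

# zap-baseline splits the -z string on spaces before handing it to ZAP, so a
# token or cookie value containing a space would silently break the rule.
# Refuse such values (and empty ones) instead of running an unauthenticated scan.
check_token() {
  case "$1" in
    '') echo "empty session value" >&2; return 1 ;;
    *' '*) echo "session value contains a space; -z cannot carry it" >&2; return 1 ;;
  esac
  return 0
}

# main COOKIE_NAME COOKIE_VALUE
# COOKIE_VALUE is whatever the application sets once the ADFS round-trip has
# completed; obtaining it (curl, a headless browser, a test-user login script)
# is outside ZAP and outside this example.
main() {
  cookie_name="$1"
  cookie_value="$2"
  check_token "$cookie_value"
  opts=$(zap_replacer_config Cookie "$cookie_name=$cookie_value")
  # -z passes raw ZAP command-line options through zap-baseline to ZAP itself.
  ./zap-baseline.py -t "${TARGET:?set TARGET to the application URL}" -z "$opts"
}

# Only run the scan when invoked with arguments, e.g.:
#   TARGET=https://app.example ./inject_session.sh sid "$SESSION_VALUE"
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

The rule is applied to every request ZAP sends, not only to the target, so keep the scan scoped to the application (the `-t` target for zap-baseline, or a context in a full scan) so the session cookie is not replayed to third-party hosts the spider happens to follow. A bearer token would go in an `Authorization` header the same way, but its value contains a space, so it cannot be passed through `-z` as-is; set that rule through the ZAP API or a saved session instead.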

CI/CD ZAP

Apr 21, 2021, 7:53:06 AM4/21/21
to OWASP ZAP User Group
Thank you Simon for the prompt reply. I have been going through these videos and find them very useful.
Regarding option #3, configuring ZAP to handle ADFS authentication: I have been trying to set it up in the authentication tab but with no success, and I have also tried to record the authentication process using an authentication script and use it in a context, but still did not succeed. Do you suggest a particular type of script that will help here?