
Authentication

Authentication is one of the most common sources of load test failures. A test case recorded while you were logged in will fail with 401 or 403 errors on replay the moment authentication is not configured correctly for the virtual users. This section explains the authentication methods Load Tester supports and how to configure each one.


Why Authentication Matters for Load Testing

When you record a browser session, you authenticate once as yourself. When you run a load test, you're simulating thousands of users authenticating simultaneously, and Load Tester must replay that authentication flow for every single virtual user.

This creates three challenges:

  1. Dynamic credentials: Modern applications use tokens, session IDs, and challenge-response patterns that change with every authentication
  2. Stateful authentication: Servers track authentication state across multiple requests, requiring precise correlation
  3. Security layers: Applications use multiple authentication mechanisms (OAuth + MFA, certificates + form login) simultaneously

The good news: Load Tester's ASM automatically detects and configures authentication for most applications. The bad news: when automatic detection fails, you need to understand which authentication method your application uses and how to configure it manually.


Authentication Methods Load Tester Supports

Load Tester handles four categories of authentication, covering virtually all web applications:

1. Basic & Form-Based Authentication

What it is: Traditional username/password authentication where credentials are submitted via HTTP Basic Auth, HTML forms, or Windows/NTLM authentication.

When to use this guide:

  • Application shows username/password login form
  • Browser prompts for credentials before accessing the site
  • Windows integrated authentication (NTLM, Kerberos)
  • HTTP digest authentication

How it works: Load Tester captures credentials during recording and replays them for each virtual user, handling NTLM handshakes and form submissions automatically.

→ Read: Basic/Form Authentication


2. OAuth & Bearer Tokens

What it is: Modern token-based authentication using the OAuth 2.0 protocol, where the client exchanges credentials (or an authorization code) for an access token and sends it as a Bearer token on subsequent requests.

When to use this guide:

  • Application uses OAuth 2.0 authentication
  • You see Authorization: Bearer <token> headers in requests
  • Application redirects to external identity provider during login
  • Replay fails with 401 errors because the Authorization header is missing or still carries the token captured at recording time, which has since expired

How it works: Load Tester includes 14 specialized OAuth detection rules that automatically extract access tokens, refresh tokens, and JWTs from JSON/XML responses and inject them into the Authorization header of later requests.

v7.0 enhancement: Automatic OAuth detection handles 90% of OAuth implementations without manual configuration.

→ Read: OAuth & Bearer Tokens


3. Client Certificates

What it is: Certificate-based authentication (mutual TLS), where the server requires the client to present an X.509 certificate, and prove possession of its private key, during the TLS handshake. The certificate and private key are usually supplied together as a password-protected .p12 or .pfx bundle.

When to use this guide:

  • Application requires client-side certificate installation
  • Browser prompts to select a certificate when accessing the site
  • Authentication uses mutual TLS (mTLS)
  • Application is internal/enterprise with PKI infrastructure

How it works: Load Tester imports the client certificate together with its private key and presents it during the TLS handshake for every virtual user. Treat the .p12/.pfx file and its password as secrets: anyone holding them can authenticate as that identity.

→ Read: Client Certificates


4. SSO & Modern Auth Patterns

What it is: Single Sign-On (SSO), SAML, OpenID Connect (OIDC), and multi-factor authentication (MFA) patterns used by enterprise applications.

When to use this guide:

  • Application uses SSO provider (Okta, Auth0, Azure AD, Google, Microsoft)
  • Authentication involves SAML assertions (XML documents)
  • OpenID Connect (OIDC) authentication flow
  • Multi-factor authentication (MFA) with authenticator apps or SMS codes

How it works: OIDC is built on OAuth 2.0, so an OIDC login ends in an access token (and an ID token, itself a JWT) that Load Tester's OAuth detection rules extract and inject automatically. SAML is a separate, XML-based protocol: the identity provider returns a signed assertion that the browser POSTs to the application, which then typically issues its own session cookie, so what must be correlated is session state rather than an OAuth token. MFA adds a step (a one-time code or push approval) that virtual users cannot complete on their own, so plan how your test accounts will satisfy it before recording. In every case your job is to record the complete login flow, from a logged-out state to the first authenticated request, so the token or session is captured.

Key insight: whatever the protocol, every SSO flow ends in a credential the application trusts on later requests, a Bearer token or a session cookie, and that credential is what has to be correlated.

→ Read: SSO & Modern Auth Patterns


How to Identify Your Application's Authentication Method

Not sure which method your application uses? Follow this decision tree:

  1. Does the browser prompt for a certificate when accessing the site?
     Yes → Your application uses Client Certificates
     No → Continue to #2

  2. Do you see Authorization: Bearer <token> in request headers?
     Yes → Your application uses OAuth & Bearer Tokens
     No → Continue to #3

  3. Does login redirect to an external provider (Okta, Google, Microsoft, etc.)?
     Yes → Your application uses SSO & Modern Auth
     No → Continue to #4

  4. Do you authenticate with username/password on the application's own login page?
     Yes → Your application uses Basic/Form Authentication

The order matters: an SSO login that ends in a Bearer token matches #2 first, which is intended, because the OAuth detection rules handle the token once the full flow has been recorded.

Still not sure? The AI Assistant can analyze your test case and identify the authentication method. See below.
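The decision tree above, applied mechanically to a recorded test case. This is an added example, not Load Tester code or part of the AI Assistant: the transaction format (a list of dicts with request and response parts), the identity-provider host list, and the sample recordings are all constructed for this example.

```python
"""Walk this page's authentication decision tree over a recorded test case.

Added example, not Load Tester code.  The transaction format (a list of
dicts with 'request' and 'response') and the identity-provider host list
are assumptions made for this example.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hosted identity providers named on this page; add your own IdP host here.
IDP_HOSTS = ("okta.com", "auth0.com", "login.microsoftonline.com",
             "accounts.google.com")
# A JWT is three base64url segments joined by dots (signature may be empty).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _lower(headers):
    """Header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def _is_idp(host):
    return any(host == h or host.endswith("." + h) for h in IDP_HOSTS)


def classify(transactions, client_cert_prompted=False):
    """Return (method, evidence) in the tree's order: client certificate,
    Bearer token, SSO redirect or SAML post, then form/basic login."""
    if client_cert_prompted:                       # question 1
        return "client-certificate", "browser prompted for a certificate"

    for t in transactions:                         # question 2
        auth = _lower(t["request"].get("headers", {})).get("authorization", "")
        if auth.lower().startswith("bearer "):
            kind = "JWT" if JWT_RE.match(auth.split(None, 1)[1]) else "opaque"
            return "oauth-bearer", f"Bearer {kind} token sent to {t['request']['url']}"

    for t in transactions:                         # question 3
        resp = t["response"]
        if resp["status"] in (301, 302, 303, 307):
            host = urlparse(_lower(resp.get("headers", {})).get("location", "")).hostname or ""
            if _is_idp(host):
                return "sso", f"login redirects to {host}"
        if "SAMLResponse" in parse_qs(t["request"].get("body", "")):
            return "sso", "SAMLResponse posted to the application (SAML assertion)"

    for t in transactions:                         # question 4
        challenge = _lower(t["response"].get("headers", {})).get("www-authenticate", "")
        if challenge:
            return "basic-form", f"{challenge.split()[0]} challenge from the server"
        req = t["request"]
        posted = parse_qs(req.get("body", "")).keys()
        if req["method"] == "POST" and posted & {"password", "passwd", "pwd"}:
            return "basic-form", f"password posted to {req['url']}"

    return "unknown", "no authentication evidence in the recording; re-record from a logged-out state"


def _tx(method, url, status, req_headers=None, resp_headers=None, body=""):
    """Build one constructed transaction for the samples below."""
    return {"request": {"method": method, "url": url, "headers": req_headers or {}, "body": body},
            "response": {"status": status, "headers": resp_headers or {}}}


# Constructed recordings (not real captures), one per branch of the tree.
SAMPLE_RECORDINGS = {
    "api": [_tx("POST", "https://app.example/oauth/token", 200, body="grant_type=password&password=p"),
            _tx("GET", "https://app.example/api/orders", 200,
                {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1In0.c2ln"})],
    "saml": [_tx("GET", "https://app.example/login", 302,
                 resp_headers={"Location": "https://dev-1.okta.com/app/sso/saml"})],
    "intranet": [_tx("GET", "https://intranet.example/", 401, resp_headers={"WWW-Authenticate": "NTLM"})],
    "form": [_tx("POST", "https://shop.example/login", 302, body="username=alice&password=s3cret",
                 resp_headers={"Location": "/account"})],
}

if __name__ == "__main__":
    for name, recording in SAMPLE_RECORDINGS.items():
        print(f"{name:9s} -> {classify(recording)}")
```

Note how the "api" recording contains a password POST as well as a Bearer header: because question 2 is asked before question 4, it is classified as OAuth, which is the guide you want for a password-grant token exchange.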


AI Assistant for Authentication

The AI Assistant can help identify authentication methods, troubleshoot 401/403 errors, and configure authentication when ASM doesn't detect it automatically.

Ask the AI to Identify Authentication Method

If you're not sure which authentication method your application uses:

I recorded a test case for [application name] but replay fails with 401
errors. Can you analyze the test case and tell me which authentication
method this application uses?

The AI can:

  • Analyze request/response patterns to identify auth method
  • Check for OAuth tokens, SAML assertions, or certificates
  • Recommend which authentication guide to follow
  • Explain WHY a specific auth method was detected

Ask the AI to Troubleshoot Authentication Failures

If replay fails with 401 or 403 errors after configuring authentication:

My replay is failing with 401 errors on transaction #5. I configured
OAuth authentication but it's still not working. Can you help?

The AI can:

  • Identify missing or misconfigured authentication fields
  • Check if OAuth detection rules need to be enabled
  • Analyze correlation issues (expired tokens, missing credentials)
  • Suggest specific ASM rules or manual configuration steps

Ask the AI to Configure Authentication Manually

If ASM doesn't detect your authentication automatically:

ASM didn't detect the OAuth token in my test case. The token is in a
JSON response field called 'sessionToken'. Can you help me configure
extraction and correlation manually?

The AI can:

  • Create custom extractors for non-standard token fields
  • Configure field assignments to inject tokens into headers
  • Enable specific detection rules for your authentication pattern
  • Re-run ASM after configuration changes
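What the OAuth detection rules described under "OAuth & Bearer Tokens" are doing, and what the manual 'sessionToken' configuration in the prompt above asks for, shown as plain code. This is an added example, not Load Tester's ASM rules or the AI Assistant's output: the TOKEN_FIELDS list, the login responses and the recorded requests are constructed for this example. It also covers the expired-token case from the troubleshooting prompt: the token captured during recording is stale, so every virtual user must use the token from its own live login response.

```python
"""Extract a token from a login response and correlate it into later requests.

Added example, not Load Tester's ASM rules.  It mimics what the OAuth
detection rules do (find the token in a JSON body, inject it as
Authorization: Bearer on later requests) for a standard access_token
field and for the non-standard sessionToken field from the prompt above.
TOKEN_FIELDS, the sample responses and the sample requests are
constructed for this example.
"""
import base64
import json
import time
from urllib.parse import urlparse

# Field names a built-in rule might look for, most specific first.
TOKEN_FIELDS = ("access_token", "accessToken", "id_token", "token")
REFRESH_FIELDS = ("refresh_token", "refreshToken")


def find_field(obj, names):
    """Depth-first search of parsed JSON for the first key in `names` with a string value."""
    if isinstance(obj, dict):
        for name in names:
            if isinstance(obj.get(name), str):
                return obj[name]
        children = obj.values()
    elif isinstance(obj, list):
        children = obj
    else:
        return None
    for child in children:
        found = find_field(child, names)
        if found is not None:
            return found
    return None


def extract_tokens(response_body, extra_fields=()):
    """Custom field names (your app's 'sessionToken') are tried before the defaults."""
    doc = json.loads(response_body)
    return {"access": find_field(doc, tuple(extra_fields) + TOKEN_FIELDS),
            "refresh": find_field(doc, REFRESH_FIELDS)}


def jwt_expiry(token):
    """Return the 'exp' claim of a JWT, or None for an opaque token.
    The signature is not verified; this only decides whether a refresh is due."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:                                  # bad base64 or not JSON
        return None
    return claims.get("exp") if isinstance(claims, dict) else None


def correlate(requests, token, api_origin):
    """Inject the live token into every request to api_origin, replacing the stale
    recorded value.  Other origins are left untouched so the token does not leak
    to a CDN or third party."""
    out = []
    for r in requests:
        r = {**r, "headers": dict(r["headers"])}
        u = urlparse(r["url"])
        if f"{u.scheme}://{u.netloc}" == api_origin:
            r["headers"]["Authorization"] = f"Bearer {token}"
        out.append(r)
    return out


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Constructed sample JWT (alg none, empty signature); never accept these in production."""
    header = _b64url(b'{"alg":"none"}')
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed responses: the recording holds a JWT that expired long ago; the
# live response on replay uses a non-standard field name.
RECORDED_LOGIN = json.dumps({"access_token": make_unsigned_jwt({"sub": "alice", "exp": 1700000000}),
                             "refresh_token": "rt-recorded"})
LIVE_LOGIN_CUSTOM = json.dumps({"data": {"user": "alice", "sessionToken": "opaque-live-123"}})
RECORDED_REQUESTS = [
    {"method": "GET", "url": "https://api.example/orders", "headers": {"Authorization": "Bearer stale"}},
    {"method": "GET", "url": "https://cdn.example/app.js", "headers": {}},
]


def replay_plan(login_body, custom_field=None):
    """What a virtual user should send after its own login response arrives."""
    tokens = extract_tokens(login_body, (custom_field,) if custom_field else ())
    exp = jwt_expiry(tokens["access"]) if tokens["access"] else None
    requests = correlate(RECORDED_REQUESTS, tokens["access"], "https://api.example") \
        if tokens["access"] else list(RECORDED_REQUESTS)   # nothing found: replay will 401
    return {"token": tokens["access"], "refresh": tokens["refresh"],
            "expired": exp is not None and exp < time.time(), "requests": requests}


if __name__ == "__main__":
    print("recorded token expired:", replay_plan(RECORDED_LOGIN)["expired"])
    print("default rules on custom field:", replay_plan(LIVE_LOGIN_CUSTOM)["token"])
    print("with sessionToken extractor:", replay_plan(LIVE_LOGIN_CUSTOM, "sessionToken")["requests"][0])
```

With the default field list the custom response yields no token and the replay keeps the recorded "Bearer stale" header, which is exactly the 401 the troubleshooting prompt describes; adding 'sessionToken' as an extra field fixes it. Note that jwt_expiry deliberately does not verify the signature: a load generator only needs the exp claim to know when to refresh, whereas the server must verify it.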

Next Steps

Choose the authentication guide that matches your application:

  1. Basic/Form Authentication - Username/password login, Windows auth, HTTP Basic/Digest
  2. OAuth & Bearer Tokens - Modern token-based authentication, API authentication
  3. Client Certificates - Certificate-based authentication, mutual TLS
  4. SSO & Modern Auth - SAML, OIDC, Okta, Azure AD, MFA

If you're not sure, start with OAuth & Bearer Tokens, since token-based authentication is the most common method in modern web applications and APIs.

After configuring authentication, verify your test case replays successfully by following Running a Replay. All transactions should show green (success) in the Replay View before proceeding to load testing.