Performance test scripting for Mobile app - HTTP 560 error

0
We are having some trouble with creating performance test scripts (HTTP calls, using LoadRunner) for a native mobile application that runs on a tablet.

The situation:

The app makes a call to https://[redacted].hana.ondemand.com/xas/, using a specific operationId (9kdzkhkm6Femw3p78D6erw), that returns a json containing which URL to use to log in. This returns a json with a URL for logging in, which has the format (where {state} and {nonce} are dynamic values):

https://mendix-apps-[redacted].authentication.eu10.hana.ondemand.com/oauth/authorize?response_type=code&response_mode=query&client_id=[redacted]&redirect_uri=[applicationname]%3A//[redacted].cfapps.eu10.hana.ondemand.com/xsauaacallback/&display=page&scope=&state={state}2&nonce={nonce}

This URL is opened in a browser, and redirects to Microsoft login. When this login is completed within the login.microsoftonline.com domain, we end up with a SAMLResponse. This SAML is then used to log in, by posting it to:

https://mendix-apps-qas-[redacted].authentication.eu10.hana.ondemand.com/saml/SSO/alias/mendix-apps-qas-[redacted].aws-live-eu10

This POST request does two redirects; the URLs for the redirects contain a URL argument named 'code', which is the token that is needed for authentication. The second redirect is to a URL starting with [applicationname]://, which will trigger the app to open. This cannot be used in our performance test tooling.

[applicationname]://[redacted].cfapps.eu10.hana.ondemand.com/xsauaacallback/&code={code}

We tried to replace [applicationname]:// with https://, but that request returns an HTTP code 560, which is a specific Mendix response code. The xsauaacallback is related to the Mendix SAP connector. We need a final request to the xsauaacallback to get the XASSESSIONID cookie and an x-csrf-token header, which are both needed for authentication.

Our questions:
- What is the cause of the HTTP 560 error?
- What does the app do with that [applicationname]:// redirect?
Our guess is that it does an additional https request, but it does not show up in our recordings.
asked
1 answers
0

Hi Jasper, for the 560 response code, you should be able to find an exception in the Mendix Runtime log on your servers. I suspect it simply talks about that URL being invalid for a Mendix application.

For the performance testing, I wonder if having the proper SSO authentication is important enough to get working with the performance test. It depends on where you see the highest risk. Classically, the main risks in a custom application like this lie in the interaction between Client, Runtime and Database, e.g. queries, data volumes, concurrency, perhaps integrations. If possible I would consider adding a second login method to the performance testing environment with username/password or similar authentication and of course only have them in the test environment. If you're able to record the actions the Native Mobile Client sends to the Runtime after authentication, then you're usually all set for testing all that happens after authentication.

If you however have done a lot of customisations for the authentication or see some risk there, I would consider designing a specific performance test for that part by itself, rather than combining it with the performance test for the actual application performance. I don't know what that custom URL does, but probably someone here knows more. Can you trigger the same authentication sequence from a desktop browser where you might have easier insight into the details?

Hope it helps!

answered
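
The redirect chain described in the question, as an added example that is not part of the original thread or of Mendix's or LoadRunner's code: a test script can read the `code` argument from the `Location` headers and stop at the custom-scheme hop instead of following it. Python is used only for illustration; the `myapp` scheme, the host names and the code value are constructed placeholders, and the fallback for a callback written with `&code=` and no `?` is an assumption based on how the URL appears in the question.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: (status, Location) of the two redirects that follow the
# SAML POST. Scheme "myapp", hosts and the code value are placeholders.
SAMPLE_HOPS = [
    (302, "https://auth.example.invalid/login/callback?code=CONSTRUCTED123&state=abc"),
    (302, "myapp://app.example.invalid/xsauaacallback/&code=CONSTRUCTED123"),
]

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def params_from_location(location):
    """Return (scheme, params) for one Location header value."""
    parts = urlsplit(location)
    query = parts.query
    if not query and "&" in parts.path:
        # Assumption: the callback in the question is written
        # ".../xsauaacallback/&code=..." with no "?", so the arguments
        # land in the path component rather than the query string.
        query = parts.path.split("&", 1)[1]
    params = {key: values[0] for key, values in parse_qs(query).items()}
    return parts.scheme.lower(), params


def capture_code(hops):
    """Walk the hops and stop at the first redirect that is not HTTP(S)."""
    code = None
    for status, location in hops:
        if status not in REDIRECT_STATUSES:
            break
        scheme, params = params_from_location(location)
        code = params.get("code", code)
        if scheme not in ("http", "https"):
            # Custom scheme: an HTTP client cannot follow this hop; per the
            # question it triggers the app to open. Record it and stop.
            return {"code": code, "custom_scheme": scheme, "stopped_at": location}
    return {"code": code, "custom_scheme": None, "stopped_at": None}


if __name__ == "__main__":
    print(capture_code(SAMPLE_HOPS))
```

This only captures the value and shows where an HTTP client has to stop; what the app does with the code after the custom-scheme redirect is not covered by the thread.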