Browser Autofill
Autofill credentials into Remote Browser Isolation sessions
KeeperPAM can automatically fill credentials into the target remote browser isolation session. Credentials are never exposed to the user - the Keeper Gateway performs the filling inside of the Chromium session, and the session is visually projected into the user's vault.
An example of an RBI record is below. This is an Amazon AWS login that will autofill a credential.
In order for the Keeper Gateway to autofill the credentials, the record must be added to a Shared Folder which is associated to the gateway.
In this example, the "craigdemouser" AWS identity is saved to a shared folder which is controlled by the Keeper Gateway:
The Shared Folder is shared to the Application holding the Keeper Gateway:
The Application is associated to the Keeper Gateway. This gives the Gateway the ability to access and decrypt any shared credentials.
To set up Autofill, edit the autofill settings by clicking on "Edit" in the PAM Settings section of the record.
The configuration of Remote Browser Isolation provides the ability to select which credential is filled.
When launching the session, the username and password for the AWS Console are autofilled within the isolated browser session. The credentials are not exposed to the user and the form fields cannot be inspected.
The autofill rules used by KCM are a JSON/YAML array of objects, where each object specifies at least the following property:
page
- The URL pattern of the page that the autofill rule applies to. The patterns accepted here are identical to the patterns accepted by the navigation/resource rules.
and one or more of the following properties:
username-field
- A CSS selector that matches the field that should receive the filled username. The Keeper Gateway will inject the value of the username field from the Keeper record.
password-field
- A CSS selector that matches the field that should receive the filled password. The value filled will be the value of the password parameter for the connection.
totp-code-field
- A CSS selector that matches the field that should receive the filled TOTP code. The value filled will be the value of the totp parameter for the connection.
submit
- A CSS selector for an element that should be clicked once all applicable username/password fields have been populated. This should only be specified if necessary (i.e., if the login page in question does not actually use a proper HTML <form>). When omitted, KCM will attempt to submit the login form as if the user pressed "Enter".
cannot-submit
- A CSS selector to tell KCM not to automatically submit the form as long as any matching element is present.
Basic Example: A single page web application with a Login and Password field:
Some login flows will require multiple rules. The Microsoft Azure Portal login flow is one example.
Here's a YAML example of the autofill rules that would be necessary for Microsoft Azure:
Here's the equivalent, formatted as JSON:
A common example where you would not want Keeper automatically submitting is when there's a captcha on the page. An example of this is below:
For unusually complex pages where CSS is not sufficient, XPath expressions may be used instead. Any such XPath expression must be constructed with a leading /.
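The rule format described above can be checked before it is saved to a record. The following is an added example, not Keeper's own code: it lints a rule set against the property list and the leading-/ XPath requirement on this page. The hostnames and selectors are constructed, the page pattern is only checked for presence, and the XPath detection is a heuristic.

```javascript
// Added example. Property names are the ones listed on this page; sample values are constructed.
const FIELD_PROPS = ["username-field", "password-field", "totp-code-field", "submit", "cannot-submit"];
const XPATH_HINT = /\[@|text\(\)|contains\(/; // heuristic: syntax that CSS selectors do not use

function validateAutofillRules(rules) {
  if (!Array.isArray(rules)) return ["rule set must be an array of objects"];
  const problems = [];
  rules.forEach((rule, i) => {
    if (rule === null || typeof rule !== "object" || Array.isArray(rule)) {
      problems.push(`rule ${i}: must be an object`);
      return;
    }
    if (typeof rule.page !== "string" || rule.page.trim() === "") {
      problems.push(`rule ${i}: missing "page" URL pattern`);
    }
    const present = FIELD_PROPS.filter((p) => p in rule);
    if (present.length === 0) {
      problems.push(`rule ${i}: no field, submit or cannot-submit selector`);
    }
    for (const key of Object.keys(rule)) {
      if (key !== "page" && !FIELD_PROPS.includes(key)) {
        problems.push(`rule ${i}: "${key}" is not a property described here (typo?)`);
      }
    }
    for (const p of present) {
      const sel = rule[p];
      if (typeof sel !== "string" || sel.trim() === "") {
        problems.push(`rule ${i}: "${p}" must be a non-empty selector string`);
      } else if (!sel.startsWith("/") && XPATH_HINT.test(sel)) {
        problems.push(`rule ${i}: "${p}" looks like XPath but lacks the leading /`);
      }
    }
  });
  return problems;
}
// Constructed two-step login flow on one host: username first, then password and TOTP.
const goodRules = [
  { page: "login.example.test", "username-field": "input[name='user']", submit: "#next" },
  { page: "login.example.test", "password-field": "input[autocomplete='current-password']",
    "totp-code-field": "//input[@id='otp']", "cannot-submit": ".captcha" },
];
// Constructed mistakes: misspelled key, XPath without the leading /, missing page.
const badRules = [
  { page: "login.example.test", password_field: "#pw" },
  { page: "login.example.test", "username-field": "input[@name='user']" },
  { "password-field": "#pw" },
];
console.log(validateAutofillRules(goodRules), validateAutofillRules(badRules));
```

A misspelled key such as password_field is reported twice: once as an unrecognised property and once because the rule is left with no selector to fill.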
Remote Browser Isolation will fill credentials based on the specific field elements defined in the JSON or YAML code. Form field selectors can be found by inspecting the content of the page and locating the specific field element.
Inspect the Page: Open the developer tools by right-clicking on the webpage and selecting "Inspect."
Select the Field: Use the element selector tool to click on the form field you want to identify.
Read the Attributes: Look at the highlighted HTML code to find attributes like autocomplete, type, name, id, or other identifiers.
Example 1: Using autocomplete
HTML Code: <input type="password" autocomplete="current-password" ...>
Explanation: The password field can be identified by the autocomplete attribute set to current-password.
Example 2: Using type
HTML Code: <input type="password" ...>
Explanation: The password field can be identified by the type attribute set to password.
Example 3: Using name
HTML Code: <input type="password" name="some_name_xyz" ...>
Explanation: The password field can be identified by the name attribute set to some_name_xyz.
Example 4: Using id
HTML Code: <input type="password" id="some_id_1234" ...>
Explanation: The password field can be identified by the id attribute set to some_id_1234.
Testing Field Identification
From your Chrome browser, open the developer tools and visit the Console tab.
To test the form field identification, use the document.querySelector() JavaScript command.
For example, type the below and press <enter>:
If the field is found, the DOM element will be displayed. Otherwise, an error will be displayed.
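A broader version of this console check, as an added example that is not from the original page: it uses querySelectorAll to report whether each candidate selector matches no element, exactly one, or several, since a selector such as the type-based one in Example 2 can match more than one field on the same page. The selectors listed are constructed samples taken from the examples above.

```javascript
// Added example: check candidate selectors for uniqueness before putting them in a rule.
// `doc` is any object with querySelectorAll (the page's `document` in the DevTools console).
function checkSelectors(doc, selectors) {
  return selectors.map((selector) => {
    let matches;
    try {
      matches = Array.from(doc.querySelectorAll(selector));
    } catch (err) {
      // A malformed selector throws instead of returning an empty result.
      return { selector, status: "invalid", detail: err.name };
    }
    if (matches.length === 0) return { selector, status: "no-match", detail: "" };
    // Summarise what was hit so a wrong element type is visible at a glance.
    const kinds = matches.map((el) => `${el.tagName.toLowerCase()}[type=${el.type || "n/a"}]`);
    return {
      selector,
      status: matches.length === 1 ? "unique" : "ambiguous",
      detail: kinds.join(", "),
    };
  });
}

// Runs only where a DOM exists, e.g. pasted into the console on the login page.
if (typeof document !== "undefined") {
  console.table(checkSelectors(document, [
    "input[autocomplete='current-password']",
    "input[type='password']",
    "#some_id_1234",
  ]));
}
```

A selector reported as ambiguous should be narrowed with an id, name or autocomplete attribute until it is unique.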