Inconsistency logging in to Workday in Safepay because of need to launch external app (Okta)

Defender of the month ✭✭✭
edited February 16 in Utilities

I usually sign in to myworkday.com in an ordinary web browser. Login uses MFA, specifically username, password and one further authentication. The latter can be a one-time code, but in my case my laptop has been set up with an Okta "app" that is launched by the browser, and in turn authenticates the login merely by the user clicking to confirm that they're indeed trying to log in.

Workday is used for tasks such as logging employee payment claims, reviewing payslips, and changing bank account information. So it occurred to me that maybe I should try doing this in Safepay.

On the first couple of attempts I could not log in, and Safepay displayed a message saying that it was because Safepay was unable to launch external apps …or words to that effect.

When I subsequently tried to replicate the steps in order to confirm the precise phrasing (so that I could post it here), to my surprise the message wasn't displayed, and when I <Alt><Tab>ed out of Safepay I discovered that Okta had been launched!

So what is happening here?

Why did my login attempts initially fail, with an error message about Safepay being unable to launch external apps?

Moreover, why did Safepay subsequently allow Okta to launch, allow Okta to authenticate my login attempt, and successfully log me in to Workday?

What is actually supposed to happen by design?

Comments

  • Defender of the month mod

    @camarie @Alexandru_BD Any thoughts on this issue? Thanks.

  • Principal Software Developer BD Staff

    Launching external applications requires an external protocol, and the registered protocol (usually implemented in a dll) launches such applications. I suppose this is the case, but I have to test it to be sure.

    Safepay attempts to control what external protocols are launched, but some of these are circumventing the implementation and are implemented directly in the Chrome layer (without entering into too much detail, until Chromium 123, if I remember correctly, it was completely self-contained in its independent, non-100% Chromium mode, so to speak). When I added support for password manager extensions, combined with the fact that Chrome extensions support requires "Chrome" mode (as opposed to the contained mode - codename "Alloy"), I suspect this is no longer propagated (or, at least, not in this case) to the Safepay implementation.

    (Not to be ignored is also the fact that virtually nobody cares about being in a separate desktop - as Safepay is - and happily launches whatever executables into the default desktop, without checking the original desktop, and I had to do really hard implementations - self-patching process creation, for example - in order to capture the process creation and redirect them to the secure desktop).

    I suppose your use case simply hit a route on which I have to 1. decipher how this is behaving and 2. add extra code to capture, if possible, this behavior and reroute the Okta executable into the secure desktop, if that would be possible (or at least detect such a case and notify or switch the user to the desktop where the Okta executable is launched, so that the user can perform the input and switch back into Safepay). If the first part is successful, I might be able to reroute it into the secure desktop, but that might conflict with another feature of Safepay - detection of foreign executables that are launching into the secure desktop, where they are detected, analysed for digital signature, reputation etc. and if they are detected as untrusted or malware, the user is notified and the process might be killed if the user wants to. It is quite a lot of work, I won't hide that from you, but I will check it and find a solution.

    Meanwhile, is it ok for you to open a support ticket, describing your use case and the problem itself? That would be a real help, not to mention it will make it official and therefore I can start working on it.

  • Defender of the month ✭✭✭

    Thanks, @camarie.

    What you say helps to explain the situation.

    From your description, I gather that the ideal design for Safepay would be

    • a small number of third-party executables (e.g., password manager extensions) should be launched from Safepay as needed (when triggered by certain websites), but only into the secure desktop; whereas
    • most third-party executables (e.g., media players?, PDF viewers?) would be prevented from launching at all (in any desktop).

    For completeness, I think there's one thing that Safepay is designed to launch into the default desktop, which is the File Explorer. Sample workflow: user opens Safepay; user browses a website; user prints website to PDF; Safepay automatically saves PDF file to a "secure" folder; from Safepay the user can launch File Explorer into the default desktop to view the "secure" folder. Similarly when downloading files from within Safepay.

    I accept your description that carefully implementing such a design is not a simple task, and I thank you for looking into it.

    Yes, I will open up a Support Ticket about this, as you suggest. I will have to check first where to do that….

  • Defender of the month ✭✭✭

    OK, I thought it would be easy to find where to submit a ticket, but maybe not.

    So far it seems:

    • I can do it by "chat", which seems a bit weird and — mostly — quite an unexpected way to submit a "formal" request. Here is what the AI bot responded with in a test: "By starting this chat, you've already contacted the Support Team. Once this session ends, a support ticket will automatically be created, and you'll receive an email confirmation with the transcript and ticket ID. If you need to follow up on a previous ticket, you can reply to the last email you received from our support team."
    • I can email Bitdefender, which also seems like not the most common way of submitting a request in my previous experience with online customer support facilities.

    However, in both instances I have to navigate from https://www.bitdefender.com.au/consumer/support/help-au/ through various hurdles until the links to chat or email are provided.

    Isn't there a webform?

  • Principal Software Developer BD Staff

    I think the support ticket opening via form can be done by

    • navigate to https://www.bitdefender.com.au/consumer/support/help-au/
    • scroll down to Get help with and click on Protection for Windows
    • this should navigate to https://www.bitdefender.com.au/consumer/support/get-help-ts-au/ and here scroll down to Need help from an expert? and click on Contact Bitdefender Support
    • this will open a new form with the first step 1. What do you need help with? - here click on How to's & Troubleshooting Bitdefender Products
    • this will lead to the next step 2. Type of issue: and here click on Troubleshooting; now click on the product version you have (ex.: Bitdefender Total Security) and then click on Contact support
    • finally, you will be presented with the options of Chat, Call us and Send us an email! - click on the latter and fill in the Email Address, Message (describing the issue) and the support log, which I very strongly encourage you to do, as well as the screenshots if you have recorded any.

    Yes, I understand that these steps might be seen as somewhat convoluted, and yes, there are a number of steps to go through. But if users help us with the log files, screenshots and feedback, this greatly helps us to understand and fix issues such as this one.

  • Defender of the month ✭✭✭

    Thanks, @camarie.

    Not sure how, but the link I navigated to originally (https://www.bitdefender.com.au/consumer/support/help-au/) does not show what you describe at the second bullet point. Here is the entirety of what I can see

    (As I progressed through the instructions, I discovered that the above corresponds to your fourth bullet point!)

    ——————

    So I went back to the main site (https://www.bitdefender.com, which redirected me to https://www.bitdefender.com/en-au/ [probably because of my previous preference selection]) and clicked on "Support", and then chose "Support for Home Products" (rather than "Business").

    That took me to https://www.bitdefender.com.au/consumer/support/, which did have the content you described.

    In hindsight I think what happened was that I inspected the first few options on the page, couldn't see a perfect match for what I was looking for, and so I chose "… Troubleshooting", which seemed like the closest.

    "Discover More Resources" and "Get help with [… answers to FAQs]" I probably thought would just open up a knowledgebase / FAQ resources.

    ——————

    On my first attempt, I followed a different route that did not include your fifth bullet point, but still reached the options in your sixth bullet point.

    I hadn't clicked on the "Send us an email!" option, because I assumed it would just display a Bitdefender email address for me to write to (or perhaps try to open up my local email client application); I did not associate that wording with a webform.

    Unfortunately it's quite troublesome to send screenshots within the secure desktop, because AFAIK the only way to do this is to run Bitdefender within a virtual machine.

    Anyway, I'll submit something, and if more information is needed, then it can be mentioned in a response on the Ticket.

  • Principal Software Developer BD Staff

    Perfect, thank you very much. About the secure desktop screenshots, phone would be the easiest choice. But if it's too much trouble we can do without it for now.

  • Defender of the month ✭✭✭

    For the record, I managed to kind-of reproduce the issue.

    The full error message from Safepay is:

    External protocol error
    Bitdefender Safepay™ will not launch the external application.
    Reason: URL scheme not supported.

    Just in case anyone else encounters the same error message and searches for those phrases.

  • Principal Software Developer BD Staff

    That's the one! This confirms my initial supposition that it is an externally registered protocol.

    Most likely the application registers a protocol something like okta:// (I'm starting to invent names here), implemented in (let's call it) oktaauth.dll which handles these URLs. Authentication navigates to some okta://doAuth?userID=<id>&<other_things> which is intercepted first by Chrome and passed to Safepay, which maintains a (small) list of external protocol handlers.

    Now it is only a matter of reproducing the issue, checking what protocol is used and examining the behavior, then integrating support for the application launch and hopefully having it all working correctly together.

    I am filing the issue myself right now and will then talk to the support guys to speed up the resolution process. Many thanks for reproducing this and for the great feedback to diagnose it.
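The two developer replies above describe the mechanism behind the "URL scheme not supported" error: an external application registers a URL protocol handler in the Windows registry, the browser hands a matching URL to it, and Safepay only permits schemes on its own allow-list. The script below is an added example, not Bitdefender or Okta code; it enumerates the URL protocol handlers registered on the local machine so an administrator can see which scheme a login flow hands off and which executable would receive it. The scheme name 'okta' used at the end is an illustrative guess, as the thread does not state the real one.

```powershell
# Added example (not Safepay or Okta code). Lists URL protocol handlers registered on
# this Windows machine. A class key is a protocol handler only when it carries the
# "URL Protocol" value; the launched command lives under shell\open\command.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Optional: restrict output to one scheme (e.g. 'mailto', 'ms-settings')
        [string]$Scheme
    )

    # Per-user registrations shadow machine-wide ones, so inspect both hives;
    # HKCR is only the merged view of these two locations.
    $roots = @('HKCU:\Software\Classes', 'HKLM:\Software\Classes')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($Scheme -and $key.PSChildName -ne $Scheme) { return }
            # Skip ordinary file-type and COM class keys
            if ($null -eq $key.GetValue('URL Protocol')) { return }

            $cmdKey  = "$root\$($key.PSChildName)\shell\open\command"
            $command = $null
            if (Test-Path $cmdKey) {
                $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            }
            [pscustomobject]@{
                Scheme  = $key.PSChildName
                Hive    = $root
                Command = $command   # executable that receives the full URL (%1)
            }
        }
    }
}

# Full inventory, then a lookup for one scheme; 'okta' is an assumed example name.
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize
Get-UrlProtocolHandler -Scheme 'okta'
```

Comparing this inventory against the schemes a hardened browser is allowed to hand off shows exactly which login flows will be blocked and which executable would be started if they were not.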
