You can configure Testsigma to allow Single Sign-On (SSO) for your users. This way, they do not have to maintain separate login credentials for Testsigma if SSO is already configured in your organisation. The user is authenticated by the SAML provider you configure on your side, and user attributes such as the email address are sent back to Testsigma.
Here are a few entities that you need to be aware of before we move on to the details:
|A user||The person requesting access to the service. In this case, the Testsigma App user.|
|A service provider (SP)||The application providing the service or protecting the resource. In this case, the Testsigma App.|
|An identity provider (IdP)||The service/repository that manages the user information. It may be Okta, OneLogin, Azure AD, or an in-house IdP/IAM implementation.|
|Entity ID||Entity ID is an identifier (an alphanumeric string) given by the Service Provider (SP) that uniquely identifies it. It's often part of a metadata file (an XML file with a certificate, entity ID, and endpoint URLs). You would get this from the IdP (Okta, OneLogin, etc.).|
Adding Testsigma App to OKTA
We suggest that you check with your IT team before trying the steps below, since they might have exclusive admin access to the IdP configuration. The steps below apply to the Classic UI in OKTA. If you are on the modern UI, please change to the Classic UI first.
1. First of all, log in to the Admin Console in OKTA.
2. In the Admin Console, go to Applications and click the Add Application button.
3. Click the Create new App button in the top-right corner.
4. Select Platform as 'Web'. In the Sign On Method, select the 'SAML 2.0' radio button and click on Create.
5. Fill in the details in the General Settings tab and press Next.
6. In the SAML Settings, enter the following details:
Single Sign-on URL: https://app.testsigma.com/saml/<id>/callback
Audience URI: https://app.testsigma.com/saml/<id>/metadata
Default Relay State: https://app.testsigma.com/saml/<id>/login
Name ID Format: EmailAddress
Application Username: Okta Username
At this stage, you can proceed with a sample value such as '1' for the <id>. The next section, Enabling SSO in Testsigma, shows where to find the correct <id> value. You can then replace the value 1 with the correct value in your OKTA SAML Settings.
7. On the next page, select 'I'm an OKTA User and adding an Internal App' and also 'This is an internal app that we have created'.
8. Click on Finish. Settings will be saved and you will be taken to the Sign On Methods.
9. Click on 'View Setup Instructions' to view the details that need to be entered in the Testsigma SSO Configuration page. This page gives you the 'Entity ID', 'SSO URL' and 'SAML Certificate' that are to be entered in the Testsigma App, as shown below:
10. Note down this information to enter it on the Testsigma SAML SSO Configuration page. Now, let's move on to the configuration inside the Testsigma App in the section below.
Enabling SSO in Testsigma
Navigation: Configuration > Security
The security page looks as shown below if SSO has not been enabled yet:
1. Click on the Setup button to go to the Identity Provider (IdP) selection page. You have two options here: Google and SAML. This article covers only the SAML method.
2. Select the SAML radio button to choose the SAML login option. You need to enter the Entity ID, SSO URL and SAML Certificate you got from the last step in the previous section.
3. After entering all the details, click on the Confirm button. You will see the page below after clicking on the Confirm button.
4. As shown in the above screenshot, get the ID for your account and update it in the SAML Settings of your OKTA App for Testsigma, as shown below:
Please open a new Chrome Incognito window or a different browser and try signing into Testsigma using OKTA before you log out of the current session. Otherwise, you will be locked out due to incorrect configuration. If you are locked out due to misconfiguration, contact Testsigma Support.
SAML login is enabled for your Testsigma account now. From this stage, every user in your account would need to log in using the SSO Provider once they log out from the existing session.
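The step where the sample <id> of '1' is replaced with the real account ID is where a mismatch between the three OKTA SAML fields is easiest to introduce. The check below is an added example, not Testsigma or OKTA code: the function name `check_saml_settings`, the account ID `4821`, and the strict host match are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Last path segment each OKTA SAML field must carry (values from step 6).
EXPECTED_SUFFIX = {
    "Single Sign-on URL": "callback",
    "Audience URI": "metadata",
    "Default Relay State": "login",
}
PATH_RE = re.compile(r"/saml/([^/]+)/([a-z]+)")


def check_saml_settings(settings, account_id):
    """Hypothetical helper: return a list of problems, empty if consistent."""
    acct = str(account_id)
    problems = []
    for field, suffix in EXPECTED_SUFFIX.items():
        url = settings.get(field, "")
        parts = urlsplit(url)
        # Exact scheme and host; this also rejects ports and lookalike hosts.
        if parts.scheme != "https" or parts.netloc != "app.testsigma.com":
            problems.append(f"{field}: not an https://app.testsigma.com URL: {url!r}")
            continue
        m = PATH_RE.fullmatch(parts.path)
        if m is None or m.group(2) != suffix or parts.query or parts.fragment:
            problems.append(f"{field}: expected path /saml/<id>/{suffix}")
        elif m.group(1) != acct:
            # Typical cause: the sample '1' was never replaced in this field.
            problems.append(f"{field}: id {m.group(1)!r} is not account id {acct!r}")
    return problems


# Constructed sample: account ID 4821 is made up, and the Audience URI still
# carries the sample '1' from step 6.
SAMPLE = {
    "Single Sign-on URL": "https://app.testsigma.com/saml/4821/callback",
    "Audience URI": "https://app.testsigma.com/saml/1/metadata",
    "Default Relay State": "https://app.testsigma.com/saml/4821/login",
}

if __name__ == "__main__":
    for problem in check_saml_settings(SAMPLE, "4821"):
        print("MISMATCH:", problem)
```

Run it against the values copied from the OKTA SAML Settings page before the incognito sign-in test; an empty result means all three URLs point at the same account ID.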