You can configure Testsigma to allow Single Sign On(SSO) for your users. This way, they do not have to provide separate login credentials for Testsigma if you already have SSO configured in their organisation. The authentication of the user is done by any SAML provider you configure on your side and the user attributes like Email address are sent back to Testsigma.


TABLE OF CONTENTS


Terminology

Here are a few entities that you need to be aware of before we move onto the details:

A user

The person requesting access to the service. In this case, Testsigma App User

A service provider(SP)

The application providing the service or protecting the resource. In this case, Testsigma App

An identity provider(IdP)

The service/ repository that manages the user information. It may be Okta, Onelogin, Azure AD, or an in-house IdP/IAM Implementation

Entity IDEntity ID is an identifier(an alphanumeric string) given by the Service Provider (SP) that uniquely identifies it. It's often part of a metadata file (an XML file with a certificate, entity ID, and endpoint URLs). You would get this from the IP (Okta, Onelogin e.t.c).



Prerequisites

- Azure Account with Active Directory enabled

- Admin Access to Azure Account


Since incorrect SAML Configuration can lock you out of the Testsigma Account, we would suggest you keep a failsafe browser open as mentioned below before testing the setup.


Failsafe Browser Session

Since incorrect configuration can lock you out of Testsigma Account and you would need to get the account unlocked by contacting Testsigma Support, it is better to keep a failsafe before setting up and testing the SAML-based Login.


The failsafe is nothing but a separate Browser Session with Testsigma App logged in (if your default browser is Chrome, use Mozilla Firefox/Edge/Safari for the failsafe session and vice versa)


If the setup is incorrect and the SAML login doesn't work from Azure, you can Disable the SAML Login from this failsafe Browser Session by navigating to Configuration > Security and clicking on Disable button.

Leap UI - Security - Screenshot

Once the failsafe is set up as shown above, you can move onto the next section to setup SAML.


Steps to setup SAML login

I. Adding Testsigma Enterprise Application

1. Login to Azure portal using the following URL - https://portal.azure.com

You will be taken to the Home page as shown below(Looks may vary according to the selected theme):

    


2. Type in Active Directory in the Search Box and select the Azure Active Directory service to go to the Overview page for Active Directory as shown below:



3. Click on Enterprise Applications under Manage on the left side navigation bar. This will take us to the list of Enterprise Applications in the Azure Active Directory(AD). Now, we need to create a new Application in this list for Testsigma.


4. Click on the New Application button above the list of Applications to add Testsigma.

 

5. From the Browse Azure AD Gallery page, click on Create your own Application button on the top.


6. In the Overlay that opens up on right, enter a name for your App - Testsigma, select the third option - Integrate any other Application(Non-gallery), and click on Create Button.

Now, you can get back to the list of Enterprise Application. Testsigma Application has been added to the list of Enterprise Applications now. If you don't see it yet, reload the page once.


II. Adding Users to the Enterprise Application

1. From the list of Enterprise Applications, click on the newly added Testsigma App. You will be taken to the Overview page for the App as shown below:



2. Click on Users and groups on the left navigation menu to add the Users in Azure AD to the recently added Enterprise Application's users.


3. Click on Add user/group button on top.


4. In the next page - Add Assignment, click on None selected link to open the Users overlay.

Select the required users from the Users overlay that opens up on the right and click on Select button to finalise.


5. Now, click on Assign button to add the assignment.


III. Testsigma Specific SAML Configuration on Azure

1. Click on Single sign-on on the left side navigation menu which takes you to the Single sign-on method selection page(if not selected already).


2. Select the SAML option. You will be taken to the Set up Single Sign-on with SAML screen as shown below:


3. Click on Edit button on Section 1 - Basic SAML Configuration, enter the following details, and Save:

Entity ID: https://app.testsigma.com/saml/<id>/metadata
Reply URL: https://app.testsigma.com/saml/<id>/callback
Sign on URL: (Leave it empty)
Relay State: https://app.testsigma.com/saml/<id>/callback
Logout URL: (Leave it empty)
You need to replace the <id> with the SAML token identifier for your account.
The 'id' is provided on-demand since this is an Enterprise feature. Please contact Testsigma Support to raise a request for generating the identifier.

It will look like shown below:


4. Click on Edit button on section 2 - User Attributes & Claims.

In the User Attributes and Claims page that loads up, click on value for Unique User Identifier(Name ID) under Required Claim.

In the Manage Claim page that loads up, select Source attribute as user.email as shown below:

Save and navigate back to previous SAML-based Sign-on page.


5. Click on Edit button for section 3 - SAML signing Certificate, enter the following details, and Save:

Signing option: SAML response and assertion
Signing Algorithm: SHA-256

That's all the configuration to be done on Azure App for SAML-based Sign-on.


9. Navigate back to the SAML Sign-on page and download the XML file by clicking on the Download link under Section 3 - Federation Metadata XML


10. Open the XML File and copy the value under the key EntityDescriptor > Signature > KeyInfo > X509Data > X509Certificate

You can just search for <X509Certificate> and copy the value between first occurrence of <X509Certificate> and </X509Certificate>


11.  Also, note down the following values from Section 4 - Set Up Testsigma App

Azure AD Identifier
Login URL

We will be using the X509Certificate value and above two value in Testsigma App in the next section.


IV. Azure Specific SAML Configuration on Testsigma

Make sure you have the failsafe Browser Session as mentioned in the beginning of this article.


1. Now, open Testsigma App and navigate to Configuration > Security


2. Click on the Proceed button on the SAML option. Clicking on Proceed button open the Testsigma SAML Setup screen as shown below:


3. Enter the following details:

Entity ID: Azure AD Identifier (obtained from Section 4 in Azure SAML Setup page)

SSO URL: Login URL (obtained from Section 4 in Azure SAML Setup page)

SAML certificate: X509Certificate value (obtained in previous section from downloaded XML file)


4. Click on Confirm button to finalise the changes. You will be taken back to the Security page as shown below:


V. Test the SAML Config

Please make sure the Failsafe Browser session(mentioned in beginning of article) is open so that you can disable the SAML option from that session if SAML-based login fails and you get locked out of Testsigma.


1. Switch back to the Azure page and click on the Test button in Section 5.


2. Then click on Sign in as current user on the next screen. This will test the SAML-based login with the currently logged in user.

If the setup is done correctly, it should automatically log you in to the Testsigma. If not, use the Failsafe Browser session to disable the SAML option from Configurations > Security



Happy Testing!

Welcome to the era of #SmartTestAutomation!