Menu

Single Sign-On (SSO) Integration

Overview

This feature allows qTest users to log in to qTest with their SSO credentials. As a site administrator, you can configure and activate your SSO integration using the instructions below.

Configuring qTest to your Identity Provider (IdP)

You will need to add your qTest instance as an application on your IdP.  To begin, you should locate the URLs to configure the application SAML in qTest's SSO integration page.  

Access qTest's SSO Integration Information

You will need the following URL's when configuring your IdP in the next steps.

  1. Login to qTest and hover over your username and select Administration.
  2. The Site Administration page loads. Select the Authentication Integration tab.
  3. The Single Sign-On (SSO) page will display and in the SSO section, you will find the URLs needed to configure your IdP.

SSO_URLs.png

Configure your IdP

Please note, these instructions are specific to Okta. In a separate browser window, open your Okta instance.

  1. Login to your Okta account to add qTest Manager as an application.
  2. Select the Admin button in the top, right-hand corner of the window.
  3. Hover on the Applications tab, and select Applications from the drop down.
  4. You will need to create a new application by selecting the add application buttonadd_application_button.png.
  5. In the new application General Settings, enter the Application label name ex: qTest.
  6. Select Next and the SAML Settings load, enter the following:
    • Single Sign On URL- found in the qTest Authentication Integration tab
    • Audience URL- found in the qTest Authentication Integration tab
    • Default RelayState- optional
    • Name ID format- optional
    • Application username- select Okta username
    • In order for qTest to retrieve user information from your IdP, map the following attributes:
      • user.email
      • user.firstname
      • user.lastname

Invite Users to qTest Application from the IdP 

Once your qTest application has been entered and saved in Okta, you will need to invite users to the SSO.

  1. Select the Admin button in the top, right-hand corner of the window.
  2. Hover on the Applications tab, and select Applications from the drop down.
  3. You will see your newly created qTest account.
  4. Select the name (blue hyperlink) of the qTest account you created in Okta.
  5. Once the chosen application loads, select the Assignments tab.
  6. Click the green Assign button and now you can enter the user information for each employee that you would like to use the SSO for qTest.

Configure your SSO Integration in qTest

  1. In qTest, hover over your username and select Administration.
  2. The Site Administration page loads. Select the Authentication Integration tab.
  3. Select SSO from the left Authentication Systems panel.
  4. It is optional to enter a name for your IdP.
  5. You must enter a URL to your IdP metadata.  Alternatively, you can upload a metadata XML file from your local machine.
  6. Select the checkbox to 'Create new account on qTest upon user's first login' to allow users to create their qTest accounts.  This will save time and effort because you will not need to invite or update many users.  This option will be explained below in the next section.
  7. Switch on Activation status in the top, right-hand corner of the screen.
  8. Select the Save button to save the configuration.

IMPORTANT:

  • You will need to switch off the integration with your LDAP systems to enable SSO integration.

Enable SSO login for a qTest user

To log in to qTest Manager with SSO, a user will need an SSO account and an associated qTest account.  There are three ways to enable SSO login for a qTest user - invite a new user, update an existing user, or allow SSO users to create associated qTest Manager accounts upon their first login (suggested.)

Invite a New User

This could be used when adding (one or few) new employees that would have a new qTest account and a new Okta account. 

  1. In qTest, select the Invite button.
  2. On the Invite User dialog, enter an email to create an associated qTest Manager account.
  3. Select the option Let the user log in with his SSO username.
  4. Enter the SSO username.

IMPORTANT: You cannot invite a new user if the input email or SSO username is currently being used by an existing qTest user.

Update an Existing qTest User 

This 'bulk add' option could be used when adding multiple qTest users to a new SSO application, however, it is still a manual process and could be time-consuming. 

  1. Change the Authentication System of the user to SSO.
  2. Click the SSO Username field of the user. The field will change to a text box.  Enter the user's corresponding SSO username.
  3. Click the Save button.
  4. The user will receive a notification email.

Allow SSO Users to Create Associated qTest Manager Accounts upon Their First Login

Suggested login option to easily merge the SSO account with qTest.

  1. In your IdP, grant users with the permission to access to qTest Manager.
  2. In qTest Manager, select the option Create new account on qTest upon user's first login.
  3. When users login to qTest Manager for the first time, they will need to confirm to create an associated qTest Manager account.

    IMPORTANT:

    • If qTest retrieves user email from the IdP and there is an existing qTest Manager account (authenticated by qTest) with the same email, the user is allowed to associate the SSO account with the qTest Manager account.
    • If the email is manually input or the qTest Manager account is authenticated by SSO, the user will not be allowed to do so.

Configure ADFS Active Directory Federation Services

Check Federation Service Properties

The Web SSO lifetime should not be greater than 480 minutes.
Federation Service Properties

Add a Relying Party Trust

  1. In the left pane, click Add Relying Party Trust. 



  2. On the Welcome page of Add Relying Party Trust Wizard, click the Start button.
  3. At the Select Data Source step, select the option Import data about the relying party published online or on a local network and enter this URL: https://[your qTest URL]/saml/metadata.
  4. At the Specify Display Name step, enter any name for the Relying Party (e.g., qTest SSO).
  5. Proceed to the last step to complete adding a Relying Party Trust.

Edit Newly added Relying Party Trust

  1. After it has been created successfully, right click and select Properties to edit.
  2. In the Identifiers tab of the Properties dialog, view the identier URL (https://[qTest URL]/saml/metadata). 

    qTest SSO Properties - Identifiers

  3. In the Monitoring tab of the Properties dialog, edit the federation metadata URL and ensure it is the same as the identifier URL (https://[qTest URL]/saml/metadata). 

    qTest SSO Properties

  4. In the Advanced tab, select SHA-256 secure algorithm 
  5. Click the Apply button and close the dialog box.

Edit Claim Rules of Newly Added Relying Party Trust

  1. Right click and select Edit Claim Rules.
  2. Add a claim rule as described below.
    • Claim Rule Name: NameID
    • Attribute Store: Active Directory
    • Map the LDAP attribute with qTest field as in the image shown below.

    Edit Claim Rules - NameID

  3. Add another claim rule.  This one is not required
    • Claim Rule Name: Attributes
    • Attribute Store: Active Directory
    • Map these qTest Manager fields: user.firstnameuser.lastname, and user.email with any suitable LDAP attributes.

    Edit Claim Rules - Attributes

Enter ldP Metadata Link into qTest Manager

Remember to enter the IdP Metadata link using the following format: https://[your ADFS URL]/FederationMetadata/2007-06/FederationMetadata.xml

Subscribe To Our Blog
Powered by Zendesk