Single Sign-On (SSO) Integration with ADFS Active Directory Federation Services


This article will walk you through setting up an SSO integration with ADFS.

Important Announcement for new SSO Integrations

qTest Manager SSO Service Provider (SP) uses an x509 certificate to sign authentication requests and decrypt SAML assertions. As part of qTest Manager's security process, we update our SP certificate every 3 years in August. The current certificate expires September 9, 2019.

If you are using:

  • any version of qTest OnPremise that is 9.7.1 or earlier
  • and setting up an SSO integration for the very first time

You must update the SSL certificate in each Manager server before configuring your IdP.

Configure your SSO Integration in qTest

  1. In qTest, hover over your username and select Administration.
  2. The Site Administration page loads. Select the Authentication tab.
  3. Select SSO from the left Authentication Systems panel.
  4. It is optional to enter a name for your IdP.
  5. You must enter a URL to your IdP metadata. Alternatively, you can upload a metadata XML file from your local machine. Remember to enter the IdP Metadata link using the following format: https://[your ADFS URL]/FederationMetadata/2007-06/FederationMetadata.xml
  6. Select the checkbox to 'Create new account on qTest upon user's first login' to allow users to create their qTest accounts. This will save time and effort because you will not need to invite or update many users.  This option will be explained below in the next section.
  7. Switch on Activation status in the top, right-hand corner of the screen.
  8. Select the Save button to save the configuration. If you are using Manager 9.8.1+, review the optional configuration options here



  • You will need to switch off the integration with your LDAP systems to enable SSO integration.

Configure ADFS Active Directory Federation Services

Check Federation Service Properties

The Web SSO lifetime should not be greater than 480 minutes.

Add a Relying Party Trust

  1. In the left pane, click Add Relying Party Trust. 

  2. On the Welcome page of Add Relying Party Trust Wizard, click the Start button.
  3. At the Select Data Source step, select the option Import data about the relying party published online or on a local network and enter this URL: https://[your qTest URL]/saml/metadata.
  4. At the Specify Display Name step, enter any name for the Relying Party (e.g., qTest SSO).
  5. Proceed to the last step to complete adding a Relying Party Trust.

Edit Newly added Relying Party Trust

  1. After it has been created successfully, right click and select Properties to edit.
  2. In the Identifiers tab of the Properties dialog, view the identier URL (https://[qTest URL]/saml/metadata). 


  3. In the Monitoring tab of the Properties dialog, edit the federation metadata URL and ensure it is the same as the identifier URL (https://[qTest URL]/saml/metadata). 


  4. In the Advanced tab, select SHA-256 secure algorithm 
  5. Click the Apply button and close the dialog box.

Edit Claim Rules of Newly Added Relying Party Trust

  1. Right click and select Edit Claim Rules.
  2. Add a claim rule as described below.
    • Claim Rule Name: NameID
    • Attribute Store: Active Directory
    • Map the LDAP attribute with qTest field as in the image shown below.


  3. Add another claim rule.  This one is not required.
    • Claim Rule Name: Attributes
    • Attribute Store: Active Directory
    • Map these default qTest Manager fields: user.firstnameuser.lastname, and with any suitable LDAP attributes.
      • For Manager 9.8.1+ Review the Optional Configuration Option listed below to configure custom attribute types. 

    Edit Claim Rules - Attributes

Optional Configuration Option

Define Custom Mapping Attributes for SSO Integration

Manager 9.8.1+: Site Admins have the ability to define custom mapping attributes for your SSO Integration. The attribute values are prepopulated by default, with the values below:

  • user.firstname
  • user.lastname 

If you choose to change a default attribute value, to a custom mapping, qTest will use the new values to retrieve data from SAML responses.



Powered by Zendesk