You can configure Testsigma to allow Single Sign-On (SSO) for your users. This way, they do not have to provide separate login credentials for Testsigma if SSO is already configured in your organisation. The user is authenticated by the SAML provider you configure on your side, and user attributes such as the email address are sent back to Testsigma.

 

Terminology

Here are a few entities that you need to be aware of before we move onto the details:

A user

The person requesting access to the service. In this case, Testsigma App User

A service provider

The application providing the service or protecting the resource. In this case, Testsigma App

An identity provider

The service or repository that manages the user information. It may be Okta, Onelogin, Azure AD, or an in-house IdP/IAM implementation.

Entity ID

Entity ID is an identifier (an alphanumeric string) given by the Service Provider (SP) that uniquely identifies it. It's often part of a metadata file (an XML file with a certificate, entity ID, and endpoint URLs). You would get this from the IdP (Okta, Onelogin, etc.).



Adding Testsigma App to OKTA

Your IT team is best placed to help you with this, since they may be the only ones with admin access to your Identity Provider.


The steps below apply to the Classic UI in OKTA. If you are on the modern UI, please switch to the Classic UI first.


1. First of all, log in to the Admin Console in OKTA.


2. In the Admin Console, go to Applications and click Add Application.

3. Click on Create new App.


4. Select Platform as Web. In the Sign On Method, select the SAML option and click on Create.

5. Fill in the details in General Settings Tab and press Next.


6. In the SAML Settings, enter the following details:

Single Sign-on URL: https://app.testsigma.com/saml/<id>/callback

Audience URI: https://app.testsigma.com/saml/<id>/metadata

Default Relay State: https://app.testsigma.com/saml/<id>/login

Name ID Format: EmailAddress

Application Username: Okta Username


7. On the next page, select 'I'm an OKTA User and adding an Internal App' and also 'This is an internal app that we have created'.


8. Click on Finish. Settings will be saved and you will be taken to the Sign-On tab.


9. Click on 'View Setup Instructions' to open the setup instructions page. You will get the 'Entity ID', 'SSO URL' and 'SAML Certificate' to be entered in Testsigma App from this page.


Enabling SSO in Testsigma

Navigation: Configuration > Security


The security page looks as shown below:


Clicking on the Setup button takes us to the Identity Provider (IdP) selection page. You have two options here:

I. Google SSO

II. SAML

I. Google SSO

Using Google SSO is very simple. If you have G-Suite enabled for your Testsigma Account email, you can just select the 'Google' option and click on the Confirm button. This will enable the Google SSO for Testsigma and the next time you are logging in, you would need to use the Google Account to log into Testsigma.


Note: If you are currently not logged into your Google Account, this option would be disabled. Please click on the link to log in to your G-Suite account first.

 

II. SAML

You can use this option if your organisation uses an Identity Provider such as Okta, Onelogin or Azure AD, or an in-house implementation of a Single Sign-On provider (IAM).


Click on the SAML radio button to select the SAML login option. You would need to enter the following details in Testsigma to use the SAML option:


Entity ID: Entity ID is an identifier (an alphanumeric string) given by the Service Provider (SP) that uniquely identifies it. It's often part of a metadata file (an XML file with a certificate, entity ID, and endpoint URLs). You would get this from the IdP (Okta, Onelogin, etc.).


SSO URL: The user gets redirected to this URL when they select the SAML SSO Login in Testsigma. This will be provided by the Testsigma team on demand.


Please make sure to update the SSO URL provided by the Testsigma team before you log out of the current session. Otherwise, you will be locked out due to incorrect configuration.


SAML Certificate: SHA-256 certificate provided by the Identity Provider that Testsigma uses to validate the authenticity of the Identity Provider. It's often part of a metadata file (an XML file with a certificate, entity ID, and endpoint URLs). You would get this from the IdP (Okta, Onelogin, etc.).



Obtaining the Configuration details from the IdP (Onelogin, Azure AD, etc.)

OneLogin as IdP

You can add the Testsigma app in Onelogin using the steps below:

1. Log in to your Onelogin account and search for "Testsigma" under Add Apps. Click Save after selecting the Testsigma app.

2. Enter your Testsigma site name in the Testsigma subdomain field under the Configuration tab and click Save.

3. Go to the SSO tab and get the SAML 2.0 Endpoint (Login URL) and X.509 Certificate (SAML certificate).

These are required and need to be pasted into the Testsigma user interface while enabling SAML.


Azure AD as IdP

You can add the Testsigma app in Microsoft's Azure Active Directory using the steps below:

1. Sign in to your Microsoft Azure site (through portal.azure.com).

2. Go to Azure Active Directory > Enterprise applications > New application > Non-gallery application and add an application, naming it "Testsigma".

3. Now, go to the newly created Testsigma application, select Single sign-on in the left pane and select SAML.


Click edit against the Basic SAML Configuration section and enter:

https://acme.chargebee.com - for Identifier(Entity ID) field

https://app.chargebee.com/saml/acme/acs - for Reply URL field. Replace acme with your Testsigma site name.

Scroll down to the Setup Testsigma section. Copy the Login URL and paste it in the field provided in Testsigma's SAML Configuration page.


In the SAML Signing Certificate section, use the URL given against App Federation Metadata URL and copy the content between the start and end tags of <X509Certificate>. Paste it in Testsigma's SAML Certificate field.
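
The Entity ID, login URL and certificate that the steps above copy by hand can also be read straight from the IdP's metadata XML, which avoids pasting a truncated or line-wrapped certificate. The Python sketch below is an added example, not Testsigma or IdP vendor code; the function name, the example.com endpoints and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def extract_idp_settings(metadata_xml):
    """Return the Entity ID, SSO URL and signing certificate from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # A KeyDescriptor without a 'use' attribute is valid for signing too.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS)
            if k.get("use") in (None, "signing")]
    cert_el = keys[0].find(".//ds:X509Certificate", NS) if keys else None
    if cert_el is None or not cert_el.text:
        raise ValueError("no signing certificate in metadata")
    cert_b64 = "".join(cert_el.text.split())         # drop line wraps and indentation
    der = base64.b64decode(cert_b64, validate=True)  # rejects a garbled paste
    endpoints = idp.findall("md:SingleSignOnService", NS)
    if not endpoints:
        raise ValueError("no SingleSignOnService endpoint in metadata")
    redirect = [e for e in endpoints if e.get("Binding") == REDIRECT]
    return {
        "entity_id": root.get("entityID"),
        "sso_url": (redirect or endpoints)[0].get("Location"),
        "certificate": cert_b64,
        # SHA-256 of the DER bytes, to compare with a fingerprint obtained out of band.
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://idp.example.com/entity">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>
        {SAMPLE_CERT[:24]}
        {SAMPLE_CERT[24:]}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Calling `extract_idp_settings(SAMPLE_METADATA)` returns the three values to paste into the SAML configuration page, plus a fingerprint for checking that the certificate is the one the IdP actually issued.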


Configure SAML in Chargebee

1. Log in to Chargebee and navigate to Settings > Security > Single Sign-on > Setup.

2. Select SAML and click Confirm.

3. Paste the Login URL and the X.509 Certificate retrieved from the IdP.