Enable Single Sign-On for Tricentis User Administration

Tricentis User Administration allows you to centrally manage users across multiple projects, which saves time and effort as your testing projects scale.

As a first step, you need to choose how to create users in Tricentis User Administration.

This topic explains how to create users by enabling Single Sign-On (SSO). With this option, you use your third-party provider to manage user access. Users can then sign in with their existing credentials.

What's in this topic?

This topic is for administrators. It has all the information you need to complete the following tasks: 

  • Understand supported providers and flows.

  • Prepare for SSO.

  • Set up SSO in Tricentis User Administration.

Understand supported providers and flows

Keep the following in mind:

  • Tosca supports all identity providers that use Security Assertion Markup Language 2.0 (SAML 2.0).

  • Tosca only supports Service Provider Initiated SSO flows. This means users have to sign in via the SSO button.

  • Tosca only displays users in Tricentis User Administration after they sign in for the first time. It doesn't import and display all users at once.

Prepare for SSO

Before you can set up SSO in Tricentis User Administration, you need to prepare a few things.

In your own environment, you need to have these things in place:

  • You have defined the email, name, and sub claim within your SAML 2.0 identity provider.

  • You have configured the following information within your identity provider:

    Identifier (Entity ID): http(s)://<Tosca Server address>/saml

    Reply URL (Assertion Consumer Service (ACS) URL): http(s)://<Tosca Server>/signin-saml

How to do this varies between providers. For an example of how to prepare Okta, check out this Tricentis Knowledge Base article (opens in new tab).

By default, Tricentis User Administration only maps user names and emails. You can't bring in entire user groups from your own identity provider. This means you need to create user groups in Tricentis User Administration, wait for users to sign in, and then add them to a user group.

Tricentis User Administration offers mapping functionality, which allows you to skip the last step: manually adding users to groups. In this case, you create groups in Tricentis User Administration that have the same names as groups in your identity provider. When a user signs in for the first time, Tosca checks their group membership and adds them to the group with the same name in Tricentis User Administration.

User group mapping is an early access feature and still under development. We can't guarantee full functionality in this or in future versions.

To prepare for user group mapping, follow these steps:

  1. Remove the feature flag:

    • Open the Authentication Service appsettings.json file. After a default installation of Tosca Server, you can find it at C:\Program Files (x86)\TRICENTIS\Tosca Server\AuthenticationService.

    • In the AppFeaturesSettings section, set the value of the setting IsSsoUserGroupMappingEnabled to true.

    • Save and close the file.

  2. Perform some preparatory tasks in your own identity provider, such as cleaning up groups or creating additional ones. Keep these things in mind:

    • If you have a group called 'Admins' in your own identity provider, Tosca adds all members to the default 'Admins' group in Tricentis User Administration. This means these users automatically get admin rights to Tricentis User Administration. If you don't want this, you need to make changes in your own system: rename the group or remove members. You can't rename the default 'Admins' group in Tricentis User Administration.

    • If there's no matching group in Tricentis User Administration, Tosca creates the user without group membership. You can then manually assign them to any group.

Set up SSO in Tricentis User Administration

Once you've prepared for SSO, you can set it up in Tricentis User Administration:

  1. Open Tricentis User Administration and go to Settings.

  2. Turn on the Enable Single Sign On toggle.

  3. Enter the name of your Identity Provider (IdP).

  4. Define your IdP metadata source in one of the following ways:

    • Enter the URL of your metadata.

    • Upload the metadata XML file.

    We recommend that you use the URL option to reduce maintenance effort. If you use the file option and settings change, you have to generate a new file and upload it.

  5. If you enabled the user group mapping functionality, perform these additional tasks:

    • Select Automatically map users to user groups.

    • Enter the name of the source attribute that defines group membership in your identity provider. This varies between providers, so if you don't know the name, check your provider's documentation.

What's next

If you use Tricentis User Administration for authorization, organize your users into user groups, if you haven't yet. Once you have your groups, assign them to your Tosca test projects to grant access.

If you use Tricentis User Administration for authentication, you're good. Check the Tricentis Tosca setup guide. Maybe there's something else you still need to do?