Enable Single Sign-On for Tricentis User Administration

Tricentis User Administration allows you to centrally manage users across multiple projects, which saves time and effort as your testing projects scale.

As a first step, you need to choose how to create users in Tricentis User Administration.

This topic explains how to create users by enabling Single Sign-On (SSO). With this option, you use your third-party provider to manage user access. Users can then sign in with their existing credentials.

What's in this topic?

This topic is for administrators. It has all the information you need to complete the following tasks:

  • Understand supported providers and flows

  • Prepare for SSO, including user group mapping

  • Set up SSO in Tricentis User Administration

  • Enable signed SAML requests

Understand supported providers and flows

Keep the following in mind:

  • Tosca supports all identity providers that use Security Assertion Markup Language 2.0 (SAML 2.0).

  • Tosca only supports Service Provider Initiated SSO flows. Users start at the Tosca sign-in page and click the SSO button; IdP-initiated sign-in, for example from the provider's application portal, isn't supported.

  • Tosca only displays users in Tricentis User Administration after they sign in for the first time. It doesn't import and display all users at once.

  • Tosca supports automatic user group mapping for Microsoft Entra ID. User group mapping links groups of the same name in Microsoft Entra ID and Tricentis User Administration, and automatically adds users to the Tricentis User Administration groups when they sign in.

Prepare for SSO

Before you can set up SSO, you need to make sure that your identity provider and Tricentis User Administration are configured to recognize each other.

To prepare your SAML 2.0 identity provider, follow these steps: 

  • Define the email, name, and sub claims in your identity provider, so that the assertion it issues identifies the user to Tricentis User Administration.

  • Configure the Identifier (Entity ID) as http(s)://<Tosca Server address>/saml.

  • Configure the Reply URL (Assertion Consumer Service (ACS) URL) as http(s)://<Tosca Server address>/signin-saml.

  Both values must match the scheme and host name that users reach Tosca Server on. Use https for anything other than a throwaway test setup: the SAML response that carries the user's identity is posted to the ACS URL.

How you do this depends on your provider. For an example on how to prepare Okta, check out the corresponding Tricentis Knowledge Base article.

To prepare Tricentis User Administration, you need to create user groups. You can add users to these groups after you set up SSO and they sign in, or you can enable user group mapping to automatically add users to Tricentis User Administration groups.

Map user groups

User group mapping links groups of the same name in your identity provider and Tricentis User Administration. That way, Tricentis User Administration automatically adds users who are members of the identity provider group to the group of the same name in Tricentis User Administration when they log in.

User group mapping works with the identity provider Microsoft Entra ID. This feature may not work as intended with other identity providers.

To get ready for user group mapping, perform any preparatory tasks you might need in your own identity provider. These could be cleaning up groups or creating additional ones to line them up with Tosca groups. As you prepare your identity provider, keep in mind the following:

  • If there is a group with the name 'Admins' in your identity provider, Tosca adds all its members to the default 'Admins' group in Tricentis User Administration. These users automatically get admin rights to Tricentis User Administration the first time they sign in. If you don't want this, review that group's membership before you enable mapping and make the change in your own system: rename the group or remove members. You can't rename the default 'Admins' group in Tricentis User Administration.

  • If a user in your identity provider has no matching group in Tricentis User Administration, Tosca creates the user without group membership. You can then update the user's groups from your identity provider.

Set up SSO in Tricentis User Administration

Once you've prepared for SSO, you can set it up in Tricentis User Administration:

  1. Open Tricentis User Administration and go to Settings.

  2. Turn on the Enable Single Sign On toggle.

  3. Enter the name of your Identity Provider (IdP).

  4. Define your IdP metadata source in one of the following ways:

    • Enter the URL of your metadata.

    • Upload the metadata XML file.

    We recommend that you use the URL option to reduce maintenance effort. If you use the file option and settings change, for example when your identity provider rotates its signing certificate, you have to generate a new file and upload it. Whichever option you choose, use an https:// metadata URL: the metadata is where Tricentis User Administration learns which certificate to trust for your identity provider's signatures.

  5. Optionally, turn on user group mapping to automatically add users to groups when they log in:

    • Select Automatically map users to user groups.

    • Enter the name of the source attribute that defines group membership in your identity provider. This varies between providers, so if you don't know the name, check your provider's documentation.
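The metadata source you enter in step 4 is what Tricentis User Administration trusts to identify your identity provider, so it is worth looking at what it contains before you point the service at it. The following PowerShell script is an added example and not Tricentis code: it parses a SAML 2.0 IdP metadata document, reports the entityID, the SSO endpoints Tosca will send its requests to, and the signing certificate's expiry, and flags a plain-http metadata URL. The metadata it parses is a constructed sample built around a throwaway self-signed certificate generated in memory with .NET's CertificateRequest (Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7); the idp.example.com addresses are placeholders. For real use, pass the output of Invoke-WebRequest against your metadata URL, or Get-Content -Raw on the downloaded file.

```powershell
# Added example, not part of Tricentis Tosca. Inspects SAML 2.0 IdP metadata before you
# enter it as the metadata source in Tricentis User Administration.

function Test-IdpMetadata {
    param(
        [Parameter(Mandatory)] [string] $MetadataXml,   # the metadata document as text
        [string] $Source   = '',                        # URL or file path it came from
        [int]    $WarnDays = 30                         # warn when a signing cert expires sooner than this
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # The metadata tells Tosca which certificate to trust; fetched over plain HTTP it could be swapped in transit.
    if ($Source -match '^http://') {
        $findings.Add("Metadata source '$Source' uses plain HTTP; use https:// so the IdP signing certificate cannot be replaced in transit.")
    }

    [xml] $doc = $MetadataXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entityId = $doc.SelectSingleNode('/md:EntityDescriptor/@entityID', $ns).Value
    $idp      = $doc.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'No IDPSSODescriptor found; this is not identity provider metadata.' }

    # Tosca only does SP-initiated SSO, so it needs a SingleSignOnService endpoint to send its requests to.
    $sso = @{}
    foreach ($ep in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
        $sso[$ep.GetAttribute('Binding').Split(':')[-1]] = $ep.GetAttribute('Location')
    }
    if ($sso.Count -eq 0) { $findings.Add('No SingleSignOnService endpoint; SP-initiated sign-in cannot work.') }

    # Signing certificates: KeyDescriptor with use="signing", or with no use attribute at all.
    $certs = foreach ($node in $idp.SelectNodes("md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)) {
        $der = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
    if (-not $certs) { $findings.Add('No signing certificate in metadata; assertion signatures cannot be verified.') }
    foreach ($c in $certs) {
        $daysLeft = [int] ($c.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt 0) {
            $findings.Add("Signing certificate $($c.Thumbprint) expired on $($c.NotAfter.ToString('u')).")
        } elseif ($daysLeft -lt $WarnDays) {
            $findings.Add("Signing certificate $($c.Thumbprint) expires in $daysLeft days; if you uploaded a metadata file rather than a URL, plan to re-upload it.")
        }
    }

    [pscustomobject]@{
        EntityId                = $entityId
        WantAuthnRequestsSigned = ($idp.GetAttribute('WantAuthnRequestsSigned') -eq 'true')
        SsoEndpoints            = $sso
        SigningCertificates     = @($certs | ForEach-Object { "$($_.Subject) ($($_.Thumbprint)), valid until $($_.NotAfter.ToString('yyyy-MM-dd'))" })
        Findings                = $findings.ToArray()
    }
}

# --- Constructed sample input (replace with your real metadata) -------------------------
# Throwaway self-signed certificate standing in for the IdP's signing certificate,
# deliberately valid for only 20 more days so the expiry warning fires.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=sample-idp-signing', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sampleCert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(20))
$sampleB64  = [Convert]::ToBase64String($sampleCert.RawData)

$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>$sampleB64</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/post"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

# A plain-http source is passed on purpose so that finding shows up as well.
Test-IdpMetadata -MetadataXml $sampleMetadata -Source 'http://idp.example.com/metadata.xml' | Format-List
```

WantAuthnRequestsSigned="true" in the sample is the metadata flag that tells you the provider expects signed requests, which is the case covered under Enable signed SAML requests further down.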

Enable signed SAML requests

After you set up SSO for Tricentis User Administration, you can strengthen it by signing the SAML authentication requests that Tricentis User Administration sends to your identity provider. If your identity provider requires signed requests, you need to enable this feature before SSO works at all.

To enable signed SAML requests, follow these steps: 

  1. Open the appsettings.json configuration file for the authentication service. After a default installation, this file is located at C:\Program Files (x86)\TRICENTIS\Tosca Server\AuthenticationService.

  2. Fill in these configuration attributes: 

    • IdPSignInCertificatePath defines the path to the certificate your identity provider uses for validation.

    • SpSignInCertificatePath defines the path to the Tricentis User Administration signing certificate.

    • SpSignInCertificatePassword defines the password for the Tricentis User Administration certificate. The password is stored in clear text in appsettings.json, so restrict read access to the file and to the certificate directory to the service account and administrators.

    • SignInSignatureAlgorithm defines the algorithm Tricentis User Administration uses for signing the requests, given as the XML Signature algorithm URI.


    Configuration example (the algorithm value is the exact URI, with no surrounding whitespace):

    "SamlOptionalSettings": {
      "IdPSignInCertificatePath": "C:\\ProgramData\\Tricentis\\Authentication\\certs\\saml-sp-signing-test.cer",
      "SpSignInCertificatePath": "C:\\ProgramData\\Tricentis\\Authentication\\certs\\saml-sp-signing-test.pfx",
      "SpSignInCertificatePassword": "VerySecurePassword123",
      "SignInSignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    }

  3. Restart the Tricentis.AuthenticationService in the Windows Services console. If there are errors in your configuration, the service may fail to start.

If the service does start but your configuration is wrong, requests to it may return a 500 Internal Server Error rather than a message that points to the problem. In that case, recheck the certificate paths, the password, and the algorithm URI in appsettings.json.
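The steps above can be run end to end from an elevated PowerShell session on the Tosca Server host. The script below is an added example, not Tricentis code. It generates an RSA-2048 SP signing certificate, exports the .pfx and .cer, merges a SamlOptionalSettings block into appsettings.json, restricts the files that now hold the private key and its password to the service account and administrators, and restarts the service. It assumes the default installation path, that the Windows service name is Tricentis.AuthenticationService, and that appsettings.json contains no comments (ConvertFrom-Json in Windows PowerShell 5.1 rejects them; edit by hand in that case). Like the configuration example above, it points IdPSignInCertificatePath at the .cer of the SP signing pair; that .cer is also what you upload to your identity provider so it can verify the signatures.

```powershell
# Added example, not part of Tricentis Tosca. Enables signed SAML requests for
# Tricentis User Administration. Run from an elevated PowerShell 5.1+ session.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$AppSettings = 'C:\Program Files (x86)\TRICENTIS\Tosca Server\AuthenticationService\appsettings.json'  # default install path
$CertDir     = 'C:\ProgramData\Tricentis\Authentication\certs'
$ServiceName = 'Tricentis.AuthenticationService'                                                          # assumed service name

New-Item -ItemType Directory -Force -Path $CertDir | Out-Null
$pfxPath = Join-Path $CertDir 'saml-sp-signing.pfx'
$cerPath = Join-Path $CertDir 'saml-sp-signing.cer'

# 1. SP signing key pair: RSA-2048, SHA-256, signature-only key usage, valid for two years.
$cert = New-SelfSignedCertificate -Subject 'CN=Tosca SAML SP signing' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 -KeyUsage DigitalSignature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Random PFX password instead of a hard-coded one; it will sit in appsettings.json in clear text.
$pfxPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 32 | ForEach-Object { [char] $_ })
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password (ConvertTo-SecureString $pfxPassword -AsPlainText -Force) | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null   # public half (DER); upload this to the IdP

# 2. Merge SamlOptionalSettings into appsettings.json, keeping the other settings; back up first.
Copy-Item -Path $AppSettings -Destination "$AppSettings.bak" -Force
$config = Get-Content -Raw -Path $AppSettings | ConvertFrom-Json
$saml = [pscustomobject]@{
    IdPSignInCertificatePath    = $cerPath
    SpSignInCertificatePath     = $pfxPath
    SpSignInCertificatePassword = $pfxPassword
    SignInSignatureAlgorithm    = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'   # exact URI, no trailing space
}
$config | Add-Member -MemberType NoteProperty -Name 'SamlOptionalSettings' -Value $saml -Force
$config | ConvertTo-Json -Depth 20 | Set-Content -Path $AppSettings -Encoding UTF8

# 3. Restrict the files that now carry the private key and its password to the service account and admins.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the service name in services.msc." }
$svcAccount = switch ($svc.StartName) {          # Win32_Service names built-in accounts differently from icacls
    'LocalSystem'                 { 'NT AUTHORITY\SYSTEM' }
    'NT AUTHORITY\LocalService'   { 'NT AUTHORITY\LOCAL SERVICE' }
    'NT AUTHORITY\NetworkService' { 'NT AUTHORITY\NETWORK SERVICE' }
    default                       { $svc.StartName }
}
foreach ($f in @($AppSettings, $pfxPath)) {
    icacls $f /inheritance:r /grant:r "${svcAccount}:(R)" 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
}

# 4. Restart and confirm; a malformed configuration keeps the service from coming back up.
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 5
$state = (Get-Service -Name $ServiceName).Status
if ($state -ne 'Running') { throw "$ServiceName is $state after restart; restore $AppSettings.bak and check the configuration." }
"Signed SAML requests enabled. Upload $cerPath to your identity provider as the SP signing certificate."
```

The ACL step is what turns the clear-text password in appsettings.json from a finding into an accepted risk: after it runs, only the account the service starts as, local administrators and SYSTEM can read the file and the .pfx. If your service runs as a domain account, the switch falls through to the default branch and grants that account directly.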

What's next

If you use Tricentis User Administration for authorization, organize your users into user groups if you haven't done so yet. Once you have your groups, assign them to your Tosca test projects to grant access.

If you use Tricentis User Administration for authentication only, you're done here. Check the Tricentis Tosca setup guide for any remaining setup steps.