Set up single sign-on
Single sign-on (SSO) allows you to use your chosen internal identity provider for user access management.
Tosca Cloud uses Okta as the identity provider for user access management. If you want to use your own identity provider, set up SSO so that your team can access Tosca Cloud with their standard credentials.
There are a few different ways to set up SSO. Follow the instructions for the SSO protocol you'd like to use.
The Security Assertion Markup Language (SAML) protocol is often favored by enterprise and federal organizations.
Before you start
There are a few things to check before you jump into the setup process:
- Your internal identity provider must use the SAML 2.0 protocol.
- You must be an admin user in Tosca Cloud.
Set up
After you've met the prerequisites, follow these steps to set up SSO:
- Open a support ticket with Tricentis or reach out to Tricentis Customer Support and request to set up SSO with SAML. The customer support agent generates two custom pieces of information for your Tosca Cloud organization and shares them with you:
  - Service provider identifier (Entity ID)
  - Reply URL (Assertion Consumer Service URL)
- Create a new application integration in your identity provider. The setup varies by provider, but the following steps are mandatory:
  - For the sign-in method, choose SAML 2.0.
  - Map user profile fields on your side to the corresponding claims on our side. Each of these claims is mandatory and must have a value:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  - Optionally, if you would like to sync user groups from your identity provider to Tosca Cloud, add this claim. Filter for the groups you want to sync to Tosca Cloud, then make sure that the claim value exactly matches the names of the user groups.
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
    If you'd like to include more than these fields, please reach out to your customer support agent, as we'll need to map these additional fields on our side as well.
  - Add the identifier (Entity ID) and Reply URL you received from the customer support agent.
- Assign the application to all users that should have Tosca Cloud access.
- Access the details or overview page of the new application integration you just created.
- Find the metadata file and check that it contains a certificate for IdP verification. Either download the metadata file or copy the link to it, then share it with the customer support agent.
We'll complete the setup for you. After that, Tosca Cloud relays each sign-in to your identity provider for authorization.
The OpenID Connect (OIDC) protocol is most often used for web and mobile applications.
Before you start
There are a few things to check before you jump into the setup process:
- Your internal identity provider must use the OpenID Connect protocol.
- You must be an admin user in Tosca Cloud.
Set up
- Open a support ticket with Tricentis or reach out to the Tricentis Customer Support team at support@tricentis.com and request to set up SSO with OpenID Connect. You'll receive the following pieces of information from the support agent:
  - Redirect URI
  - Public key
  If you lose product access while we're setting up, wait a moment and refresh the page.
- Create a new application integration in your identity provider. The setup varies by provider, but the following steps are mandatory:
  - For the sign-in method, choose OpenID Connect (OIDC).
  - For the application type, choose Web application.
  - For the client authentication method, choose Public key/Private key and add the public key provided by the customer support agent.
  - Add the redirect URI you received from the customer support agent.
  - Map user profile fields on your side to the corresponding user profile fields on our side. Each field is mandatory and must have a value. Here are the user profile fields on our side:
    - given_name
    - family_name
    - email
    If you'd like to include more fields, please reach out to your customer support agent, as we'll need to map these additional fields on our side as well.
- Assign the application to all users that should have Tosca Cloud access.
- Some identity providers also require you to create an access policy and add a rule that allows your authorization server to access the application. Create these, if required, then save.
- Access the details or overview page of the new application integration you just created. Provide the customer support agent with the values of the following fields:
  - Client ID
  - Issuer
  - Authorization endpoint
  - Token endpoint
  - User info endpoint
We'll complete the setup for you. After that, Tosca Cloud relays each sign-in to your identity provider for authorization.