Set up single sign-on
Single sign-on (SSO) allows you to use your chosen internal identity provider for user access management.
Tosca Cloud uses Okta as the identity provider for user access management. If you want to use your own identity provider, set up SSO so that your team can access Tosca Cloud with their standard credentials.
There are a few different ways to set up SSO. Follow the instructions for the SSO protocol you'd like to use.
Security Assertion Markup Language (SAML) protocol is often favored by enterprise and federal organizations.
Before you start
There are a few things to check before you jump into the setup process:
-
Your internal identity provider must use SAML 2.0 protocol.
-
You must be an admin user in Tosca Cloud.
Set up
After you've met the prerequisites, follow these steps to set up SSO:
-
Open a support ticket (opens in new tab) with Tricentis or reach out to Tricentis Customer Support and request to set up SSO with SAML. The customer support agent generates two custom pieces of information for your Tosca Cloud organization and shares them with you:
-
Service provider identifier (Entity ID)
-
Reply URL (Assertion Consumer Service URL)
-
-
Create a new application integration in your identity provider. The setup varies by provider, but the following steps are mandatory:
-
For the sign in method, choose SAML 2.0.
-
Map user profile fields on your side to the corresponding claims on our side. Each of these claims is mandatory and must have a value:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
-
To use your existing identity provider groups in Tosca Cloud when assigning user access and roles, add the following groups claim:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Filter for the groups you want to sync and ensure the claim value exactly matches the user group names in Tosca Cloud.
-
-
Add the identifier (Entity ID) and Reply URL you received from the customer support agent.
-
Assign the application to all users that should have Tosca Cloud access.
-
Access the details or overview page of the new application integration you just created.
-
Find the metadata file and check that it contains a certificate for IdP verification. Either download the metadata file or copy the link to it, then share it with the customer support agent.
We’ll complete the setup for you. After that, Tosca Cloud relays each sign in to your identity provider for authorization.
OpenID Connect protocol is most often used for web and mobile applications.
Before you start
Check these prerequisites before you begin:
-
Your internal identity provider must use OpenID Connect protocol.
-
You must be an admin user in Tosca Cloud.
Set up
After you've met the prerequisites, follow these steps to set up SSO:
-
Open a support ticket (opens in new tab) with Tricentis or reach out to Tricentis Customer Support and request to set up SSO with OpenID Connect. You'll receive the following pieces of information from the customer support agent:
-
Redirect URI
-
Public key
If you lose product access while we're setting up, wait a moment and refresh the page.
-
-
Create a new application integration in your identity provider. The setup varies by provider, but all steps are mandatory:
-
For the sign in method, choose Open ID Connect (OIDC).
-
For the application type, choose Web application.
-
For the client authentication method, choose Public key/Private key and add the public key provided by the customer support agent.
-
Add the redirect URI you received from the customer support agent.
-
-
In your identity provider's claim configuration, map your user profile fields to the field names that Tosca Cloud expects. Each of the following fields is mandatory and must have a value:
-
given_name
-
family_name
-
email
-
-
To use your existing identity provider groups in Tosca Cloud when assigning user access and roles, add the groups field to your identity provider's claim configuration. Your identity provider must include this field in the ID token it emits. Filter for the groups you want to sync and ensure the claim value exactly matches the user group names in Tosca Cloud.
-
Assign the application to all users that should have Tosca Cloud access.
-
Some identity providers also require you to create an access policy and add a rule to allow your authorization server to access the application. Create these, if required, then save.
-
Access the details or overview page of the new application integration you just created.
-
Provide the customer support agent with your client ID and either the OIDC configuration file in JSON format or the values for each of the following fields:
-
Issuer
-
Authorization endpoint
-
Token endpoint
-
User info endpoint (optional)
-
JWKs URI
-
We'll complete the setup for you. After that, Tosca Cloud relays each sign in to your identity provider for authorization.