Single Sign-On (SSO) Integration with Ping Federate

qTest Manager offers an integration with Ping Federate SSO. In this article, we are going to walk through how to set up this integration.

This article walks through setting up an integration between qTest and the OnPremise version of Ping Federate 9.2.11. The UI and workflow may differ if you integrate qTest with a different version of Ping Federate.

Important Announcement for new SSO Integrations

The qTest Manager SSO Service Provider (SP) uses an X.509 certificate to sign authentication requests and decrypt SAML assertions. As part of qTest Manager's security process, we update our SP certificate every 3 years in August. The current certificate expires September 9, 2019.

If you are using:

  • any version of qTest OnPremise that is 9.7.1 or earlier

  • and setting up an SSO integration for the very first time

You must update the SSL certificate in each Manager server before configuring your IdP.

Create a New Connection

Before configuring your integration, you will need to create a brand new connection from within Ping Federate. To do so, follow these steps:

  1. Access your Ping Federate instance.

  2. Choose the Identity Provider tab from the left-hand menu.

  3. On the "Identity Provider" page, select the Create New icon.

You are then brought to the Connection Configuration UI. Follow these steps to properly configure and create your new connection:

  1. For Connection Type and Connection Options, retain the default settings.

  2. Within the Import Metadata tab, select URL for the "METADATA" option.

  3. Select Manage Partner Data URLs.

You will then be brought to the "SP Connection / Partner Metadata" page to manage your Partner Data URLs.

Manage your Partner Data URLs

  1. Select the Add New URL icon.

  2. Within the URL tab, do the following:

    • enter your qTest Metadata link in the URL field.

    • select the Validate Metadata Signature option.

  3. Keep the "Certificate Summary" section as is. Select Next.

  4. Verify your Summary and select Done.

  5. You are brought back to the SP Connection page. Here, in the Import Metadata tab, select the metadata file name that you have already defined.

  6. Select the Load Metadata icon.

  7. Review your Metadata information, and select FULL as your Logging Mode.

  8. Select Next.

Configure Your Browser SSO

You are then brought to the Browser SSO tab. Follow the steps below to configure your Browser SSO:

  1. Select the Configure Browser SSO icon.

  2. In the Assertion Lifetime tab, select the check-boxes associated with both IDP- and SP-Initiated SSO. Select Next.

  3. Define your assertion lifetime according to your internal policies. Select Next.

  4. In the Assertion Creation tab, select the Configure Assertion Creation icon.

  5. On the "Assertion Creation" page, select the Standard Option.

  6. Add attributes as defined below:

  7. Select Next.

You will then need to Map your Adapter instance. To do so, follow the steps below:

  1. In the Authentication Source Mapping tab, select the Map New Adapter Instance icon.

  2. Choose a defined Adapter instance with your LDAP. Select Next.

  3. In the Mapping Method tab, choose the Use Only the Adapter Contract values in the SAML Assertion option.

  4. Within the Attribute Contract Fulfillment tab, define your attributes as follows:

  5. Skip the Issuance Criteria by selecting Next.

  6. Review your IdP Adapter Mapping. Select Done.

  7. You are brought back to the Authentication Source Mapping tab. Here, select Next to review your summary.

  8. After reviewing your summary, select Done.

  9. Review your Assertion Creation and select Next.

Configure Protocol Settings

You will then have to configure your Protocol Settings. Follow these steps:

  1. Review your Protocol Settings. Select Next.

  2. Select Next again.

  3. Define your Remote Party URL as the following:

    /SAML2/ARL/Artifact

  4. In the Signature Policy tab, choose Sign Response as Required. Select Next.

  5. For the Encryption Policy, select None.

  6. Review your Protocol Settings Summary and select Done when finished.

Define your Credentials

Next, you will need to define your Credentials. Follow the steps as outlined below:

  1. In the Credentials tab, choose the Configure Credentials icon.

  2. Configure both options for Back-Channel Authentication.

  3. Select Digital Signature for both Outbound and Inbound SOAP.

  4. Select Next.

  5. In the Digital Signature Settings tab, choose the following for your Signing Certificate and Signing Algorithm:

  6. In the Signature Verification Settings tab, select Manage Signature Verification Settings.

  7. Select the Unanchored option for your Certificate.

  8. Review your Signature Verification and select Done.

  9. Then, enable and save the newly created SP Connection.

Metadata Export

Now that you have configured your integration, you can export your Metadata to qTest. To do so, follow the steps as outlined below:

  1. Access your System Settings and choose Metadata Export.

  2. Within the Metadata Role tab, select I am the IDP. Select Next.

  3. Select Use a connection for Metadata Generation. Select Next.

  4. In the Connection Metadata tab, select the SP connection you created for qTest. Select Next.

  5. Select Signing Certificate. Select Next.

  6. Review and export the Metadata file from Ping.
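
Before uploading the exported file to qTest, it can be sanity-checked offline. The following is an added example, not part of the original article or either vendor's tooling: it confirms the file describes an IdP, computes the SHA-256 fingerprint of each signing certificate so it can be compared with the certificate selected in Ping Federate, and flags non-HTTPS SSO endpoints. The sample metadata, host name and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not real PingFederate output: the host is a placeholder
# and the certificate value is dummy bytes, not an X.509 certificate.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="ping.example.test"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ZHVtbXktY2VydC1ieXRlcw==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://ping.example.test/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return (problems, sha256 fingerprints of the signing certificates)."""
    if "<!DOCTYPE" in xml_text:  # no DTDs: keeps entity tricks away from the parser
        return ["DOCTYPE present; refusing to parse"], []
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor; was the file exported in the IdP role?"], []
    problems, fingerprints = [], []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no "use" = signing and encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        problems.append("no signing certificate in the metadata")
    endpoints = idp.findall("md:SingleSignOnService", NS)
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    for ep in endpoints:
        if not ep.get("Location", "").lower().startswith("https://"):
            problems.append("non-HTTPS endpoint: " + ep.get("Location", ""))
    return problems, fingerprints

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA))
```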

Add Metadata to qTest

Once you have downloaded your Ping Metadata, you will need to upload that file to qTest. To do so, follow these steps:

  1. In qTest Manager, select Administration from your username drop-down menu.

  2. Select the Authentication tab.

  3. In the left-hand nav menu, select SSO.

  4. In the Configuration section, upload your Ping Metadata file.

  5. Toggle the Activation Status to ON.

  6. Save and Refresh your page.

You have now successfully configured your integration between qTest and Ping Federate.

Optional Configuration Option

Define Custom Mapping Attributes for SSO Integration

Site Admins have the ability to define custom mapping attributes for your SSO Integration. The attribute values are prepopulated by default, with the values below:

  • user.email

  • user.firstname

  • user.lastname

If you change a default attribute value to a custom mapping, qTest will use the new values to retrieve data from SAML responses.
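
A mismatch between the attribute names Ping Federate sends and the names configured in qTest can be found by inspecting a decoded SAML response captured during testing. The following added example (not from the original article or qTest) does that comparison; it assumes qTest matches on the Attribute Name, and the sample response and its values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_MAPPING = ("user.email", "user.firstname", "user.lastname")

# Constructed sample response (issuer and values are placeholders). It sends
# "mail" where the default qTest mapping expects "user.email".
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>ping.example.test</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>jane@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.firstname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.lastname">
        <saml:AttributeValue></saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_attribute_mapping(xml_text, mapping=DEFAULT_MAPPING):
    """Compare attribute names in a decoded SAML response with the qTest
    mapping (assumed to match on Name). Does not validate the signature."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in a SAML response")
    root = ET.fromstring(xml_text)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; expected Encryption Policy None")
    sent = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        sent[attr.get("Name")] = [v for v in values if v]
    return {
        "missing": [n for n in mapping if n not in sent],
        "empty": [n for n in mapping if n in sent and not sent[n]],
        "unmapped": sorted(n for n in sent if n not in mapping),
    }

if __name__ == "__main__":
    print(check_attribute_mapping(SAMPLE_RESPONSE))
```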