Single Sign-On (SSO) Integration with ADFS (Active Directory Federation Services)

This article will walk you through setting up an SSO integration with ADFS.

Update the SSL certificate before configuring your IdP

The qTest Manager SSO Service Provider (SP) uses an X.509 certificate to sign authentication requests and decrypt SAML assertions. As part of qTest Manager's security process, we update our SP certificate every three years in August. qTest Manager will notify you when the certificate is due to expire.

If you are setting up an SSO integration for the first time for either a SaaS or OnPremises 9.7.2 or later environment, refer to Update qTest Manager SSO Service Provider Certificate on SSO IdP for information on updating the SSL certificate before configuring your IdP.

Configure your SSO Integration in qTest

  1. In qTest, hover over your username and select Administration from the drop-down.

  2. The Site Administration page loads. Select the Authentication tab.

  3. Select SSO from the left Authentication Systems panel.

  4. Optionally, enter a name for your IdP.

  5. You must enter a URL to your IdP metadata. Alternatively, you can upload a metadata XML file from your local machine. Remember to enter the IdP Metadata link using the following format: https://[your ADFS URL]/FederationMetadata/2007-06/FederationMetadata.xml

  6. Select the Create new account on qTest upon user's first login check box to allow users to create their qTest accounts. This will save time and effort because you will not need to invite or update many users. This option is explained in the next section.

  7. Switch the Activation status to On using the On/Off tab.

  8. Select the Save button to save the configuration.

  • You will need to switch off the integration with your LDAP systems to enable SSO integration.

Configure ADFS (Active Directory Federation Services)

Check Federation Service Properties

The Web SSO lifetime should not be greater than 480 minutes.

Add a Relying Party Trust

  1. In the left pane, select Add Relying Party Trust.


  2. On the Welcome page of Add Relying Party Trust Wizard, select Start.

  3. At the Select Data Source step, select the Import data about the relying party published online or on a local network option and enter this URL: https://[your qTest URL]/saml/metadata.

  4. At the Specify Display Name step, enter any name for the Relying Party (such as qTest SSO).

  5. Proceed to the last step to complete adding a Relying Party Trust.

Edit Newly added Relying Party Trust

  1. After it has been created successfully, right-click and select Properties to edit.

  2. On the Identifiers tab of the Properties dialog, view the identifier URL (https://[qTest URL]/saml/metadata).

  3. On the Monitoring tab of the Properties dialog, edit the federation metadata URL and ensure it is the same as the identifier URL (https://[qTest URL]/saml/metadata).

  4. On the Advanced tab, select SHA-256 as the secure hash algorithm.

  5. Select the Apply icon, and close the dialog box.

Edit Claim Rules of Newly Added Relying Party Trust

  1. Right-click and select Edit Claim Rules.

  2. Add a claim rule as described below.

    • Claim Rule Name: NameID

    • Attribute Store: Active Directory

    • Map the LDAP attribute with qTest field as in the image shown below.

  3. Add another claim rule. This one is not required.

    • Claim Rule Name: Attributes

    • Attribute Store: Active Directory

    • Map the following qTest Manager fields with any suitable LDAP attributes: user.firstname, user.lastname, and user.email.

    Edit Claim Rules - Attributes
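
To confirm that the ADFS side matches the settings described above (Web SSO lifetime, relying party identifier and monitoring URL, SHA-256, and a NameID claim rule), the following PowerShell check reads them back with the ADFS cmdlets. It is an added example, not part of the vendor's documentation; the function name Test-QTestAdfsTrust, the trust name 'qTest SSO' and the sample URL are assumptions.

```powershell
# Added example: read back the ADFS settings this article prescribes.
# Run in an elevated session on the primary ADFS server (ADFS module loaded).
function Test-QTestAdfsTrust {
    param(
        [Parameter(Mandatory)] [string] $QTestUrl,   # e.g. 'https://qtest.example.com' (constructed)
        [string] $TrustName = 'qTest SSO'            # assumed display name from the wizard
    )
    $expected = $QTestUrl.TrimEnd('/') + '/saml/metadata'
    $sha256   = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    $findings = @()

    # Federation Service Properties: Web SSO lifetime must not exceed 480 minutes.
    $lifetime = (Get-AdfsProperties).SsoLifetime
    if ($lifetime -gt 480) {
        $findings += "Web SSO lifetime is $lifetime minutes (limit is 480)"
    }

    $rp = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $rp) {
        return @($findings + "Relying party trust '$TrustName' not found")
    }
    if (-not $rp.Enabled) {
        $findings += "Relying party trust '$TrustName' is disabled"
    }
    # Identifiers tab: the identifier must be the qTest SAML metadata URL.
    if ($rp.Identifier -notcontains $expected) {
        $findings += "Identifier list does not contain $expected"
    }
    # Monitoring tab: the federation metadata URL must equal the identifier URL.
    if ("$($rp.MetadataUrl)" -ne $expected) {
        $findings += "Monitoring URL is '$($rp.MetadataUrl)', expected $expected"
    }
    # Advanced tab: secure hash algorithm must be SHA-256.
    if ($rp.SignatureAlgorithm -ne $sha256) {
        $findings += "Signature algorithm is '$($rp.SignatureAlgorithm)', expected SHA-256"
    }
    # Claim rules: the required NameID rule must issue a Name ID claim.
    if ($rp.IssuanceTransformRules -notmatch 'claims/nameidentifier') {
        $findings += 'No issuance transform rule issues a Name ID claim'
    }
    return $findings
}

# An empty result means every check passed.
Test-QTestAdfsTrust -QTestUrl 'https://qtest.example.com'
```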