Single Sign-On (SSO) Integration with Microsoft Azure Active Directory

This feature allows users to log in to qTest with their SSO credentials. As a site administrator, you can configure your SSO integration with Microsoft Azure Active Directory using the instructions below. Once you have configured the SSO integration, you can enable SSO log in for qTest users.

For instructions on integrating SSO with other services, refer to Single Sign-On (SSO) Integration.

Update the SSL certificate before configuring your IdP

qTest Manager SSO Service Provider (SP) uses an x509 certificate to sign authentication requests and decrypt SAML assertions. As part of qTest Manager's security process, we update our SP certificate every three years in August. qTest Manager will notify you when the certificate is due to expire.

If you are setting up an SSO integration for the first time for either an SaaS or OnPremises 9.7.2 or later environment, refer to Update qTest Manager SSO Service Provider Certificate on SSO IdP for information on updating the SSL certificate before configuring your IdP.

Configure qTest to your Identity Provider (IdP)

To add your qTest instance as an application on your IdP, you need to:

  1. Locate the URLs and attributes needed to configure the SAML application.

  2. Configure your IdP with Azure Active Directory.

  3. Configure your SSO Integration in qTest.

  4. Run the Service Provider with the SP-Initiated SSO.

Locate the URLs and attributes needed to configure the SAML application

The qTest SSO URLs and attributes are used when configuring your IdP in the Configure your IdP with Azure Active Directory and Configure your SSO Integration in qTest sections.

  1. In qTest, hover your cursor over your username. Then select Administration on the menu that appears.

  2. Click the Authentication tab.

  3. In the Authentication Systems panel, select SSO.

    The External systems - Single Sign-On (SSO) screen appears. The URLs required for configuring your IdP are highlighted in the SSO section. The attributes needed for mapping are located in the Configuration section.

    URLs.png

Configure your IdP with Azure Active Directory

Configuring your IdP with Azure Active Directory includes the following steps.

Configure basic SAML settings in Azure

  1. In a separate browser window, access your Azure instance. Then navigate using the following options: Enterprise Applications > New Application > Create Your Own Application > Single Sign-On > SAML.

  2. In the Basic SAML Configuration section, click the Edit icon to display a screen where you can enter the URLs you obtained in the Locate the URLs and attributes needed to configure the SAML application section.

  3. In the Identifier (Entity ID) field, enter your Audience URL.

  4. In the Reply URL (Assertion Consumer Service URL) field, enter your Single Sign On URL.

Map qTest attributes to Azure attributes

  1. Access the User Attributes & Claims screen.

    For information about using Microsoft Azure Active Directory and accessing the User Attributes & Claims screen, refer to the Microsoft support site.

  2. On the User Attributes & Claims screen, click Add new claim to map the Azure attributes to the qTest attributes.

    • In the Name field, enter the attribute value.

    • Delete the entry in the Namespace field.

    • In the Source field, select the appropriate source attribute.

    Repeat this step for each attribute, including the user's email address, first name, and last name.

Assign users in Azure

  1. Assign a user to Administrator roles in Azure.

    For information on assigning administrator and non-administrator roles to users with Azure Active Directory, refer to the Microsoft support site.

  2. Assign a user or a group to an Enterprise App in the Azure Active Directory.

    For information on assigning users to an app in Azure Active Directory, refer to the Microsoft support site.

Download Azure metadata

  • Download the metadata by selecting the Metadata XML link to download and copy it to the qTest server folder.

    For example: c:\Users\johnsmith\Downloads\qTest.xml

Configure your SSO Integration in qTest

  1. In qTest, hover your cursor over your username. Then select Administration on the menu that appears.

  2. Click the Authentication tab.

  3. In the Authentication Systems panel, select SSO.

    The External systems - Single Sign-On (SSO) screen appears.

  4. (Optional) In the IdP name field, enter a name for your IdP.

  5. In the IdP Metadata link field, enter a URL to your IdP metadata. Alternatively, you can upload a metadata XML file from your local machine.

  6. Select the Create new account on qTest upon user's first login check box to allow users to create their qTest accounts. This option can help save time and effort by preventing the need to invite or update users.

  7. Click the Activation status button to turn the activation status to ON.

  8. Click Save to save the configuration.

Run the Service Provider with the SP-Initiated SSO

  1. On the qTest log in page, click the SSO log in option.

    sso_login.png

  2. The Azure Identity Provider Log in screen appears. Log in using your Azure Active Directory credentials.

    prompt.png

    The default screen for the qTest Service Provider appears.

    last_one.png

Enable SSO Log in for a qTest User

To log in to qTest Manager with SSO, a user will need an SSO account and an associated qTest account. There are two ways to enable SSO log in for a qTest user: update an existing user manually or allow users to create associated qTest Manager accounts upon their first log in.

If qTest retrieves user emails from the IdP and there is an existing qTest Manager account (authenticated by qTest) with the same email address, the user is allowed to associate the SSO account with the qTest Manager account. If the email address is manually input or the qTest Manager account is authenticated by SSO, the user will not be allowed to do so.

(Suggested method) Allow SSO users to create associated qTest Manager accounts on first log in

  1. In your IdP, grant users permission to access qTest Manager.

  2. In qTest Manager, hover your cursor over your username. Then select Administration on the menu that appears.

  3. Click the Authentication tab.

  4. In the Authentication Systems panel, select SSO.

    The External systems - Single Sign-On (SSO) screen appears.

  5. In the Configuration section, select the Create new account on qTest upon user's first login check box.

    When users log in to qTest Manager for the first time, they will then need to create an associated qTest Manager account.

Update an existing qTest user

  1. In qTest, hover your cursor over your username. Then select Administration on the menu that appears.

  2. Click the Licenses tab.

  3. In the Authentication System column for the user you want to update, click the Edit icon .

  4. In the drop-down menu that appears, select SSO.

  5. In the SSO Username field for the user, enter the user's corresponding SSO username.

    The user will receive an email notifying them of the authentication change.