Single Sign-On (SSO) Integration with Ping Federate

qTest Manager offers an integration with Ping Federate SSO. This article walks through setting up the integration between qTest and the OnPremises version of Ping Federate 9.2.11. The UI and workflow may differ if you integrate qTest with a different version of Ping Federate.

Update the SSL certificate before configuring your IdP

The qTest Manager SSO Service Provider (SP) uses an X.509 certificate to sign authentication requests and decrypt SAML assertions. As part of qTest Manager's security process, we update our SP certificate every three years in August. qTest Manager will notify you when the certificate is due to expire.

If you are setting up an SSO integration for the first time, for either a SaaS environment or an OnPremises 9.7.2 or later environment, refer to Update qTest Manager SSO Service Provider Certificate on SSO IdP for information on updating the SSL certificate before configuring your IdP.

Create a New Connection

Before configuring your integration, you will need to create a brand new connection from within Ping Federate. To do so, follow these steps:

  1. Access your Ping Federate instance.

  2. Choose the Identity Provider tab from the left-hand menu.

  3. On the Identity Provider page, select the Create New icon.

You are then brought to the Connection Configuration UI. Follow these steps to properly configure and create your new connection:

  1. For Connection Type and Connection Options, retain the default settings.

  2. Within the Import Metadata tab, select URL for the Metadata option.

  3. Select Manage Partner Data URLs.

You will then be brought to the SP Connection | Partner Metadata page to manage your Partner Data URLs.

Manage your Partner Data URLs

  1. Select the Add New URL icon.

  2. Within the URL tab, do the following:

    • Enter your qTest Metadata link in the URL field.

    • Select the Validate Metadata Signature check box.

  3. Keep the Certificate Summary section as is. Select Next.

  4. Verify your Summary and select Done.

  5. You are brought back to the SP Connection page. Here, on the Import Metadata tab, select the metadata file name that you have already defined.

  6. Select the Load Metadata button.

  7. Review your Metadata information, and select Full as your Logging Mode.

  8. Select Next.

Configure Your Browser SSO

You are then brought to the Browser SSO tab. Follow the steps below to configure your Browser SSO:

  1. Select the Configure Browser SSO button.

  2. On the Assertion Lifetime tab, select the check-boxes associated with both IDP- and SP-Initiated SSO. Select Next.

  3. Define your assertion lifetime according to your internal policies. Select Next.

  4. On the Assertion Creation tab, select the Configure Assertion Creation button.

  5. On the Assertion Creation page, select the Standard option.

  6. Add attributes as defined below:

  7. Select Next.

You will then need to map your Adapter instance. To do so, follow the steps below:

  1. On the Authentication Source Mapping tab, select the Map New Adapter Instance button.

  2. Choose a defined Adapter instance with your LDAP. Select Next.

  3. On the Mapping Method tab, choose the Use Only the Adapter Contract values in the SAML Assertion option.

  4. On the Attribute Contract Fulfillment tab, define your attributes as follows:

  5. Skip the Issuance Criteria by selecting Next.

  6. Review your IdP Adapter Mapping. Select Done.

  7. You are brought back to the Authentication Source Mapping tab. Here, select Next to review your summary.

  8. After reviewing your summary, select Done.

  9. Review your Assertion Creation, and then select Next.

Configure Protocol Settings

You will then have to configure your Protocol Settings. Follow these steps:

  1. Review your Protocol Settings. Select Next.

  2. Select Next again.

  3. Define your Remote Party URL as the following:

    /SAML2/ARL/Artifact

  4. On the Signature Policy tab, choose Sign Response as Required. Select Next.

  5. For the Encryption Policy, select None.

  6. Review your Protocol Settings Summary and select Done when finished.

Define your Credentials

Next, you will need to define your Credentials. Follow the steps as outlined below:

  1. On the Credentials tab, choose the Configure Credentials button.

  2. Configure both options for Back-Channel Authentication.

  3. Select Digital Signature for both Outbound and Inbound SOAP.

  4. Select Next.

  5. On the Digital Signature Settings tab, choose the following for your Signing Certificate and Signing Algorithm:

  6. On the Signature Verification Settings tab, select Manage Signature Verification Settings.

  7. Select the Unanchored option for your Certificate.

  8. Review your Signature Verification and select Done.

  9. Then, enable and save the newly created SP Connection.

Metadata Export

Now that you have configured your integration, you can export your Metadata to qTest. To do so, follow the steps as outlined below:

  1. Access your System Settings and choose Metadata Export.

  2. On the Metadata Role tab, select I am the IDP. Select Next.

  3. Select Use a connection for Metadata Generation. Select Next.

  4. On the Connection Metadata tab, select the SP connection you created with qTest. Select Next.

  5. Select Signing Certificate. Select Next.

  6. Review and export the Metadata file from Ping.

Add Metadata to qTest

Once you have downloaded your Ping Metadata, you will need to upload that file to qTest. To do so, follow these steps:

  1. In qTest Manager, select Administration from your username drop-down menu.

  2. Select the Authentication tab.

  3. In the Authentication Systems panel, select SSO.

  4. In the Configuration section, upload your Ping Metadata file.

  5. Toggle the Activation Status to ON.

  6. Save and Refresh your page.

You have now successfully configured your integration between qTest and Ping Federate.

Optional Configuration Option

Define Custom Mapping Attributes for SSO Integration

Site Admins have the ability to define custom mapping attributes for your SSO Integration. The attribute values are pre-populated by default, with the values below:

  • user.email

  • user.firstname

  • user.lastname

If you change a default attribute value to a custom mapping, qTest will use the new values to retrieve data from SAML responses.
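
To confirm that the IdP sends the attribute names the mapping expects, check a SAML response captured during a test login. The following Python example is added here and is not qTest or Ping Federate code; it assumes an unencrypted assertion (Encryption Policy set to None, as configured above), and the function name and sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default mapping names from this page; replace them if you use a custom mapping.
EXPECTED = ("user.email", "user.firstname", "user.lastname")

def check_response(xml_text, expected=EXPECTED):
    """Return problems that would keep the SP from reading the mapped user data."""
    # SAML messages never need a DTD; refuse one instead of parsing entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD declarations are not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    # The Response may be the root or sit inside a SOAP/ArtifactResponse wrapper.
    resp = next(root.iter("{" + NS["samlp"] + "}Response"), None)
    if resp is None:
        raise ValueError("no samlp:Response element found")
    if resp.find("saml:Assertion", NS) is None:
        encrypted = resp.find("saml:EncryptedAssertion", NS) is not None
        return ["assertion is encrypted" if encrypted else "response has no assertion"]
    attrs = {}
    for a in resp.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        attrs.setdefault(a.get("Name", ""), []).extend(values)
    problems = []
    for name in expected:
        if name in attrs:
            if not any(attrs[name]):
                problems.append(f"attribute {name!r} is present but empty")
            continue
        near = [n for n in attrs if n.lower() == name.lower()]
        hint = f" (assertion has {near[0]!r}, differing only in case)" if near else ""
        problems.append(f"attribute {name!r} is missing{hint}")
    return problems

# Constructed sample response: one name differs in case and one is absent.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="user.email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user.FirstName">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE_RESPONSE)))
```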