Update qTest Manager SSO Service Provider Certificate on SSO IdP

qTest Manager SSO Service Provider (SP) uses an x509 certificate to sign authentication requests and decrypt SAML assertions. As part of qTest Manager's security process, we update our SP certificate every three years in May. qTest Manager will notify you when the certificate is due to expire.

If you configured your IDP to pull SP metadata automatically, you will not be impacted by the certificate update. No action is required on your part to update your SSO IdP.

If you are using SAML with an Identity Provider (IdP) that is not configured to refresh the SP metadata automatically, you must follow the instructions below, otherwise, you will not be able to access qTest Manager using SSO Login until you update the certificate in your IdP.

Prerequisites

Before updating qTest Manager SSO Service Provider certificate, we recommend you have at least one Administrator user who can successfully log in using qTest Manager internal authentication instead of SSO credentials. To do so, follow these instructions:

  1. From Administration, select the Licenses tab.

  2. Locate the Administrator username you want to transition to internal login.

  3. In the Authentication column, change the selection from SSO to Internal.

  4. Select the Action icon, and then select Reset password.

  5. Reset the password. This step will ensure the Administrator user has a current username/password combination, in the event the previous password used can not be remembered. Now, this user is converted from SSO to Internal authentication with fresh log in credentials.

How to Begin

There are three possible scenarios for how your organization configured the IdP when not using the 'refresh the SP metadata automatically' option. If you configured your SAML IdP by:

  • Scenario 1: Manually inputted SP information and uploading the certificate from a static file (.crt), or

  • Scenario 2: Manually added SP metadata file (.xml) containing the certificate, or

  • Scenario 3: (Most common) Added SP metadata URL (Audience URL) but did not enable 'refresh the SP metadata automatically' option.

Follow the instructions below to locate your metadata certificate, that is associated with your current configuration.

Locate the Updated SP Metadata File

Scenario 1:

When using the Certificate from a static file (.crt) you must download the latest certificate and replace it on the IDP. Download the new certificate file from here.

If you have not updated your certificate file since August 3rd, 2022, you need to do so via the link above. The previously downloaded certificate file expires on August 26, 2022 if not updated.

Scenarios 2 and 3:

  1. In qTest, hover over your username and select Administration.

  2. The Site Administration page loads. Select the Authentication tab.

  3. Select SSO from the left Authentication Systems panel.

  4. Copy the latest SP metadata URL (Audience URL).

    Scenario 2 ONLY: If your organization chose to manually add SP metadata file (.xml) to your IdP, you will follow the same instructions above to locate the latest SP metadata file. However, you would open the metadata URL in another browser window to download SP metadata file in XML format and replace it on the IDP.

This is where the qTest Manager corresponds to the latest SP metadata file.

SaaS Example:

  • If your qTest Manager site name is "https://qasymphony.qtestnet.com" then the latest SP metadata URL would be https://qasymphony.qtestnet.com/saml/metadata

OnPremises Examples:

  • if your qTest Manager site name is "https://myqtestonpremise.mycompany.com" then the latest SP metadata URL would be https://myqtestonpremise.mycompany.com/saml/metadata

  • if your qTest Manager site name is "http://192.168.9.9:8080" then the latest SP metadata URL would be http://192.168.9.9:8080/saml/metadata

Update the SP Metadata on SSO IdP

Microsoft Active Directory Federation Services (ADFS)

This section describes how to manually update the SP metadata for Microsoft Active Directory Federation Services (ADFS) that have already added SP metadata URL (Audience URL) but did not enable 'Automatically update relying party' option (Scenario 3).

Update the Certificate Metadata when using Monitor Relying Party

If you have set up your ADFS instance to monitor relying party (qTest Manager), then refresh the metadata by clicking the option Update from Federation Metadata available within the ADFS management tool.

Validate the Updated Certificate

Verify Effective date and Expiration date are updated on the Encryption tab on associated Relying Party Trust configuration as following:

All Other IdPs

For all other IDPs, please see the appropriate IDP documentation below. You will need to update (refresh) your metadata or certificate file replacement.