Authentication

Testmo supports multiple options for how users authenticate with the application. By default, users authenticate with their email address and Testmo password. Admins can also customize the password policy rules to match their internal guidelines.

With Testmo's enterprise subscription plan there are various additional options and features you can use to customize and adjust the authentication. This includes:

  • Enabling two-factor authentication for users

  • Optionally enforcing and requiring two-factor authentication for all users

  • Defining login rules based on user types and user groups

  • Configuring external login methods such as Azure AD, SAML, Google, Okta and OneLogin

User accounts

Regardless of whether users log in to Testmo with their regular Testmo login or with an optionally configured external login method, users always have a user account in Testmo. With the user account Testmo stores important user information such as the name, email address, group assignments and global role of the user. User accounts are also used to calculate the subscription pricing based on how many users were marked as activated.

So even with externally configured login methods, each user has a user account in Testmo. Admins can choose to create new user accounts manually (so you can specify exactly who can access Testmo), or external login methods can be configured to automatically create new accounts when a user logs in for the first time (see auto-provisioning below).

User accounts can be added one by one or you can use the convenient bulk add feature from the Admin > Users & roles page to import and invite many users at once.

Two-factor authentication

Two-factor authentication can be enabled for users on the Admin > Authentication page for Enterprise plan customers. Once enabled, users can switch on two-factor authentication for their login from their profile page. Testmo uses OTP for two-factor authentication so users scan a QR code with an OTP app such as Google Authenticator during setup. Additionally, Testmo shows a list of backup codes users need to store.

Once two-factor authentication is switched on, Testmo asks users to enter a verification code when they log in to Testmo. Note that this is only the case when users log in with Testmo's internal login method. If you configure and use external login methods, make sure to enable two-factor authentication with the external login provider instead.

You can also enforce two-factor authentication for the internal logins for all users. If users access Testmo without two-factor authentication enabled, they are redirected and restricted to their profile page to enable it.

Login methods

Testmo's Enterprise plan also supports additional login methods. The internal login method allows users to log in with their email address and password and this is the default login method enabled for all users.

External login methods allow you to integrate Testmo with your identity provider so you can manage logins in one central place, such as Azure AD, SAML, Google etc. When you add and configure an external login method, you can specify which user types or groups can use this method (see below). Currently Testmo supports the following authentication providers:

If you configure additional login methods, users can choose the login method when accessing Testmo.

How are external users linked to Testmo accounts?

Every user always has a Testmo user account, regardless of how they log in. This is important so you can easily manage Testmo permissions, assign tests etc. When users log in to Testmo, Testmo finds the correct user account based on the email address. So if you change the email address in the external system, make sure to also change the email for the Testmo account.

Login rules

Testmo differentiates between its internal login method (via email and password) and external logins. You can define which user types and/or user groups can use which login method via login rules. Here is how it works:

  • Internal login method: From Admin > Authentication, click the Login rules button in the Internal section. You can then select which user types and/or groups can log in to Testmo with the internal login method. The first rule that matches for a user applies. Site admins can always log in to Testmo with the internal login method, ensuring that the authentication options can be changed in case an external login method is not available.

  • External login methods: When adding external login methods, you can define which user types and groups can use this method. For example, you can create a user group in Testmo for a specific team in your organization and then only allow this team to log in with e.g. GitHub OAuth. You can configure rules from the Rules & access tab in the Add/Edit login method dialog.

Auto-provisioning users

With external login methods it can be useful to enable auto-provisioning. Auto-provisioning means that when users log in to Testmo for the first time, and they do not have a Testmo account yet, Testmo automatically creates an account. This is a convenient way to automatically allow users to log in to Testmo without creating an account first.

You can configure auto-provisioning when adding or editing an external login method from the Provisioning & users tab. From the same tab you can also configure the default access and groups of newly created users.

User accounts & subscriptions

Please note that all users that you add to Testmo are counted for the subscription fees. So consider that automatically created user accounts are also counted for the subscription fee when you enable auto-provisioning.

Important security considerations

When configuring auto-provisioning, make sure to limit this feature to email domains of your own organization. Especially with public/global login methods such as GitHub and Google OAuth, it's important to only allow users from your own email domain and no public domain.
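The email-based account linking and the domain restriction for auto-provisioning described above, as an added example: a simplified model written for this page, not Testmo's code or configuration format. The domains, function names and case-insensitive matching are assumptions; the point is that the domain check must be an exact match on the whole domain.

```python
from typing import Optional, Tuple

# Assumption: placeholder domains standing in for your organization's own.
ALLOWED_DOMAINS = frozenset({"example.com", "eng.example.com"})

def normalize(email: str) -> Optional[Tuple[str, str]]:
    """Return (address, domain) in normalized form, or None if malformed."""
    email = email.strip()
    if email.count("@") != 1 or any(c.isspace() for c in email):
        return None
    local, domain = email.split("@")
    domain = domain.lower().rstrip(".")
    if not local or "." not in domain:
        return None
    # Assumption: accounts are matched case-insensitively on the whole address.
    return f"{local.lower()}@{domain}", domain

def resolve_login(accounts: set, idp_email: str, auto_provision: bool = True,
                  allowed=ALLOWED_DOMAINS) -> Tuple[str, str]:
    """Decide what happens when an external login presents idp_email."""
    parsed = normalize(idp_email)
    if parsed is None:
        return "rejected", "malformed email"
    address, domain = parsed
    if address in accounts:                 # existing account: link by email
        return "linked", address
    if not auto_provision:
        return "rejected", "no account, auto-provisioning disabled"
    # Exact match on the whole domain. A suffix test such as
    # domain.endswith("example.com") would also accept notexample.com.
    if domain not in allowed:
        return "rejected", f"domain not allowed: {domain}"
    accounts.add(address)                   # create the new account
    return "provisioned", address

def demo():
    accounts = {"alice@example.com"}        # constructed sample data
    samples = ["alice@example.com", "Bob@Example.COM", "carol@gmail.com",
               "dave@notexample.com", "erin@example.com.evil.test",
               "frank@evil.test@example.com"]
    return [resolve_login(accounts, s)[0] for s in samples], accounts

if __name__ == "__main__":
    print(demo())
```

Only the first two constructed samples result in access; the public domain, the two lookalike domains and the address with two `@` signs are rejected before any account is created.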
