Azure & AD

Testmo can be integrated with Microsoft Azure Active Directory (Azure AD) via SAML so users can log in to Testmo with their directory account. Testmo supports configuring multiple login methods, so you can integrate different identity providers (as well as internal Testmo logins) at the same time. This guide explains how to configure the integration in Testmo and Azure AD.

Testmo Enterprise feature

Single sign-on integration is a Testmo Enterprise-only feature. To use the Azure AD SAML integration, please ensure that you are using Testmo Enterprise. If you are unsure about your subscription (or want to try the integration with a trial), please contact us.

Configuring the Azure AD SAML integration

The integration needs to be configured on both sides, in Testmo and in Azure AD. The Testmo and Azure AD integration uses SAML as the authentication protocol.

We start by configuring the integration in Azure AD. Open the Azure portal and select Azure Active Directory to access its management pages. There, from the left Manage section select Enterprise applications.

  • Click + New application (at the top)

  • From the Browse Azure AD Gallery page, click + Create your own application (at the top)

  • Enter the name of the integration (e.g. Testmo), select Integrate any other application you don't find in the gallery (Non-gallery) and click Create

Next, from the application's configuration page, select Users and groups in the left sidebar and assign any Azure AD groups or users who should be able to use the integration.

Then select Single sign-on in the left sidebar and click on the SAML card to configure the SAML settings. Configure these details:

  • Basic SAML Configuration (click Edit)

    • Identifier (Entity ID): Your Testmo web address (i.e. https://<yourname>

      • Also remove the default entry

    • Reply URL: Enter your Testmo web address plus /auth/saml/login/. I.e.:

    • Sign on URL: Also enter your Testmo web address here

    • Click Save and close the dialog with the X icon

  • Attributes & Claims (click Edit)

    • We need to configure three attributes that will be sent to Testmo when a user logs in. Start by removing the default attributes. We then add the following attributes (click + Add new claim):

    • ID attribute:

      • Name: id (important: all lower case)

      • Namespace: Needs to be empty

      • Source: Attribute

      • Source attribute: user.userprincipalname

    • Name attribute:

      • Name: name (important: all lower case)

      • Namespace: Needs to be empty

      • Source: Attribute

      • Source attribute: user.displayname

    • Email attribute:

      • Name: email (important: all lower case)

      • Namespace: Needs to be empty

      • Source: Attribute

      • Source attribute: user.mail

  • Close the dialog with the X icon

  • From the SAML Signing Certificate section, click Download next to Certificate (Base64). You will need this certificate when configuring the integration in Testmo in a moment.

  • From the Set up Testmo section we will need to copy a few settings for the Testmo integration settings, specifically:

    • Azure AD Identifier: This will be the SAML entity ID in Testmo

    • Login URL: This will be the SAML single sign-on URL in Testmo

We continue with the configuration in Testmo. In Testmo, go to Admin > Authentication. In the External section, click + Login method. Then enter these details in the Add login method dialog:

  • Name: The name of the login method. This is the name displayed on the login page to choose a login method for users. You could call it Azure AD, for example.

  • Provider: Select Azure AD (SAML)

  • SAML entity ID: Copy the above Azure AD Identifier from Azure here

  • SAML single sign-on URL: Copy the above Login URL from Azure here

  • SAML public certificate (X509): Open the above downloaded certificate file in a text editor and copy the entire certificate (including BEGIN CERTIFICATE and END CERTIFICATE) here

  • SAML claims

    • ID claim: Leave default value of id

    • Name claim: Leave default value of name

    • Email claim: Leave default value of email
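The claim names must reach Testmo exactly as `id`, `name` and `email`, so a namespace left in place or a capitalised name in Azure AD makes the claim unusable. The following check is an added example, not Testmo or Microsoft code: it reads the AttributeStatement from a decoded SAML response and reports claims that deviate from this guide. The sample statements are constructed, and the check is a diagnostic only; it does not verify the response signature.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUIRED = ("id", "name", "email")  # claim names this guide configures

def _statement(attrs):
    """Build a constructed AttributeStatement from (Name, value) pairs."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        f"</saml:AttributeValue></saml:Attribute>" for n, v in attrs)
    return (f'<saml:AttributeStatement xmlns:saml="{ASSERTION_NS}">'
            f"{body}</saml:AttributeStatement>")

# Constructed samples (not captured traffic).
GOOD = _statement([("id", "jane@example.com"), ("name", "Jane Doe"),
                   ("email", "jane@example.com")])
BAD = _statement([
    ("id", "jane@example.com"),
    ("Name", "Jane Doe"),  # wrong case: must be all lower case
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email",
     "jane@example.com"),  # namespace was not cleared
])

def read_claims(xml_text):
    """Map each Attribute Name to its list of values."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or ""
                            for v in a.iter(f"{{{ASSERTION_NS}}}AttributeValue")]
            for a in root.iter(f"{{{ASSERTION_NS}}}Attribute")}

def check_claims(xml_text):
    """Return a list of problems; an empty list means the claims match."""
    claims = read_claims(xml_text)
    problems = []
    for want in REQUIRED:
        if want in claims:
            if not any(v.strip() for v in claims[want]):
                problems.append(f"{want}: present but empty")
            continue
        # A near miss is a claim whose last path segment matches ignoring case.
        near = [n for n in claims if n.rsplit("/", 1)[-1].lower() == want]
        problems.append(f"{want}: sent as {near[0]!r}; expected exactly {want!r}"
                        if near else f"{want}: missing")
    return problems

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, check_claims(sample) or "OK")
```
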

Restricting Azure AD to certain user groups

Testmo supports restricting specific login methods to certain user groups. For example, you can configure one login method to support only a specific user group, while another login method can be used by all users etc. Learn more about authentication login rules.

Auto-provisioning new users

You can optionally auto-provision new users. With auto-provisioning enabled, Testmo automatically creates a Testmo account for a user who logs in for the first time. Learn more about auto-provisioning.

Logging in to Testmo with Azure AD

When multiple login methods are configured in Testmo, users can choose a login method from Testmo's login page. The internal Testmo login is also always available. Depending on the authentication login rules you configure, some login methods might only be allowed for certain user groups.

The internal Testmo login method is always enabled at least for Testmo admin users. This way admin users can always log in to Testmo, even if an external authentication system is having issues.

Disabling the integration

You can disable the Azure AD integration at any time. To do so, we recommend disabling or removing the integration both in Testmo and in Azure:

  • In Testmo, go to Admin > Authentication and either disable or remove the login method. Make sure that another login method is configured for the users who previously logged in with Azure AD and notify the users about the change.

  • In Azure AD, delete the configured Testmo application.
