Custom SAML

Testmo supports SAML 2.0 so users can log in to Testmo with an identity provider (IdP) that implements this protocol. We have tested and documented the integration with the following providers, and other providers implementing SAML 2.0 should also work:

Testmo Enterprise feature

Single sign-on integration is a Testmo Enterprise-only feature. To use the SAML integration, please ensure that you are using Testmo Enterprise. If you are unsure about your subscription (or want to try the integration with a trial), please contact us.

Configuring the SAML 2.0 integration

You need to configure the SAML integration in both tools, i.e. in Testmo and in your identity provider (IdP) tool or service. The following details provide an overview of the settings you need for both sides. If you are unsure what settings your specific IdP requires, please get in touch with your provider's support team.

Configuring SAML in the IdP

Every IdP uses slightly different terminology for the required settings, so the options in your IdP's configuration might have slightly different names. Some settings might also not be required or might not be available, depending on how your provider implements SAML. When adding a new SAML application in your IdP, you usually need to configure these settings:

  • SSO URL or ACS URL or Reply URL: Enter your Testmo web address plus /auth/saml/login/<method-id>. I.e.:

    https://<yourname>.testmo.net/auth/saml/login/<method-id>

    Important: You will need to update this address and add the login method ID of the Testmo integration after you configure it in Testmo (see below)! You might need to configure the integration without the ID first, and then come back and update it with the ID after adding the integration in Testmo below.

  • Entity ID: Your Testmo web address (i.e. https://<yourname>.testmo.net), without the ending slash (/)

  • Login URL or SP-initiated URL: Your Testmo web address

Note that Testmo does not use SAML logout URLs and does not use IdP-initiated workflows for security reasons.

You will also need to configure SAML claim attributes in your provider (sometimes also called parameters or just claims). These attributes are then sent to Testmo when a user logs in. Testmo needs a unique user ID (e.g. the unique login or email address for a user in your provider's directory), the user's email address and the full name. You need to configure the claim attributes / parameters like this:

  • ID parameter:

    • Name: id (important: all lower case)

    • Value: A unique user identifier, e.g. the login or email

  • Name parameter:

    • Name: name (important: all lower case)

    • Value: The full name of the user

  • Email parameter:

    • Name: email (important: all lower case)

    • Value: The email address of the user

If your provider does not support an attribute value with the full name, you can alternatively create two separate attributes with the first and last name. Please configure these attributes with the name firstname and lastname and then follow the approach mentioned in the Testmo settings below.

Copying your IdP SAML details

In Testmo you need to enter the SAML details your IdP provides for the integration / application. Specifically you will need to copy these details and enter them in Testmo (see below):

  • SAML entity ID (sometimes also called Issuer ID or URL)

  • SAML single sign-on (SSO) URL (sometimes also called SAML Endpoint or Provider Login URL)

  • The public X509 certificate generated by your provider (in Base64 text format, which most tools use)

Configuring SAML in Testmo

Next continue with the configuration in Testmo. In Testmo, go to Admin > Authentication. In the External section, click + Login method. Then enter these details in the Add login method dialog:

  • Name: The name of the login method. This is the name displayed on the login page to choose a login method for users.

  • Provider: Select Custom (SAML)

  • SAML entity ID: Copy the entity ID from your provider (see above)

  • SAML single sign-on URL: Copy the SSO URL from your provider (see above)

  • SAML public certificate (X509): Copy the certificate from your provider (see above)

  • SAML claims

    • ID claim: You can usually use the default value of id

    • Name claim: You can usually use the default value of name

    • Email claim: You can usually use the default value of email

If your provider does not provide a full name field, but requires separate first name and last name fields, then you can also configure these attributes in your provider. In this case you can reference both variables for the Name claim field by entering this in Testmo (if you called the attributes firstname and lastname in your provider settings):

{firstname} {lastname}

Important: You now need to update the integration in your provider and update the SSO address to include the newly added integration ID from Testmo. First look up the ID of the login method in Testmo. Next to the name of the added login method (under Admin > Authentication) hover your mouse cursor over the info icon. Note the ID shown in the tooltip.

Now update the SSO URL in your provider (sometimes called ACS URL or Reply URL) using this format (adding the above ID):

https://<yourname>.testmo.net/auth/saml/login/<ID>
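The following pre-flight check is an added example, not part of Testmo or its documentation. It checks the Entity ID and ACS URL entered in the IdP against the formats above, and checks a decoded SAML assertion for the claim names configured in Testmo. The function names, the sample assertion, and the treatment of claim names as case-sensitive (based on the "all lower case" notes above) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not real data): note the IdP sends "Email", not "email".
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="id"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_sp_urls(entity_id, acs_url):
    """Check the Entity ID and ACS URL entered in the IdP against the formats on this page."""
    problems = []
    if entity_id.endswith("/"):
        problems.append("Entity ID must not end with a slash")
    # The ID must be a real path segment: an empty value or a leftover
    # "<method-id>" placeholder means the URL was never updated.
    pattern = re.escape(entity_id.rstrip("/")) + r"/auth/saml/login/[^/<>]+"
    if not re.fullmatch(pattern, acs_url):
        problems.append("ACS URL must be <Testmo address>/auth/saml/login/<ID> with the real ID")
    return problems

def check_claims(assertion_xml, id_claim="id", name_claim="name", email_claim="email"):
    """Return the claim names configured in Testmo that the assertion does not carry."""
    # Only parse assertions you captured yourself; this does not verify the signature.
    root = ET.fromstring(assertion_xml)
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", SAML_NS)}
    # A name claim such as "{firstname} {lastname}" references several attributes.
    in_template = re.findall(r"\{(\w+)\}", name_claim)
    wanted = [id_claim, email_claim] + (in_template or [name_claim])
    return [w for w in wanted if w not in sent]

if __name__ == "__main__":
    print(check_sp_urls("https://example.testmo.net/", "https://example.testmo.net/auth/saml/login/<method-id>"))
    print(check_claims(SAMPLE_ASSERTION, name_claim="{firstname} {lastname}"))
```

The assertion passed to `check_claims` must be the decoded XML, for example as shown by a browser SAML tracing extension during a test login.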

Restricting logins to certain user groups

Testmo supports restricting specific login methods to certain user groups. For example, you can configure one login method to support only a specific user group, while another login method can be used by all users etc. Learn more about authentication login rules.

Auto-provisioning new users

You can optionally also auto-provision new users. So if a user logs in for the first time and you enable auto-provisioning, Testmo automatically creates a Testmo account for the user. Learn more about auto-provisioning.

Logging in to Testmo with SAML

When multiple login methods are configured in Testmo, users can choose a login method from Testmo's login page. The internal Testmo login is also always available. Depending on the authentication login rules you configure, some login methods might only be allowed for certain user groups.

The internal Testmo login method is always enabled at least for Testmo admin users. This way admin users can always log in to Testmo, even if an external authentication system is having issues.

Example login page with multiple login methods configured

Disabling the integration

You can disable the SAML integration for a specific provider at any time. To do so, we recommend disabling or removing the integration both in Testmo and in the provider's settings:

  • In Testmo, go to Admin > Authentication and either disable or remove the login method. Make sure that another login method is configured for the users who previously logged in with this provider and notify the users about the change.

  • In the settings of your provider, delete the configured Testmo application.
