Okta

Testmo can be integrated with Okta via SAML so users can log in to Testmo with their Okta account. Testmo supports configuring multiple login methods, so you can integrate different identity providers (as well as internal Testmo logins) at the same time. This guide explains how to configure the integration in Testmo and Okta.

Testmo Enterprise feature

Single sign-on integration is a Testmo Enterprise-only feature. To use the Okta SAML integration, please ensure that you are using Testmo Enterprise. If you are unsure about your subscription (or want to try the integration with a trial), please contact us.

Configuring the Okta SAML integration

To configure the integration between both tools, you need to configure it both in Testmo and in Okta. The Testmo and Okta integration uses SAML as the authentication protocol.

We start by configuring the integration in Okta. Access Okta and select Applications > Applications from the left sidebar. From there, select Create App Integration:

  • Select SAML 2.0

  • Click Next

Next configure the SAML integration in Okta:

  • For General Settings:

    • App name: Name of the integration in Okta, e.g. Testmo

    • App visibility: Check Do not display application icon to users (see explanation below)

    • App visibility: Check Do not display application icon in the Okta Mobile app (see explanation below)

    • Click Next

  • For Configure SAML:

    • Single sign on URL: Enter your Testmo web address plus /auth/saml/login/. I.e.:

      https://<yourname>.testmo.net/auth/saml/login/

      Important: You will need to update this address here and add the ID of the Testmo integration after you configure it in Testmo in a moment!

    • Audience URI (SP Entity ID): Your Testmo web address (i.e. https://<yourname>.testmo.net), without the ending slash (/)

  • On the same page, Attribute Statements: We need to add three attributes that will be sent to Testmo when a user logs in. Add the following attributes here:

    • ID parameter:

      • Name: id (important: all lower case)

      • Name format: Unspecified

      • Value: Enter user.login

    • Name parameter:

      • Name: name (important: all lower case)

      • Name format: Unspecified

      • Value: Enter user.firstName + " " + user.lastName

    • Email parameter:

      • Name: email (important: all lower case)

      • Name format: Unspecified

      • Value: Enter user.email

  • On the last wizard page, Feedback:

    • Select I'm an Okta customer adding an internal app

    • Click Finish to save the new app integration

We will now look up the details for the integration in Okta that we will need to enter in Testmo. From the Sign On page, click View Setup Instructions. You will need to copy the following settings to configure the integration in Testmo next (see below):

  • Identity Provider Single Sign-On URL: This will be the SAML single sign-on URL in Testmo

  • Identity Provider Issuer: This will be the SAML entity ID in Testmo

  • X.509 Certificate: This will be the SAML public certificate (X509) in Testmo

Now you need to assign which Okta users can use the integration. It is disabled for all your users by default. From the applications overview page in Okta, from the Assignments tab, select the groups (e.g. Everyone) and/or users that should be able to log in to Testmo with Okta.

We continue with the configuration in Testmo. In Testmo, go to Admin > Authentication. In the External section, click + Login method. Then enter these details in the Add login method dialog:

  • Name: The name of the login method. This is the name displayed on the login page to choose a login method for users. You could call it Okta, for example.

  • Provider: Select Okta (SAML)

  • SAML entity ID: Copy the above Identity Provider Issuer from Okta here

  • SAML single sign-on URL: Copy the above Identity Provider Single Sign-On URL from Okta here

  • SAML public certificate (X509): Copy the above Certificate from Okta here

  • SAML claims

    • ID claim: Leave default value of id

    • Name claim: Leave default value of name

    • Email claim: Leave default value of email

  • Save the new integration

Important: You now need to update the integration in Okta and update the address to include the newly added integration ID from Testmo. First look up the ID of the login method in Testmo. Next to the name of the added Okta login method (under Admin > Authentication) hover your mouse cursor over the info icon. Note the ID shown in the tooltip.

Now in Okta, on the General tab in the SAML Settings section, click Edit. In the configuration wizard, on the second wizard page (Configure SAML), update the Single sign on URL using this format (adding the above ID):

https://<yourname>.testmo.net/auth/saml/login/<ID>
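
To check the finished configuration, the following added example (not Testmo's or Okta's code) lints a decoded SAML response captured during a test login against the values this guide sets: the Single sign on URL with the login method ID, the Audience URI without the ending slash, and the three lower-case attributes. The function name, the sample response and the yourname.testmo.net address are constructed placeholders, and it assumes Okta sends the Single sign on URL as the response's Destination.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample of a decoded SAML response (signature and timestamps omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://yourname.testmo.net/auth/saml/login/1">
 <saml:Assertion>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://yourname.testmo.net</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="id"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def lint_saml_response(xml_text, testmo_url):
    """Config lint against this guide's values; does NOT verify the signature."""
    base, problems = testmo_url.rstrip("/"), []
    root = ET.fromstring(xml_text)
    # Single sign on URL must end with the Testmo login method ID.
    dest = root.get("Destination", "")
    if not re.fullmatch(re.escape(base) + r"/auth/saml/login/[^/?#]+", dest):
        problems.append(f"Destination lacks login method ID: {dest}")
    # Audience URI is the Testmo address without the ending slash.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if base not in audiences:
        problems.append(f"Audience mismatch: {audiences}")
    # id, name and email must arrive all lower case and non-empty.
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = (attr.findtext("saml:AttributeValue", "", NS) or "").strip()
    for name in ("id", "name", "email"):
        if name not in attrs:
            near = [n for n in attrs if n.lower() == name]
            problems.append(f"missing attribute {name}" + (f" (found {near[0]})" if near else ""))
        elif not attrs[name]:
            problems.append(f"empty attribute {name}")
    return problems
```

An empty list means the response matches the values from this guide; each entry otherwise names the setting to revisit in Okta.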

Restricting Okta to certain user groups

Testmo supports restricting specific login methods to certain user groups. For example, you can configure one login method to support only a specific user group, while another login method can be used by all users etc. Learn more about authentication login rules.

Auto-provisioning new users

You can optionally also auto-provision new users. So if a user logs in for the first time and you enable auto-provisioning, Testmo automatically creates a Testmo account for the user. Learn more about auto-provisioning.

Adding application bookmark to Okta (optional)

Remember when we selected to not display the Testmo application integration to users in Okta? The reason for this is that Testmo doesn't enable IdP-initiated SAML flows for security reasons. So instead of including a link to the SAML flow in Okta, Okta recommends adding a simple bookmark to Testmo's login page. You can learn more about adding such a bookmark here:

Simulate an IdP-initiated flow using the Bookmark App

For the bookmark you would simply enter your Testmo web address so users can access the login page.

Logging in to Testmo with Okta

When multiple login methods are configured in Testmo, users can choose a login method from Testmo's login page. The internal Testmo login is also always available. Depending on the authentication login rules you configure, some login methods might only be allowed for certain user groups.

The internal Testmo login method is always enabled at least for Testmo admin users. This way admin users can always log in to Testmo, even if an external authentication system is having issues.

Disabling the integration

You can disable the Okta integration at any time. To do so, we recommend disabling or removing the integration both in Testmo and in Okta:

  • In Testmo, go to Admin > Authentication and either disable or remove the login method. Make sure that another login method is configured for the users who previously logged in with Okta and notify the users about the change.

  • In Okta, delete the configured Testmo application.
