TestOps logo
Try TestOps

Authentication via SAML 2.0

Allure TestOps supports only SAML version 2.0.

This type of authentication is supported only in server version of Allure TestOps.

SAML is an open standard for exchanging authentication data between an authentication server (called an identity provider, or IdP) and the main application (called a service provider, or SP). If you configure SAML authentication for Allure TestOps, users can sign in to Allure TestOps using accounts they already have in the IdP.

How it works

SAML is based on communication between a service (in this case, Allure TestOps) and IdP (such as Okta or Keycloak) by way of HTTP redirects:

  1. A user attempts to access an Allure TestOps page.
  2. If the user is not authenticated, Allure TestOps prompts to sign in using SAML. To do this, the user clicks the button with the name of the IdP.
  3. When the user clicks the button, Allure TestOps creates a SAML request and redirects the user’s browser with that information to the IdP page.
  4. The user enters their credentials on the IdP page.
  5. The IdP creates a SAML assertion that contains all the information Allure TestOps needs to authenticate the user, and redirects the browser with that information back to Allure TestOps.
  6. Allure TestOps authenticates the user using the information from the SAML assertion.

SAML can also be used without SAML requests. For example, a user can first sign in on the IdP page and then click a button that will redirect the browser to Allure TestOps.

Configuration

Edit the parameters in the values.yaml file:

  • general parameters:

    • network.tls.enabled — must be true;
    • auth.primary — must be saml2.

  • IdP connection:

    • auth.saml.enabled — must be true;
    • auth.saml.id — name of the IdP. This name will be used in URLs and displayed on the sign-in button. Do not use whitespace and special characters;
    • auth.saml.entityIdhttps://<domain>/api/login/saml2/authenticate/{registrationId}, where <domain> is the domain name of your Allure TestOps instance;
    • auth.saml.acsUrlhttps://<domain>/api/login/saml2/sso/{registrationId}, where <domain> is the domain name of your Allure TestOps instance;
    • auth.saml.identityProviderMetadataUri — URL to the metadata.xml file on the IdP server.

  • SAML attribute names:

    • auth.saml.firstNameAttribute — name of the attribute containing the first name of a user;
    • auth.saml.lastNameAttribute — name of the attribute containing the last name of a user;
    • auth.saml.emailAttribute — name of the attribute containing the email address of a user;
    • auth.saml.groups.groupRoleAttribute — name of the attribute containing the names of the groups a user is a member of.

  • group mapping:

    • auth.saml.syncRoles — if true, Allure TestOps will assign user roles according to group information from IdP;

    • auth.saml.groups.roleUserGroups — comma-separated list of IdP groups that correspond to the “User” role in Allure TestOps;

    • auth.saml.groups.roleAdminGroups — comma-separated list of IdP groups that correspond to the “Admin” role in Allure TestOps;

    • auth.defaultRole — default role for a new user.

      Allowed values: ROLE_ADMIN, ROLE_USER, ROLE_GUEST.

      If auth.saml.syncRoles is true, the value must be ROLE_GUEST.

Edit the parameters in the .env file:

  • general parameters:

    • TESTOPS_PROTO — must be https;
    • TESTOPS_SECURE_COOKIE — must be true;
    • ALLURE_LOGIN_PRIMARY — must be saml.

  • IdP connection:

    • LOGIN_SAML2_ENABLED — must be true;
    • LOGIN_SAML2_ID — name of the IdP. This name will be used in URLs and displayed on the sign-in button. Do not use whitespace and special characters;
    • LOGIN_SAML2_ENTITY_IDhttps://<domain>/api/login/saml2/authenticate/{registrationId}, where <domain> is the domain name of your Allure TestOps instance;
    • LOGIN_SAML2_ACS_URLhttps://<domain>/api/login/saml2/sso/{registrationId}, where <domain> is the domain name of your Allure TestOps instance;
    • LOGIN_SAML2_METADATA_URL — URL to the metadata.xml file on the IdP server.

  • SAML attribute names:

    • LOGIN_SAML2_FIRSTNAMEATTRIBUTE — name of the attribute containing the first name of a user;
    • LOGIN_SAML2_LASTNAMEATTRIBUTE — name of the attribute containing the last name of a user;
    • LOGIN_SAML2_EMAILATTRIBUTE — name of the attribute containing the email address of a user;
    • LOGIN_SAML2_GROUPROLEATTRIBUTE — name of the attribute containing the names of the groups a user is a member of.

  • group mapping:

    • LOGIN_SAML2_SYNCROLES — if true, Allure TestOps will assign user roles according to group information from IdP;

    • LOGIN_SAML2_GROUPAUTHORITIES_ROLEUSERGROUPS — comma-separated list of IdP groups that correspond to the “User” role in Allure TestOps;

    • LOGIN_SAML2_GROUPAUTHORITIES_ROLEADMINGROUPS — comma-separated list of IdP groups that correspond to the “Admin” role in Allure TestOps;

    • REGISTRATION_DEFAULT_ROLE — default role for a new user.

      Allowed values: ROLE_ADMIN, ROLE_USER, ROLE_GUEST.

      If LOGIN_SAML2_SYNCROLES is true, the value must be ROLE_GUEST.

Edit the parameters in the /opt/testops/conf/testops.conf file:

  • general parameters:

    • ALLURE_SECURE — must be true;
    • ALLURE_LOGIN_PRIMARY — must be saml2.

  • IdP connection:

    • ALLURE_LOGIN_SAML2_ENABLED — must be true;
    • ALLURE_LOGIN_SAML2_ID — name of the IdP. This name will be used in URLs and displayed on the sign-in button. Do not use whitespace and special characters;
    • ALLURE_LOGIN_SAML2_ENTITY_IDhttps://<domain>/api/login/saml2/authenticate/{registrationId}, where <domain> is the domain name of your Allure TestOps instance;
    • ALLURE_LOGIN_SAML2_ACS_URLhttps://<domain>/api/login/saml2/sso/{registrationId}, where <domain> is the domain name of your Allure TestOps instance;
    • ALLURE_LOGIN_SAML2_METADATA_URL — URL to the metadata.xml file on the IdP server.

  • SAML attribute names:

    • ALLURE_LOGIN_SAML2_FIRSTNAMEATTRIBUTE — name of the attribute containing the first name of a user;
    • ALLURE_LOGIN_SAML2_LASTNAMEATTRIBUTE — name of the attribute containing the last name of a user;
    • ALLURE_LOGIN_SAML2_EMAILATTRIBUTE — name of the attribute containing the email address of a user;
    • ALLURE_LOGIN_SAML2_GROUPROLEATTRIBUTE — name of the attribute containing the names of the groups a user is a member of.

  • group mapping:

    • ALLURE_LOGIN_SAML2_SYNCROLES — if true, Allure TestOps will assign user roles according to group information from IdP;

    • ALLURE_LOGIN_SAML2_GROUPAUTHORITIES_ROLEUSERGROUPS — comma-separated list of IdP groups that correspond to the “User” role in Allure TestOps;

    • ALLURE_LOGIN_SAML2_GROUPAUTHORITIES_ROLEADMINGROUPS — comma-separated list of IdP groups that correspond to the “Admin” role in Allure TestOps;

    • ALLURE_LOGIN_SAML2_DEFAULTROLE — default role for a new user.

      Allowed values: ROLE_ADMIN, ROLE_USER, ROLE_GUEST.

      If ALLURE_LOGIN_SAML2_SYNCROLES is true, the value must be ROLE_GUEST.

Examples

network:
  ...
  tls:
    enabled: true

auth:
  primary: saml2
  defaultRole: ROLE_GUEST
  saml:
    enabled: true
    id: "testsaml"
    entityId: https://<your Allure TestOps domain>/api/login/saml2/authenticate/{registrationId}
    acsUrl: https://<your Allure TestOps domain>/api/login/saml2/sso/{registrationId}
    identityProviderMetadataUri: https://path/to/metadata.xml
    syncRoles: false
    firstNameAttribute: firstNameAttribute
    lastNameAttribute: lastNameAttribute
    emailAttribute: emailAttribute
    groups:
      groupRoleAttribute: groupRoleAttribute
      roleUserGroups: testops_users
      roleAdminGroups: testops_admins

TESTOPS_PROTO=https
TESTOPS_SECURE_COOKIE=true
ALLURE_LOGIN_PRIMARY=saml
REGISTRATION_DEFAULT_ROLE=ROLE_GUEST
LOGIN_SAML2_ENABLED=true
LOGIN_SAML2_ID=Keycloak
LOGIN_SAML2_ACS_URL=https://<your Allure TestOps domain>/api/login/saml2/sso/{registrationId}
LOGIN_SAML2_ENTITY_ID=https://<your Allure TestOps domain>/api/login/saml2/authenticate/{registrationId}
LOGIN_SAML2_METADATA_URL=https://path/to/metadata.xml
LOGIN_SAML2_FIRSTNAMEATTRIBUTE=firstNameAttribute
LOGIN_SAML2_LASTNAMEATTRIBUTE=lastNameAttribute
LOGIN_SAML2_EMAILATTRIBUTE=emailAttribute
LOGIN_SAML2_SYNCROLES=false
LOGIN_SAML2_GROUPROLEATTRIBUTE=groupRoleAttribute
LOGIN_SAML2_GROUPAUTHORITIES_ROLEUSERGROUPS=testops_users
LOGIN_SAML2_GROUPAUTHORITIES_ROLEADMINGROUPS=testops_admins

ALLURE_SECURE=true
ALLURE_LOGIN_PRIMARY=saml2
ALLURE_LOGIN_SAML2_ENABLED=true
ALLURE_LOGIN_SAML2_ID=google
ALLURE_LOGIN_SAML2_ACS_URL=https://<your Allure TestOps domain>/api/login/saml2/sso/{registrationId}
ALLURE_LOGIN_SAML2_ENTITY_ID=https://<your Allure TestOps domain>/api/login/saml2/authenticate/{registrationId}
ALLURE_LOGIN_SAML2_METADATA_URL=https://path/to/metadata.xml
ALLURE_LOGIN_SAML2_DEFAULTROLE=ROLE_GUEST
ALLURE_LOGIN_SAML2_FIRSTNAMEATTRIBUTE=firstNameAttribute
ALLURE_LOGIN_SAML2_LASTNAMEATTRIBUTE=lastNameAttribute
ALLURE_LOGIN_SAML2_EMAILATTRIBUTE=emailAttribute
ALLURE_LOGIN_SAML2_SYNCROLES=false
ALLURE_LOGIN_SAML2_GROUPROLEATTRIBUTE=groupRoleAttribute
ALLURE_LOGIN_SAML2_GROUPAUTHORITIES_ROLEUSERGROUPS=testops_users
ALLURE_LOGIN_SAML2_GROUPAUTHORITIES_ROLEADMINGROUPS=testops_admins

Using SAML together with standard authentication

Typically, when a company configures a SAML authentication for Allure TestOps, the SAML IdP is considered the primary source of user account data, and SAML is set as the primary authentication method. However, there may be cases where you need to use local authentication, such as when signing in as the instance administrator. For these cases, Allure TestOps allows system authentication when SAML is set as the primary authentication method:

  • The /login page uses the authentication method defined as primary in the settings. In this case, it is SAML.
  • The /login/system page always uses system authentication.

To sign in as the instance administrator, go to https://<URL>/login/system and use the credentials of a local user.

© Qameta Software Inc. All rights reserved.