TestRail lets you integrate with your preferred SSO identity provider (IDP) using SAML 2.0, OAuth 2.0, and OpenID Connect protocols. Once you enable the SSO configuration, you can choose your preferred protocol.
This guide specifically helps you with the Okta protocol configuration. Follow these instructions first for the Okta web application registration:
- Sign in to your Okta organization with your administrator account.
- In the Admin Console, go to Applications > Applications. (It can be found on the left panel.)
- Click Create App Integration.
- Create a new app integration:
- Sign-on method: Select OIDC – OpenID Connect.
- Application type: Select Web Application.
- Click Next. Your application is registered and you are redirected to configure the application details.
- New Web App Integration:
- App integration name: Enter a name for your new app integration.
- Grant type: Authorization Code should be selected (this provides maximum security).
- Sign-in redirect URLs (should not be left empty): Add the URL to redirect to after authorization. This must be the same as the URL shown on the SSO settings page for OAuth and OpenID. You can find the redirect URL on the SSO configuration page under the label “Single Sign On URL”. Example: http://${domain}/testrail/index.php?/auth/redirect_oidc_acs
- Sign-out redirect URL (Optional): https://{domain}/index.php
- Add any other additional information and click Save.
- To get the client credentials for your app integration:
- On the General tab, copy the Client ID from the Client Credentials section.
- Copy the Client secret from the Client Credentials section.
- Copy the Okta domain from the General Settings section.
- Enable Consent Screen in Okta:
- Go to Security -> API from the left panel.
- Click on Default.
- Go to the Scopes tab.
- Edit OpenID: User consent – Mark as checked and save.
- Edit Profile and email: User consent – Mark as checked and save.
Configuring SSO in Okta – OpenID Connect
- Log in to TestRail as an administrator.
- Go to Administration -> Site Settings -> SSO.
- Select Your Authentication Protocol: OpenID Connect.
- Single Sign On URL: Prefilled with values that will be used to set the redirect URL during the new registration of the application.
- Log in to your Okta account and access your application to get the information on the next steps.
- Back on TestRail, for Client ID: Copy the Application (client) ID from the Client Credentials section of the Okta General tab and paste it into this space.
- Client Secret: Copy the client secret Value from the Client Credentials section of the Okta General tab and paste it into this space.
- IDP Issuer URL: Copy the Okta domain from the Okta General Settings section and fill in this URL https://${yourOktaDomain}/oauth2/default/
- Create Account on First Login: Enable this setting to have TestRail automatically create new user accounts for users who are successfully authenticated.
- Whitelist Domains: Restricting new account creation to certain email domains can be used to prevent requests from unauthorized organizations. Simply enter one domain per line. (If Whitelist Domain is empty, all are allowed by default).
- Click Save Settings.
- Check the additional configuration settings below.
Configuring SSO in Okta – OAuth 2.0
- Log in to TestRail as an administrator.
- Go to Administration -> Site Settings -> SSO.
- Select Your Authentication Protocol: OAuth 2.0.
- Single Sign On URL: Prefilled with values that will be used to set the redirect URL during the new registration of the application.
- Log in to your Okta account and access your application to get the information on the next steps.
- Back on TestRail, for Client ID: Copy the Application (client) ID from the Client Credentials section in the Okta General tab and paste it into this space.
- Client Secret: Copy the client secret Value from the Client Credentials section in the Okta General tab and paste it into this space.
- User Authorization URL: Copy the Okta domain from the General Settings section in the Okta General tab and fill in this URL https://${yourOktaDomain}/oauth2/default/v1/authorize
- Access Token URL: Copy the Okta domain from the General Settings section in the Okta General tab and fill in this URL https://${yourOktaDomain}/oauth2/default/v1/token
- User Info URL: Copy the Okta domain from the General Settings section, in the Okta General tab and fill in this URL https://${yourOktaDomain}/oauth2/default/v1/userinfo
- Create Account on First Login: Enable this setting to have TestRail automatically create new user accounts for users who are successfully authenticated.
- Whitelist Domains: Restricting new account creation to certain email domains can be used to prevent requests from unauthorized organizations. Simply enter one domain per line. (If Whitelist Domain is empty, all are allowed by default).
- Click Save Settings.
- Check the additional configuration settings below.
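A consistency check for the values entered in the OpenID Connect and OAuth 2.0 steps above (endpoint URLs, the redirect URL, and the account-creation settings), as an added example that is not TestRail or Okta code. The metadata and form values are constructed samples, the dictionary keys and `audit` are hypothetical names, and it assumes the metadata was fetched beforehand from the authorization server's `/.well-known/openid-configuration` document.

```python
from urllib.parse import urlsplit

# Constructed metadata, shaped like {issuer}/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://example.okta.com/oauth2/default/v1/userinfo",
}
# Constructed form values; the dictionary keys are hypothetical names.
SETTINGS = {
    "user_authorization_url": "https://example.okta.com/oauth2/default/v1/authorize",
    "access_token_url": "https://example.okta.com/oauth2/v1/token",  # lacks /default
    "user_info_url": "https://example.okta.com/oauth2/default/v1/userinfo",
    "single_sign_on_url": "https://testrail.example.com/index.php?/auth/redirect_oidc_acs",
    "okta_sign_in_redirect": "http://testrail.example.com/index.php?/auth/redirect_oidc_acs",
    "create_account_on_first_login": True,
    "whitelist_domains": "",
}
ENDPOINTS = {  # TestRail field -> discovery metadata key
    "user_authorization_url": "authorization_endpoint",
    "access_token_url": "token_endpoint",
    "user_info_url": "userinfo_endpoint",
}

def audit(settings, discovery):
    """Return a list of (code, field) findings; an empty list means consistent."""
    findings = []
    for field, key in ENDPOINTS.items():
        if settings[field].rstrip("/") != discovery[key].rstrip("/"):
            findings.append(("endpoint-mismatch", field))
    urls = list(ENDPOINTS) + ["single_sign_on_url", "okta_sign_in_redirect"]
    for field in urls:
        if urlsplit(settings[field]).scheme != "https":
            findings.append(("not-https", field))
    # The redirect registered in Okta must be the exact string TestRail shows.
    if settings["okta_sign_in_redirect"] != settings["single_sign_on_url"]:
        findings.append(("redirect-mismatch", "okta_sign_in_redirect"))
    # One domain per line; an empty list means every email domain is accepted.
    domains = [d.strip() for d in settings["whitelist_domains"].splitlines() if d.strip()]
    if settings["create_account_on_first_login"] and not domains:
        findings.append(("open-provisioning", "whitelist_domains"))
    return findings

if __name__ == "__main__":
    for code, field in audit(SETTINGS, DISCOVERY):
        print(f"{code}: {field}")
```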
Additional Steps Configuring SSO in Okta – for OpenID Connect and OAuth 2.0 protocols ONLY
As published by Okta in their article, the following additional steps must also be configured for instances using OpenID and OAuth protocols:
- Open admin OKTA portal
- Open Security → API page and on Authorization Servers tab click Edit button near your authorization server
- In the opened page go to Access Policies tab and click Add Policy button
- Populate Name, Description fields and click Create Policy
- In the newly created policy click Add Rule button
- In the dialog that appears, populate the Rule Name field. Other settings can be left as is or changed as needed. Then click Create Rule.
Configuring SSO in Okta – SAML 2.0
- In Okta, log in as an administrator and navigate to the Admin > Applications area.
- Click the Add Application button.
- Click the Create New App button, select SAML 2.0, and then confirm by clicking the Create button.
- Give the app a name (e.g. TestRail) and upload a logo if you desire.
- Click the Next button.
- Log in to TestRail and navigate to the SSO page in the Administration > Settings console.
- Copy the Entity ID from the TestRail SSO configuration page and paste it into the Okta Audience URL (SP Entity ID) field.
- Copy the Single Sign On URL from the TestRail SSO configuration page and paste it into the Okta Single sign-on URL field.
- Leave the Use this for Recipient URL and Destination URL checkbox checked in Okta.
- The Name ID format and Application Username fields can be ignored.
- Set the Attribute Statements in Okta to the following:
| Attribute Name | Attribute Value |
| --- | --- |
| FirstName | user.firstName |
| LastName | user.lastName |
| Email | user.email |

The values above are case-sensitive.
- Click the Next button in Okta and fill out the questionnaire or other remaining fields as required.
- Once done, or on the Sign On tab in Okta, click the View Setup Instructions button to display the required URLs and certificate for TestRail.
- Copy the Identity Provider Single Sign-On URL and Identity Provider Issuer URL from Okta and paste them into the TestRail IDP SSO URL and IDP Issuer URL fields respectively.
- Copy and paste (or download and then upload) the X.509 Certificate from Okta into TestRail.
- Click Save. Test your connection to verify the settings.
- So long as the administrator you are using to configure the settings in TestRail is assigned to the app you created in Okta, the connection test should succeed and you are now ready to use TestRail in Single Sign-On (SSO) mode.