Single sign-on (SSO) is an authentication feature that lets users access multiple systems or applications with a single ID or set of credentials. Once a user is logged in, there's no need to repeatedly provide credentials for every connected system.
Zebrunner supports the Security Assertion Markup Language 2.0 (SAML 2.0) specification with the Service Provider-initiated flow. This allows you to enable access to Zebrunner for all or some of your organization's employees. This guide explains how to connect Zebrunner to your organizational Identity Provider (IdP).
Assistance from your organization's IT administrators may be needed in order to set up the SAML SSO, since there are a lot of different IdPs available, and it is simply not possible to cover all of them in this guide.
This guide only covers the configuration steps that need to be completed on the Zebrunner end.
To configure SSO, click on the settings icon in the header and click on Single Sign-On in the Access management section of the settings. Next, click on the Add SAML Identity Provider button.
Configuring an IdP requires providing some information about the IdP server (more on this below). After filling in all the required fields, click the Save button at the bottom of the page.
First, you need to provide a Provider Name and, optionally, a Provider Logo. This name and logo will be displayed to users on the login form. You can also control whether the IdP is displayed on the login form using the Visible toggle, which is placed next to the Provider Name input.
Identity Provider information
Now you need to provide information about the IdP server. There are 3 options for this:
1. Provide the SSO URL, the Entity ID of the IdP and the verification Certificate.
2. Provide an XML file with IdP metadata. A valid metadata file contains the information mentioned in #1. Zebrunner will parse the content of this file and extract the required information. After you follow this option and save the IdP config, the fields of #1 will be filled in with data extracted from the metadata file.
3. Provide a link to an XML file with IdP metadata. This link must be reachable from the Internet. With this option, Zebrunner will fetch the XML file, parse its content and extract the required information. After you follow this option and save the IdP config, the fields of #1 and #2 will be filled in with the fetched data.
Where do I get this information?
The actual values for the configuration options described above can be obtained from the Identity Provider you use, with the help of your organization's IT department. This information is typically provided when a new app connection is added to the IdP.
Advanced access management
Zebrunner allows you to have better control over authorization rules for Zebrunner users within your organization. It is possible to control each employee's access to Zebrunner and configure which Zebrunner user group he or she belongs to.
To enable the IdP-side access management, you need to turn on the Org users access management toggle. If enabled, Zebrunner will expect two extra attributes in SAML assertions:
- Zebrunner.Access: true | false. Defines whether the user will be able to log in to Zebrunner via SSO using the organizational profile.
- Zebrunner.Groups: a comma-separated list of Zebrunner groups that the user should be part of. If not provided, the default group ("Users") will be assigned.
Service Provider information
Every saved IdP has a section with Service Provider (SP) app attributes at the bottom of the page: Service Provider data.
This information is needed on your organization's IdP end in order to complete the new app connection. These attributes are the SP ACS URL, the SP Entity ID and the Certificate (for signature verification).
Logging in to Zebrunner
Once SSO is configured (and made visible), users should be able to see the corresponding login option(s).
The screenshot above shows how the login form looks with a configured Okta IdP.
Clicking on any of the available IdPs will initiate the authentication process. If everything is configured correctly and the user is successfully authenticated, access to Zebrunner will be granted.
To alter a configured SSO option, click on the settings icon in the header, click on Single Sign-On in the Access management section of the settings, and select the desired IdP from the list on the left side of the page.
All the fields can be edited, except for the Provider name.
To save changes, click the Save button at the bottom of the page.