
OpenID Connect

Testiny can be configured to use any provider supporting the OpenID Connect protocol as your identity provider for single sign-on (SSO). You can allow both SSO and email login, or restrict logins by requiring SSO. This guide explains how to configure any provider supporting the OpenID Connect protocol.

Paid feature

This feature is only available in the enterprise plan. Please contact us at [email protected] for more information.

Configuring SSO

To configure SSO, you first need to create an integration in your SSO provider and then configure SSO in Testiny.

Configuration with OpenID Connect

In your SSO provider, you need to create an integration or configure the OpenID Connect settings with the following specifications/guidelines:

  • If offered by your SSO provider, choose the configuration for "web applications".
  • The redirect URLs for Testiny are the following:
    https://app.testiny.io/api/v1/oauth/redirect
    https://app.testiny.io/api/v1/auth/logout
  • Configure to use authorization code flow with PKCE.
  • Required OAuth2 scopes:
    • openid
    • email
    • profile
    • offline_access (optional for refresh tokens)
  • Refresh tokens (optional)
  • Signed ID tokens with RS256/ES256
  • Should allow login_hint=none

If you would like to use Testiny's logo for the configuration, you can download the Testiny logo here.

Configuration in Testiny

To configure SSO, you need to have admin rights in Testiny. In Testiny, go to the settings and select Organization (1), as shown in the screenshot below. Click on 'Configure single sign-on' (2). A side panel (3) opens where you need to define the following options:

  1. Provider — Choose 'OpenID Connect' from the list to configure SSO with any provider supporting OpenID Connect.
  2. OpenID Configuration — Specify the URL to the OpenID Connect metadata. The metadata is usually published to a URL that looks like the following example:
    https://((customdomain))/((prefix:s))/.well-known/openid-configuration
    Usually, you can copy & paste this URL from your SSO provider or follow their documentation on how to create this URL.
  3. SSO Domains — Enter the domains that will be able to use single sign-on
    3.1 If you have already invited users from these domains to your Testiny organization, an option will show up to change the login type of these users. By default, the users' login type will be set to "SSO allowed".
  4. Client ID — Enter the client ID of the client created in your SSO provider
  5. Client Secret — Enter the client secret of the client created in your SSO provider
  6. Click on "Save". Once SSO is successfully configured, you can invite SSO users to your organization or update existing users to use SSO login in the user management settings.

Testiny SSO Configuration Steps
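
Before saving the OpenID Configuration URL, you can check the provider's discovery document against the provider checklist above (authorization code flow, PKCE, scopes, RS256/ES256 ID tokens). The following is an added example, not Testiny's code: the function name `check_discovery` and the `idp.example` documents are constructed for illustration, and it assumes the provider advertises its capabilities in the standard discovery fields.

```python
# Requirements taken from the provider checklist on this page.
REQUIRED_SCOPES = {"openid", "email", "profile"}
ACCEPTED_ALGS = {"RS256", "ES256"}
WELL_KNOWN = "/.well-known/openid-configuration"

def check_discovery(metadata_url, doc):
    """Return the checklist items the discovery document does not advertise."""
    if not (metadata_url.startswith("https://") and metadata_url.endswith(WELL_KNOWN)):
        return ["metadata URL must use https and end in " + WELL_KNOWN]
    problems = []
    # OIDC Discovery: the issuer (minus any trailing slash) plus the
    # well-known suffix must give back the metadata URL.
    expected = metadata_url[: -len(WELL_KNOWN)]
    if str(doc.get("issuer", "")).rstrip("/") != expected:
        problems.append(f"issuer mismatch, expected {expected}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    # RFC 8414 field; a provider may support PKCE without listing it.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if not ACCEPTED_ALGS & set(doc.get("id_token_signing_alg_values_supported", [])):
        problems.append("no RS256/ES256 ID token signing")
    return problems

# Constructed sample documents (idp.example is a placeholder, not a real provider).
URL = "https://idp.example/tenant1" + WELL_KNOWN
GOOD = {
    "issuer": "https://idp.example/tenant1",
    "authorization_endpoint": "https://idp.example/tenant1/authorize",
    "token_endpoint": "https://idp.example/tenant1/token",
    "jwks_uri": "https://idp.example/tenant1/keys",
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Weak variant: wrong issuer, HS256-only signing, no PKCE, no profile scope.
WEAK = dict(GOOD, issuer="https://other.example",
            id_token_signing_alg_values_supported=["HS256"],
            code_challenge_methods_supported=[], scopes_supported=["openid", "email"])

if __name__ == "__main__":
    print(check_discovery(URL, GOOD), check_discovery(URL, WEAK), sep="\n")
```

An empty list means the document advertises everything on the checklist; a "not advertised" finding is a prompt to check the provider's settings, since some providers support a feature without listing it.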

To invite users to your organization, navigate to Settings > User management and click the "Invite" button in the top left corner. A side panel will appear, where you can choose whether the SSO login is allowed, required or disabled:

  • allowed — the user can log in via SSO, but can also create a password in Testiny and use the email login
  • required — the user must log in via SSO
  • disabled — the user cannot log in via SSO, only with email login

Then, enter the email address of the user to be added and optionally the first and last name. In the "Role" drop-down, you can adjust the user’s permissions. Learn more about the user management in Testiny.

Logging into Testiny

When SSO is configured in your Testiny organization and the user is invited as an SSO user, they can simply log in to Testiny on the login page. When SSO is required, the user can only log in with SSO. If SSO is allowed but not required, the user might also log in via email and password.

note

Please note that the owner of the organization in Testiny cannot be set to require SSO login. This ensures that the owner can always log in with email & password.

Disabling SSO

To disable SSO, go to Settings > Organization and click the delete icon next to the configured provider. A dialog shows which users are affected and will no longer be able to log in via SSO. After you confirm, SSO is disabled and you can continue using email/password login or set up a new SSO provider.

Changing your SSO provider

If you want to modify your SSO configuration or change to another SSO provider, simply click the "Configure single sign-on" button to open the configuration side panel. You can change the SSO provider and set up a new SSO configuration, or add new SSO domains to your current configuration. If you remove an SSO domain, single sign-on may be deactivated for users in this SSO domain.