This document is a guide for setting up SAML 2.0 based single sign-on (SSO) for your hosted Meliora Testlab installation. Hosted means that you are using Meliora Testlab from the cloud, not from your own on-premises installation.
For Meliora Testlab on-premises, you should consult this documentation.
SAML 2.0 (Security Assertion Markup Language) is a version of the SAML standard for exchanging authentication and authorization data between security domains. Meliora Testlab implements the Web Browser SSO Profile of the SAML standard, which makes it possible to federate identity from your own user directory to Testlab in a single sign-on fashion. For example, if your organization hosts all its users in Active Directory and has Active Directory Federation Services (ADFS) in place, your users can be logged on to Testlab automatically without entering credentials on every login.
The authentication flow is shown in simplified form in the following diagram:
All unauthenticated users are redirected to the configured Identity Provider (IdP) for authentication. When the user authenticates successfully (for example with his or her user name and password), the user's browser is redirected back to Testlab and the user is allowed access.
The protocol itself is more complicated, with signed assertion messages passed between the IdP and the Service Provider (SP), but the important thing to note is that the user credentials never leave the customer's network. Trust between the systems is established by exchanging certificates: Testlab holds your IdP's token-signing certificate (the public key) and uses it to verify the signature on every assertion, so an assertion that was not signed by your IdP's private key is rejected.
To set up SAML 2.0 based SSO, you should
The basic steps for setting up the SSO are
As an example, we will show how to set up single sign-on and authentication via a Microsoft Active Directory federated identity (ADFS).
Step 1: Export the token signing key
The token signing key is exported to a file “mytokensigningkey.cer”.
Step 2: Export federation metadata XML file
The federation metadata should be saved to FederationMetadata.xml file.
Step 3: Contact Meliora support and request an SSO setup
Open a support ticket for your Testlab and request a SAML 2.0 SSO setup. In the ticket, please include
Via the ticket, we will provide you with the federation metadata file we have set up for your Testlab.
Step 4: Configure trust to your ADFS
To set up the trust to your ADFS do the following.
Step 5: Configure claims to your ADFS
To set up claims (= the information that is passed to Testlab) in ADFS, do the following:
This will add a rule that sends the account name of the user as the identifying user ID (the SAML NameID) to Testlab when authenticating. If this is not what you want, for example if you would rather send the e-mail address of the user as the user ID, choose “E-Mail-Addresses” as the LDAP Attribute instead of “SAM-Account-Name”. In this example we assume that the AD account names are the ones mapped as user IDs in your Testlab.
This will add an additional rule that will send the e-mail address and the full name of the user to Testlab.
After you’ve set up the claims, you should have the following claims set up:
Step 6: Finalize configuration and test the SSO
When you’ve set up the trust and claims in your ADFS, reply to the support ticket and request that we enable the SSO for you. At the agreed time we will enable the SSO for you, which means you can no longer access your Testlab with credentials from Testlab's internal user database.
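The following script is an added example and is not part of Meliora's documentation or of the ADFS product documentation; it is the scripted equivalent of Steps 1, 2, 4 and 5 above, to be run in an elevated PowerShell session on the ADFS server by an ADFS administrator. The working folder C:\sso, the file name TestlabMetadata.xml for the Service Provider metadata received from Meliora support in Step 3, and the relying party display name "Meliora Testlab" are assumptions made for the example. The LDAP attribute names (sAMAccountName, mail, displayName) are the directory attributes behind the "SAM-Account-Name", "E-Mail-Addresses" and "Display-Name" entries of the ADFS claim rule wizard. The script also adds one check the wizard does not do: it confirms that the certificate you export in Step 1 is the signing key advertised in the metadata you export in Step 2, since a mismatch means Testlab will reject every assertion once the SSO is switched on.

```powershell
# Added example, not code from Meliora Testlab or Microsoft. Assumed names:
# C:\sso (working folder), TestlabMetadata.xml (SP metadata from Meliora
# support, Step 3) and the relying party name "Meliora Testlab".
Import-Module ADFS
$ErrorActionPreference = 'Stop'
$workDir = 'C:\sso'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Step 1: export the primary token-signing certificate, public key only (DER).
# Testlab verifies assertion signatures with this; the private key stays in ADFS.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$certPath = Join-Path $workDir 'mytokensigningkey.cer'
Export-Certificate -Cert $tokenSigning.Certificate -FilePath $certPath -Type CERT | Out-Null
"Exported $($tokenSigning.Certificate.Subject), thumbprint $($tokenSigning.Certificate.Thumbprint)"

# Step 2: export the IdP federation metadata. ADFS publishes it at a fixed
# path under the federation service host name.
$adfsHost = (Get-AdfsProperties).HostName
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$idpMetadataPath = Join-Path $workDir 'FederationMetadata.xml'
Invoke-WebRequest -Uri $metadataUrl -OutFile $idpMetadataPath -UseBasicParsing

# Check: the signing certificate inside the metadata must be the one exported
# above, otherwise the SP will be configured with a key that never signs anything.
[xml]$idpMetadata = Get-Content -Raw $idpMetadataPath
$ns = New-Object System.Xml.XmlNamespaceManager($idpMetadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$advertised = $idpMetadata.SelectNodes($xpath, $ns) | ForEach-Object {
    $bytes = [Convert]::FromBase64String($_.InnerText.Trim())
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $bytes)).Thumbprint
}
if ($advertised -notcontains $tokenSigning.Certificate.Thumbprint) {
    throw "Exported certificate is not among the signing keys advertised in $idpMetadataPath"
}

# Steps 4 and 5: create the relying party trust from the SP metadata Meliora
# sent back, require RSA-SHA256 signatures, and add the claim rules.
$spMetadataPath = Join-Path $workDir 'TestlabMetadata.xml'
$rpName = 'Meliora Testlab'

# Rule 1: sAMAccountName -> Name ID, the user ID Testlab matches against its
# own accounts. To use the e-mail address as the user ID instead, replace
# sAMAccountName with mail in the query string.
# Rule 2: mail -> emailaddress and displayName -> name; Testlab only uses these
# to pre-fill the registration form on a user's first login.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Account name as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "E-mail address and full name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,displayName;{0}", param = c.Value);
'@

# Issuance authorization: permit every authenticated AD user. Restrict this to
# a group claim if only part of the directory should reach Testlab.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-AdfsRelyingPartyTrust -Name $rpName) {
    Remove-AdfsRelyingPartyTrust -TargetName $rpName
}
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $spMetadataPath `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Review what was created before replying to the support ticket.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules |
    Format-List
```

The files mytokensigningkey.cer and FederationMetadata.xml written to the working folder are the two artifacts requested in Step 3. Re-run the export and the thumbprint check whenever ADFS rolls over its token-signing certificate (automatic certificate rollover is on by default), because Testlab must be given the new public key before the old one stops being used.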
On testing the setup:
The implementation conforms to the Web Browser SSO Profile of the SAML 2.0 standard. We recommend SHA-256 rather than SHA-1 as the signature hash algorithm of the relying party trust.
The following optional claims are recognised by Testlab when sent from the IdP:

| Claim type | Testlab attribute | Mandatory |
| --- | --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | E-mail address of the user | No |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Full name of the user | No |

The NameID of the SAML assertion's Subject is always used to identify the user in Testlab and is therefore mandatory. Its value must match the user ID of the user in Testlab.
The e-mail address and the full name of the user are only used when the user logs on to Testlab for the first time. When this happens, the user is presented with an option to register a new user account in your Testlab, and the e-mail address and the full name are pre-filled from the federated identity.