SAML Overview
This plugin allows you to configure a connection with a SAML provider.
Integration with SAML will allow you to log in to ReportPortal using SSO instead of tedious manual user creation.
The plugin provides a mechanism for exchanging information between ReportPortal and the SAML provider, such as the possibility of logging in to ReportPortal with SAML credentials.
User JIT provisioning
If you have a pre-created Internal user, you can't login by SAML using their credentials (Email or Name).
Just-in-time (JIT) provisioning is a feature that creates a user account in ReportPortal when a user logs in for the first time. This feature is available for SAML integrations.
However, you can't provision a user from SAML Provider to ReportPortal if you
already have a pre-created internal user in ReportPortal with the same email
and different login. The login must be the email name without the domain part.
For instance, if the email is john_weak@babayaga.com
the login should be
john_weak
.
In the opposite case, the user cannot log in to ReportPortal.
You can fix it by changing the login name or email or deleting the user from
the ReportPortal.
SAML provider requirements
There are detailed manuals for the configuration of Azure SAML and Okta SAML.
- SAML 2.0 version
- HTTP-POST Binding
- URL to download SAML IdP Metadata
- HTTPS connection for SAML Metadata
- Support SAML attributes:
- first name
- last name
- full name (instead of first and last name)
Add integration
ReportPortal contains the SAML Plugin by default.
- Go to
Administration
->Plugins
->SAML
- Select
Add integration
.
Set up connection
Identity provider configuration
ReportPortal Assertion Consumer Service URL (ACS URL)
You have to provide a URL for a SAML provider to deliver SAML data to the identity federation.
https://<host>/uat/saml/sp/SSO/alias/report-portal-sp
Identifier
Set up identifier (aka Audience Restriction, aka Entity ID) for application as
report.portal.sp.id
.
When you deploy the authorization service, you can specify your entity ID using
the environment variable RP_AUTH_SAML_ENTITYID
.
Custom attributes
The IDp app user profile must provide attributes like this:
- user.email
- user.firstName
- user.lastName
Also, Make sure there is a mapping created according to the values that you use in the ReportPortal SAML plugin like this:
- user.email -> Email
- user.firstName -> FirstName
- user.lastName -> LastName
Service provider initial URL (SP-Initiated SSO)
Some Identity Providers can request a URL for the initial login page. You can provide the URL to the ReportPortal login page.
https://<host>/ui/#login
ReportPortal configuration
Identity provider name ID (Optional)
Identity provider name ID (aka name identifier formats) controls how the users at identity providers are mapped to users at service providers.
We support the following formats:
UNSPECIFIED
- used by default
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
EMAIL
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Provider name - Provider name associated with IDP.
Metadata URL - URL that provides data with information about SAML Provider.
Email - Attribute name from SAML metadata which contains an user email.
<saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">neuromancer@cyberspace.net</saml:AttributeValue>
</saml:Attribute>
ReportPortal Callback URL - This field provides a redirect base path.
Once you submit an integration with the "RP callback URL," the URL will be applied to all SAML integrations.
https://<host>/uat
First name - Attribute name from SAML metadata which contains an user first/given name.
<saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">William</saml:AttributeValue>
</saml:Attribute>
Last name - Attribute name from SAML metadata which contains an user last/family name.
<saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Gibson</saml:AttributeValue>
</saml:Attribute>
Full name - Attribute name from SAML metadata which contains a full user name. You can use either two separate attributes for first name and last name or a combined first and last name attribute. This solely depends on your SAML provider.
<saml:Attribute Name="FullName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">William Gibson</saml:AttributeValue>
</saml:Attribute>