Setting Up SSO For Plutora Test

Plutora Test supports the following ‘flavors’ of SSO:

  1. SAML.
  2. WS-Federation Services.
  3. WS-Federation Services with SAML.

Setup procedures for all three flavors can be found below.

First, check what kind of SSO you are using.

Plutora and Plutora Test now both support SSO. Logging in or out of Plutora will also log the user in or out of Plutora Test. While logging out, do not close the browser window until the logout process is complete.

 

The minimum requirements to activate SSO are the Use SAML Request toggle switch and the SSO Login URL.

Administrators should use the Login Settings Customization to redirect users to the SSO login page every time they log in.

  1. Click Settings.
  2. Click the Authentication tab.
  3. Click to enable the Enable SSO Login toggle switch to make the SSO Login link appear under the Plutora Test login form.
  4. Click to select the following as required:
    Do not select the Auto redirect to SSO login page checkbox until you have confirmed that the connection is working. If the connection is not working, go directly to YourCompanyName.plutoratest.com/login to log in.

    1. Auto redirect to SSO login page:
      • Click to select the checkbox to bypass the Plutora Test login page and always redirect the user to the SSO Login URL.
      • If Auto redirect to SSO login page is selected but the Logout URL is not set, when users log out of Plutora or Plutora Test, they will be immediately logged back in again.
    2. Use SAML Request: Click to enable the toggle switch.
      • If the Auto redirect to SSO login page toggle switch is not enabled, but Use SAML Request toggle switch is enabled, users will be directed to the Plutora Test login page, where they can click the SSO Login link.
      • If the Use SAML Request toggle switch is unselected, the system will attempt to log in via a pre-configured WS-Federation module.
    3. Combined Issuer: Click to enable the toggle switch to enable SSO credentials for both Plutora and Plutora Test:
      • When enabled: the authentication request Issuer will be https://idp-{region}.plutora.com and the AssertionConsumingServiceUrl will be https://idp-{region}.plutora.com/api/Login/ExternalLoginResponse.
      • This will allow customers to use SSO with Plutora and Plutora Test, provided they have updated their SSO server settings.
      • When disabled: the authentication request Issuer will be based on which site is making the request – either https://{subdomain}.plutora.com or https://{subdomain}.plutoratest.com and the AssertionConsumingServiceUrl will also be based on which site is making the request – same as Issuer.
      • This will allow customers to continue to use SSO with Plutora without changing their SSO server settings.
      • If they add https://{subdomain}.plutoratest.com with the right settings to their SSO server, they will also be able to use Plutora Test. However, this isn’t the intention: the intention is that they should enable the option and update their SSO server settings to handle the new Issuer above.
    4. Login URL: Type the URL that the user will be sent to when they log in via SSO.
    5. Sign Login Request: Click to select the checkbox:
      • If enabled, the authentication request to the SSO server will be signed with Plutora’s private key.
      • Customers should download the public certificate and use it on their SSO server to validate the signature in the login request.
      • If enabled, the authentication request will be made using a POST method, otherwise, it will be made using a GET method.
    6. Validate Login Response: Click to enable the toggle switch:
      • If enabled, upon receiving an authentication response from the customer’s SSO server, the Plutora Test authentication system will check the signature in the response and validate it using the “Response Validation Certificate” setting below.
      • If the response is not signed, the authentication will fail. If the response is signed but the signature is invalid, the authentication will fail.
        The Validate Login Response checkbox should be selected. If left unselected, an unauthorized user could forge an authentication response and gain access.
    7. Logout URL: Type the URL that the user will be sent to after they log out as part of the single-logout process (which logs the user out of all the sessions authenticated by their SSO login):
      • This logout request must be processed at the SSO server and a Logout Response MUST be returned. See section 3.7, Single Logout Protocol.
      • If not provided, when a user logs out, they will only be logged out of Plutora and Plutora Test, and not all the sessions authenticated by their SSO login.
      • If provided, and not correctly configured at the SSO server, users will not be able to log out of Plutora and Plutora Test, as when they log out they will immediately be logged back in again.
    8. Sign Logout Request: Click to enable the toggle switch:
      • If enabled, the logout request to the SSO server will be signed with Plutora’s private key.
      • Customers should download the public certificate and use it on their SSO server to validate the signature of the logout request.
      • If enabled, the logout request will be made using a POST method, otherwise, it will be made using a GET method.
    9. Download the public certificate for signature verification on your SSO server: Click to download the certificate:
      • Plutora Test now has a full certificate embedded to be used for signing SSO authentication requests.
      • Download the public certificate and load it into your SSO system so you can validate the signature of the authentication requests.
    10. Validate Logout Response: Click to enable the toggle switch: 
      • If enabled, upon receiving a logout response from the customer’s SSO server, the Plutora authentication system will check the signature in the response and validate it using the “Response Validation Certificate” setting below.
      • If the response is not signed, or the response is signed but the signature is invalid, the authentication system will consider the logout to be “partially successful” as it cannot verify that the single logout completed.
      • Regardless of the verification, the user will be logged out of Plutora and Plutora Test.
    11. Response Validation Certificate: To upload a certificate:
      1. Click Upload.
      2. Click to select the certificate file:
        • Customers should upload the PUBLIC CERTIFICATE of their keystore. For example, see https://stackoverflow.com/questions/36133076/how-to-extract-certificate-from-p12-pfx-file-using-keytool-commands.
        • This certificate will be used to validate login and logout responses from the SSO server if the corresponding settings are enabled.
        • In Plutora Test, some of the currently uploaded certificate information is shown. If it says “Private Key”, then the user has mistakenly uploaded their private key via Plutora; the key has been compromised and should be replaced.
      3. Click Open.
      4. Type the password that was used when generating the certificate.
        If the certificate is public and doesn’t require a password, click OK without typing a password.
      5. Click OK.
        Once the certificate is uploaded, the message will change from There has not been a certificate uploaded yet to Certificate has been uploaded.
        Users who log into Plutora for the first time using SSO are granted access that depends on the Requestor User Role. Administrators must update their account to give them the access they need.
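
To confirm which Issuer and ACS URL your SSO server has to accept for the Combined Issuer setting, and whether the request arrived by POST (signed) or GET (unsigned), you can decode a SAMLRequest captured from your own login attempt. This is an added example, not Plutora code: the region "us", the host acme.plutoratest.com and the function names are constructed, and with Combined Issuer disabled it assumes the ACS URL sits on the Issuer's origin.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_PATH = "/api/Login/ExternalLoginResponse"  # path the page gives for Combined Issuer

def decode_saml_request(value, method):
    """Decode a captured, already URL-decoded SAMLRequest value."""
    raw = base64.b64decode(value)  # POST binding: plain base64 of the XML
    if method.upper() == "GET":
        raw = zlib.decompress(raw, -15)  # Redirect binding: raw DEFLATE, no zlib header
    return raw.decode("utf-8")

def check_authn_request(xml_text, combined_issuer, region=None, site_host=None):
    """Return the mismatches between a request and the Issuer/ACS values described above."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    acs = root.get("AssertionConsumerServiceURL", "")  # standard SAML attribute name
    problems = []
    if combined_issuer:
        want_issuer = f"https://idp-{region}.plutora.com"
        if acs != want_issuer + ACS_PATH:
            problems.append(f"ACS URL {acs!r} is not {want_issuer + ACS_PATH!r}")
    else:
        want_issuer = f"https://{site_host}"
        # Assumption: "based on which site" means the ACS URL is on the Issuer's origin.
        if acs != want_issuer and not acs.startswith(want_issuer + "/"):
            problems.append(f"ACS URL {acs!r} is not on {want_issuer!r}")
    if issuer != want_issuer:
        problems.append(f"Issuer {issuer!r} is not {want_issuer!r}")
    return problems

def sample_request(issuer, acs, method):
    """Constructed sample only: build and encode a minimal AuthnRequest."""
    xml_text = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" '
                f'xmlns:saml="{NS["saml"]}" ID="_constructed1" Version="2.0" '
                f'AssertionConsumerServiceURL="{acs}">'
                f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    data = xml_text.encode("utf-8")
    if method.upper() == "GET":
        deflater = zlib.compressobj(wbits=-15)
        data = deflater.compress(data) + deflater.flush()
    return base64.b64encode(data).decode("ascii")

if __name__ == "__main__":
    req = sample_request("https://acme.plutoratest.com", "https://acme.plutoratest.com/sso", "GET")
    print(check_authn_request(decode_saml_request(req, "GET"), True, region="us"))
```

An empty list means the request matches what the SSO server should be configured to trust; any entry names the value that still points at the old per-site Issuer or an unexpected ACS URL.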
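
Before uploading a file as the Response Validation Certificate, a local check can confirm that it is a public certificate and not a keystore or private key. This is an added example, not part of Plutora Test: the function names and return labels are hypothetical, and the binary (DER) branch is a structural heuristic that looks only at the first ASN.1 tags.

```python
import re

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def _enter_sequence(buf, pos):
    """If a DER SEQUENCE starts at pos, return the offset of its first child, else None."""
    if pos + 2 > len(buf) or buf[pos] != 0x30:
        return None
    n = buf[pos + 1]
    # Long-form length: the low 7 bits count the length bytes that follow.
    return pos + 2 + (n & 0x7F if n & 0x80 else 0)

def classify_upload(data):
    """Return 'certificate', 'may-contain-private-key' or 'unknown' for a file's bytes."""
    labels = [m.decode("ascii") for m in PEM_LABEL.findall(data)]
    if labels:
        # Covers PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
        if any("PRIVATE KEY" in label for label in labels):
            return "may-contain-private-key"
        return "certificate" if "CERTIFICATE" in labels else "unknown"
    outer = _enter_sequence(data, 0)
    if outer is None or outer >= len(data):
        return "unknown"
    if data[outer] == 0x02:
        # PKCS#12 keystores and PKCS#1/PKCS#8/SEC1 keys begin SEQUENCE { INTEGER version ...
        return "may-contain-private-key"
    tbs = _enter_sequence(data, outer)
    if tbs is not None and tbs < len(data) and data[tbs] == 0xA0:
        # X.509 v2/v3: SEQUENCE { SEQUENCE tbsCertificate { [0] version ...
        return "certificate"
    return "unknown"

def safe_to_upload(data):
    """Only a file positively identified as a certificate passes."""
    return classify_upload(data) == "certificate"
```

Anything other than "certificate" should be converted or re-exported with your keystore tool, without the private key, before it is uploaded.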

 

If you are using WS-Federation Services, please contact our Support Staff so they can create a configuration file.

To set up WS-Federation Services on Plutora Test, once the configuration file is created:

  1. Click Settings.
  2. Click the Authentication tab.
  3. Click to enable the Enable SSO Login toggle switch to make the SSO Login link appear under the login form.
    Users who log into Plutora Test for the first time using SSO are granted access that depends on the Plutora Requestor User Role. Administrators must update their account to give them the access they need.  

 

If you are using WS-Federation Services, please contact our Support Staff so they can create a configuration file.

To set up WS-Federation Services on Plutora Test, once the configuration file is created:

  1. Click Settings.
  2. Click the Authentication tab.
  3. Click to enable the Enable SSO Login toggle switch to make the SSO Login link appear under the login form.
  4. Click to select the Use SAML Request checkbox.
    Users who log into Plutora Test for the first time using SSO are granted access that depends on the Plutora Requestor User Role. Administrators must update their account to give them the access they need.  

