Configure identity provider

Prerequisite: Configure service provider.

This section describes how to configure an IdP by completing the Identity Provider Registration step.

Overview

Consider the following before configuring an IdP:

  • Make sure you first configure the default alm IdP.

  • Before adding other IdPs, make sure that the alm IdP is successfully validated, and that SSO is enabled. For details, see Validate identity provider and enable SSO.

  • After completing the Identity Provider Registration step for an IdP, the configuration file is saved in the following repository:

    {Repository}\sa\DomsInfo\osp\<idp name>.properties

Basic properties

In the Identity Provider Registration > Basic Properties tab, complete the following configurations:

Field Description

Federation Protocol

Select the federation protocol (SAML2 or OIDC) that OpenText Application Quality Management uses to communicate with IdP.

The OIDC protocol requires that the server be able to establish network connections to the IdP.

Name ID Format

Available only when you select SAML2 as the federation protocol.

The Name ID format supported by the IdP.

IDP Metadata Available

Available only when you select SAML2 as the federation protocol.

Whether or not the real IdP metadata is available to be shared with the SP.

  • NO. Select NO if you have not obtained the IdP metadata yet. Temporary mock IdP metadata is provided to the SP so that the system can start the service and load the SP metadata.

    After you obtain the real IdP metadata, change the value to YES, provide the metadata with a URL or XML text, and restart the server.

  • YES. Select YES if you have already obtained the IdP metadata. Provide the metadata with a URL or XML text.

IDP Metadata Provision Mode

Available only when you select YES in the IDP Metadata Available field.

  • Input Metadata URL. If you select this option, enter the IdP metadata URL.

    Select this option only when the IdP metadata URL can be accessed by the server.

  • Input/Upload Metadata Content. If you select this option, either manually enter the plain-text XML of the SAML metadata descriptor from the IdP, or click the upload icon to upload the metadata file.

    Select this option if the IdP metadata URL cannot be accessed from the server.

OpenID Issuer

OpenID Client ID

OpenID Client Secret

Available and required only when you select OIDC as the federation protocol.

Provide the issuer, client ID, and client secret. They are specified when you create a client that uses OIDC as the protocol in the IdP.

Limitation: We recommend that you use a simple name for the OpenID client. Otherwise, SSO validation fails.

Enable Single Sign Out

This option controls whether or not single sign-out is supported. If you change the value of this option after enabling SSO, restart the server to make your change take effect.

  • YES. The single-sign-out feature is enabled. When it is enabled, the following happens:

    • A link to single sign out is displayed in the bottom-right corner of the Application Lifecycle Management Options window. When an IdP user clicks the link, the user is logged out from the IdP, and the window displays the session-out message and closes all sessions.
    • When an IdP user clicks Close Project in Desktop Client, a window pops up asking whether the user wants to single sign out from the IdP or only close the project. If the user clicks NO or X to close the confirmation window, the user only closes the project and remains active in the IdP session. If the user clicks YES, the session in both the IdP and the client is closed; other connections for the same user, if any, keep running until their access tokens expire.
    • When an IdP user clicks Logout in Site Administration, the user is logged out of the IdP, Site Administration is closed automatically with all sessions cleared, and other connections for the same user, if any, keep running until their access tokens expire.
  • NO. The single sign-out feature is disabled. When an IdP user logs out from a page, the user's session remains active in the IdP.

Note: Single sign-out is supported only for SAML2; it is not supported for OIDC because of limitations in OIDC.

Attribute mapping

In the Identity Provider Registration > Attribute Mapping tab, map IdP user attributes to OpenText Application Quality Management user attributes.

Field Description

Identity Key

The Identity Key is a unique attribute used to differentiate between users and prevent the creation of duplicate user accounts, ensuring each user is uniquely identified based on this value.

Map the appropriate unique value, such as username or email, from your IdP to Identity Key.

ALM Username

The ALM Username attribute is the unique attribute used to log in.

Map the appropriate unique attribute in the IdP to ALM Username.

ALM User Email

The ALM User Email attribute stores the user's email address.

Map the appropriate email attribute of the IdP to ALM User Email.

ALM User Phone

The ALM User Phone attribute stores the user's phone number.

Map the appropriate IdP user attribute to ALM User Phone.

ALM User Full Name

The ALM User Full Name attribute stores the user's full name.

Map the appropriate IdP user attribute to ALM User Full Name.

ALM User Description

Map the appropriate IdP user attribute to ALMDescription.

Identity Key Case-sensitive

Controls whether the Identity Key provided by the IdP should be matched in a case-sensitive manner during the user authorization process.

  • Yes. Case-sensitive.
  • No. Case-insensitive.

User auto provisioning

In the Identity Provider Registration > User Auto Provisioning tab, configure whether or not to enable auto user provisioning to update or create matching OpenText Application Quality Management users.

Field Description

User Info Auto Update

This option controls whether or not to automatically update the user attributes of matching OpenText Application Quality Management users with the mapped user attributes of IdP users.

The matching users are found based on the attributes you select in Attributes Used to Match Existing ALM Users.

  • If this switch is turned on, the matching users' information is automatically updated.

  • If this switch is turned off, the matching users' information is not automatically updated.

Attributes Used to Match Existing ALM Users

Available only when User Info Auto Update is turned on.

Select one or more ALM user attributes that are used to match IdP users with existing OpenText Application Quality Management users.

A single matching user is found as follows:

  • The first selected attribute is used to find the matching user. If exactly one matching user is found, the identity key and identity ID information is attached to that user.
  • If more than one matching user is found, the system continues to filter the matching users using the second selected attribute, and so on, until only one matching user is left.
  • If the system fails to narrow the result to a single matching user after filtering by all the selected attributes, it checks whether to create new OpenText Application Quality Management users for IdP users, depending on the setting of User Auto Generation.

User Auto Generation

This option controls whether or not to automatically create OpenText Application Quality Management users based on the user attributes of IdP users.

Attribute Mapped to ALM Username

Available only when User Auto Generation is turned on.

Select one of the following attributes as the default username of a new OpenText Application Quality Management user:

  • IdentityKey. When creating a user, the IdentityKey value is used as the username.

  • ALMUsername. When creating a user, the ALMUsername value is used as the username.

  • ALMEmail. When creating a user, the ALMEmail value is used as the username.

Note: If the target string contains any special characters such as @, they are converted to an underscore (_) when the username is created.
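The following added example (not code from the product; the user records and attribute values are constructed) models the matching procedure described under Attributes Used to Match Existing ALM Users together with the default-username derivation described above: candidates are filtered attribute by attribute until exactly one is left, and otherwise a new user is generated only when auto generation is on. It assumes that any character other than a letter, digit or underscore counts as a special character.

```python
import re

# Constructed sample directory of existing ALM users (keys follow the page's
# attribute names; these are not real accounts). Two users deliberately share
# an email address so that matching on email alone is ambiguous.
ALM_USERS = [
    {"ALMUsername": "jdoe",   "ALMEmail": "jdoe@example.com",   "ALMFullName": "Jane Doe",  "IdentityKey": None},
    {"ALMUsername": "jdoe2",  "ALMEmail": "jdoe@example.com",   "ALMFullName": "John Doe",  "IdentityKey": None},
    {"ALMUsername": "asmith", "ALMEmail": "asmith@example.com", "ALMFullName": "Ann Smith", "IdentityKey": None},
]


def match_existing_user(idp_user, match_attrs, users):
    """Filter users by each selected attribute in turn and stop as soon as
    exactly one candidate remains. Return None if no candidate remains, or if
    several still remain after every selected attribute has been applied."""
    candidates = list(users)
    for attr in match_attrs:
        candidates = [u for u in candidates if u.get(attr) == idp_user.get(attr)]
        if len(candidates) == 1:
            return candidates[0]
        if not candidates:
            return None
    return None


def default_username(idp_user, username_attr):
    """Derive the default ALM username from the chosen attribute, replacing
    special characters with '_'. Assumption: anything that is not a letter,
    digit or underscore is treated as special."""
    return re.sub(r"\W", "_", idp_user[username_attr])


def provision(idp_user, match_attrs, auto_generate, username_attr, users):
    """Return (action, user): 'updated' when one existing user matched and the
    identity key was attached, 'created' when a new user was generated, or
    'rejected' when no single match was found and auto generation is off."""
    user = match_existing_user(idp_user, match_attrs, users)
    if user is not None:
        user["IdentityKey"] = idp_user["IdentityKey"]
        return "updated", user
    if not auto_generate:
        return "rejected", None
    new_user = {k: idp_user.get(k) for k in ("ALMEmail", "ALMFullName", "IdentityKey")}
    new_user["ALMUsername"] = default_username(idp_user, username_attr)
    users.append(new_user)
    return "created", new_user
```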

Default ALM Username Editable

Available only when User Auto Generation is enabled.

This option controls whether or not a new OpenText Application Quality Management user can change its default username during user creation.

Send Notification

Available only when User Auto Generation is enabled.

This option controls whether or not to send email notifications to the related users in the following circumstances:

  • When new users are created during auto user provisioning, this option controls whether or not to send a notification to the new users and the specified site admin users.
  • When an IdP user accesses the SSO validation URL to validate the IdP, this option controls whether or not to send notifications to the specified site admin users.
  • When the SSO certificate is about to expire, this option controls whether or not to send notifications to the specified site admin users.

Auto Provision Notification List

Available only when Send Notification is enabled.

Specify the usernames of the site admin users who receive notifications.

Components preparation

In the Identity Provider Registration > Components Preparation tab, follow the on-screen instructions to deploy SP and fetch SP metadata.

Next steps: