SSO authentication

This topic describes how to set up single sign-on (SSO) authentication for connecting to LoadRunner Enterprise. This enables users to log in to LoadRunner Enterprise and LoadRunner Enterprise Administration using SSO.

Overview

You can configure LoadRunner Enterprise with SSO authentication. This way, users can use single sign-on for logging into LoadRunner Enterprise as they do with other SSO applications.

To facilitate single sign-on, the LoadRunner Enterprise service provider (SP) sends an authentication request to the Identity Provider (IdP), which is an online service that authenticates users using security tokens.

Service providers and protocols

LoadRunner Enterprise's SSO integration uses the SAML2 protocol for authentication with IdPs. LoadRunner Enterprise can use any IdP that supports SAML2.

The following IdPs have been tested with LoadRunner Enterprise: ADFS, Azure AD, Bitium, Centrify, Google, MVC, OWIN, Okta, OneLogin, PingOne, Salesforce, Shibboleth, and WSO2 Identity Server.

Handling existing internal users

All users must be in the LoadRunner Enterprise database before they can be authenticated using any one of the authentication types. For example, all SSO users must be in LoadRunner Enterprise before you switch to SSO authentication. For details on creating users, see Create a new user.

Prerequisites for SSO authentication

This section describes the prerequisites for setting up SSO authentication in LoadRunner Enterprise.

Note: For details on how to configure the IdP you are using, see the documentation provided by your IdP.

Issue a certificate and export private information.

Create a certificate for the LoadRunner Enterprise service provider using any certificate tool, such as OpenSSL, and extract the private information from it (it should be a .pfx file).
Upload the local certificate to LoadRunner Enterprise Administration.
1. In LoadRunner Enterprise Administration, select Configuration > Site Configuration, and click the Authentication Type tab.
2. Expand the SSO section, and click the Upload button adjacent to the Local Certificate File field.
3. Select the name of the local certificate file to use to integrate with the IdP from LoadRunner Enterprise, and then click Open.
  
  Note: For LoadRunner Enterprise 2021 and 2021 R1, click Save, and skip to Share LoadRunner Enterprise’s metadata and the certificate with the IdP (LoadRunner Enterprise 2021 and 2021 R1 only).
4. In the Local Certificate Password field, enter the password that was used for generating the certificate.
5. Click Save.
Share LoadRunner Enterprise’s metadata and the certificate with the IdP.
1. Click Download Metadata to download the local SAML metadata file and the LoadRunner Enterprise certificate.
2. Send the LoadRunner Enterprise metadata and certificate file to your ldP.
Configure the IdP.

In the IdP, make sure you create two applications—one for LoadRunner Enterprise Administration (Admin) and one for LoadRunner Enterprise (LoadTest).
Add the initial user to SSO (recommended).

The first user created in LoadRunner Enterprise has site administrator permissions and is allowed to perform any action in the LoadRunner Enterprise system.

Tip: We recommend adding this user to the SSO. Later, you can add additional IdP users and make them administrator users.

Configure SSO authentication

Configure LoadRunner Enterprise and its service provider for SSO authentication.

In LoadRunner Enterprise Administration, select Configuration > Site Configuration, and click the Authentication Type tab.

Expand the SSO section and enter the following:

UI Element	Description
Admin	SP Identity. Enter the LoadRunner Enterprise service provider identifier. Issuer Identity Provider. Enter a unique identifier of the IdP. Includes ADFS, Azure AD, Bitium, Centrify, Google, MVC, OWIN, Okta, OneLogin, PingOne, Salesforce, Shibboleth, and WSO2 Identity Server. Single Sign on Link. Enter the SSO link you created in the IdP for accessing the LoadRunner Enterprise Administration application. Single Logout Link. Enter the link you created in the IdP for logging out the LoadRunner Enterprise Administration application. When a user logs out from LoadRunner Enterprise Administration, they are automatically logged out from all connected applications that were authenticated using the IdP. After a user logs out, the SSO login screen is displayed. Partner Certificate File. Click Upload and select the partner certificate file you downloaded from the IdP. The supported certificate types are .cert, .cer, .pfx.
LoadTest	SP Identity. Enter the LoadRunner Enterprise service provider identifier. Issuer Identity Provider. Enter a unique identifier of the IdP. Includes ADFS, Azure AD, Bitium, Centrify, Google, MVC, OWIN, Okta, OneLogin, PingOne, Salesforce, Shibboleth, and WSO2 Identity Server. Single Sign on Link. Enter the SSO link you created in the IdP for accessing the LoadRunner Enterprise application. Single Logout Link. Enter the link you created in the IdP for logging out the LoadRunner Enterprise application. When a user logs out from LoadRunner Enterprise, they are automatically logged out from all connected applications that were authenticated using the IdP. After a user logs out, the SSO login screen is displayed. Partner Certificate File. Click Upload and select the partner certificate file you downloaded from the IdP. The supported certificate types are .cert, .cer, .pfx.
Local Certificate File (LoadRunner Enterprise 2021 and 2021 R1 only)	Click Upload and select the name of the local certificate file to use to integrate with the IdP from LoadRunner Enterprise.
Local Certificate Password (LoadRunner Enterprise 2021 and 2021 R1 only)	Enter the password that was used for generating the certificate.
User Login column	Select whether to login using your username or email for SSO authentication.
Description	(Optional) Add a description of the SSO authentication.
Token Timeout (minutes)	Set the expiration timeout for a SSO authentication token. For details, see Integrate with other Micro Focus products. Default value: 1 minute

Click Save to save your settings.

To restore the default SSO settings, click Restore.
Click Select this authentication type to set external SSO authentication as the authentication type for all users.

The selected authentication type is indicated by .

Test SSO authentication

This section describes how to test SSO authentication for the LoadRunner Enterprise user interface.

To log in to LoadRunner Enterprise using SSO, navigate to the LoadRunner Enterprise or LoadRunner Enterprise Administration URL. You should be redirected to your IdP’s login screen.
Log in with the LoadRunner Enterprise admin credentials.
- For LoadRunner Enterprise: You are redirected to the LoadRunner Enterprise Login window from which you need to select a domain and project (the username and password are already filled in).
- For LoadRunner Enterprise Administration: You are redirected to LoadRunner Enterprise Administration and you can now use the application.

Integrate with other Micro Focus products

Supported in versions: LoadRunner Enterprise 2021 R1 and later

When SSO authentication is enabled on the LoadRunner Enterprise server, other Micro Focus products (VuGen, Analysis, and Entity Unlocker) can integrate securely with LoadRunner Enterprise using a single set of credentials.

You can set the expiration timeout for SSO authentication in the Token Timeout field. For details, see Configure SSO authentication.

You can set a maximum timeout value for SSO authentication globally from the configuration file. Navigate to <LoadRunner Enterprise server installation>\LRE_BACKEND\ and open the appsettings.default.json file. In the SiteSSOOptions section, enter a maximum timeout value (in minutes).

Note: Configuring a timeout value in the Token Timeout field higher than the maximum timeout value results in an error.

Notes and limitations

The following are notes and limitations when using SSO authentication:

When enabling single-sign on with Azure Active Directory as the IdP, the internal URLs for the LoadRunner Enterprise and LoadRunner Enterprise Administration applications must use https and not http.
(LoadRunner Enterprise 2021 only) When LoadRunner Enterprise is configured with SSO authentication, the following are not supported: REST APIs, Analysis integration, VuGen integration, and Entity Unlocker.