SSO authentication
This topic describes how to set up single sign-on (SSO) authentication for connecting to OpenText Enterprise Performance Engineering. This enables users to log in to OpenText Enterprise Performance Engineering and Administration using SSO.
Note: SSO is supported with a secure HTTP connection only (SSL configured environment).
Overview
You can configure OpenText Enterprise Performance Engineering with SSO authentication. This way, users can use single sign-on for logging into OpenText Enterprise Performance Engineering as they do with other SSO applications.
To facilitate single sign-on, the OpenText Enterprise Performance Engineering service provider (SP) sends an authentication request to the Identity Provider (IdP), which is an online service that authenticates users using security tokens.
Service providers and protocols
OpenText Enterprise Performance Engineering's SSO integration uses the SAML2 protocol for authentication with IdPs. OpenText Enterprise Performance Engineering can use any IdP that supports SAML2.
The following IdPs have been tested with OpenText Enterprise Performance Engineering: ADFS, Azure AD, Bitium, Centrify, Google, MVC, OWIN, Okta, OneLogin, PingOne, Salesforce, Shibboleth, and WSO2 Identity Server.
Handling existing internal users
All users must be in the database before they can be authenticated using any one of the authentication types. For example, all SSO users must be in OpenText Enterprise Performance Engineering before you switch to SSO authentication. For details on creating users, see Create or edit a user.
Prerequisites
This section describes the prerequisites for setting up SSO authentication in OpenText Enterprise Performance Engineering.
Note: For details on how to configure the IdP you are using, see the documentation provided by your IdP.
- Configure OpenText Enterprise Performance Engineering to work with HTTPS.
  SSO is supported with a secure HTTP connection only (SSL configured environment). For details, see Install.
- Issue a certificate and export private information.
  Create a certificate for the OpenText Enterprise Performance Engineering service provider using any certificate tool, such as OpenSSL, and extract the private information from it (the certificate should be a .pfx file).
- Upload the local certificate to Administration.
  - In Administration, select Configuration > Site Configuration, and click the Authentication Type tab.
  - Expand the SSO section, and click the Upload button.
  - Select the name of the local certificate file to use to integrate with the IdP from OpenText Enterprise Performance Engineering, and then click Open.
  - In the Local Certificate Password field, enter the password that was used for generating the certificate.
  - Click Save.
- Share OpenText Enterprise Performance Engineering’s metadata and the certificate with the IdP.
  - Click Download Metadata to download the local SAML metadata file and the OpenText Enterprise Performance Engineering certificate.
  - Send the OpenText Enterprise Performance Engineering metadata and certificate file to your IdP.
- Configure the IdP.
  In the IdP, make sure that you create two applications, one for Administration (Admin) and one for OpenText Enterprise Performance Engineering (LoadTest).
- Add the initial user to SSO (recommended).
  The first user created in OpenText Enterprise Performance Engineering has site administrator permissions, and can perform any action in the OpenText Enterprise Performance Engineering system.
  Tip: We recommend adding this user to the SSO. Later, you can add additional IdP users and make them administrator users.
Configure SSO authentication
Configure OpenText Enterprise Performance Engineering and its service provider for SSO authentication.
Note: We recommend using Two-Factor Authentication and/or Captcha when using SSO authentication.
- In Administration, select Configuration > Site Configuration, and click the Authentication Type tab.
- Expand the SSO section and enter the following:
  - Admin
    - SP Identity. Enter the OpenText Enterprise Performance Engineering service provider identifier.
    - Issuer Identity Provider. Enter a unique identifier of the IdP. Includes ADFS, Azure AD, Bitium, Centrify, Google, MVC, OWIN, Okta, OneLogin, PingOne, Salesforce, Shibboleth, and WSO2 Identity Server.
    - Single Sign on Link. Enter the SSO link you created in the IdP for accessing the Administration application.
    - Single Logout Link. Enter the link you created in the IdP for logging out the Administration application. When a user logs out from Administration, they are automatically logged out from all connected applications that were authenticated using the IdP. After a user logs out, the SSO login screen is displayed.
    - Partner Certificate File. Click Upload and select the partner certificate file you downloaded from the IdP. The supported certificate types are .cert, .cer, .pfx.
  - LoadTest
    - SP Identity. Enter the OpenText Enterprise Performance Engineering service provider identifier.
    - Issuer Identity Provider. Enter a unique identifier of the IdP. Includes ADFS, Azure AD, Bitium, Centrify, Google, MVC, OWIN, Okta, OneLogin, PingOne, Salesforce, Shibboleth, and WSO2 Identity Server.
    - Single Sign on Link. Enter the SSO link you created in the IdP for accessing the OpenText Enterprise Performance Engineering application.
    - Single Logout Link. Enter the link you created in the IdP for logging out the OpenText Enterprise Performance Engineering application. When a user logs out from OpenText Enterprise Performance Engineering, they are automatically logged out from all connected applications that were authenticated using the IdP. After a user logs out, the SSO login screen is displayed.
    - Partner Certificate File. Click Upload and select the partner certificate file you downloaded from the IdP. The supported certificate types are .cert, .cer, .pfx.
  - User login column. Select whether to log in using your user name or email for SSO authentication.
  - Description. (Optional) Add a description of the SSO authentication.
  - Token timeout (minutes). Set the expiration timeout for an SSO authentication token. For details, see Integrations.
    Default value: 1 minute
- Click Save to save your settings.
  To revert to the last saved SSO settings, click the Restore button.
- Click Select this authentication type to set external SSO authentication as the authentication type for all users.
Test SSO authentication
This section describes how to test SSO authentication for the OpenText Enterprise Performance Engineering user interface.
- To log in to OpenText Enterprise Performance Engineering using SSO, enter the OpenText Enterprise Performance Engineering or Administration URL. You should be redirected to your IdP’s login screen.
- Log in with the OpenText Enterprise Performance Engineering admin credentials.
  - For OpenText Enterprise Performance Engineering: You are redirected to the OpenText Enterprise Performance Engineering Login window from which you need to select a domain and project (the user name and password are already filled in).
  - For Administration: You are redirected to Administration and you can now use the application.
Integrations
When SSO authentication is enabled on the OpenText Enterprise Performance Engineering server, other OpenText products (VuGen, Analysis, and Entity Unlocker) can integrate securely with OpenText Enterprise Performance Engineering using a single set of credentials.
You can set the expiration timeout for SSO authentication in the Token Timeout field. For details, see Configure SSO authentication.
You can set a maximum timeout value for SSO authentication globally from the configuration file. Go to <Server_installdir>\LRE_BACKEND\ and open the appsettings.defaults.json file. In the SiteSSOOptions section, enter a maximum timeout value (in minutes).
Note: Configuring a timeout value in the Token Timeout field higher than the maximum timeout value results in an error.
Notes and limitations
The following are notes and limitations when using SSO authentication:
- When enabling single sign-on with Azure Active Directory as the IdP, the internal URLs for the OpenText Enterprise Performance Engineering and Administration applications must use https and not http.
- If you have SSO configured and you upgrade from 2023 or earlier, you need to manually copy the certificates from PCWEB_ADMIN\Certificates to LRE_ADMIN\binary\Certificates.
- OpenText Enterprise Performance Engineering does not support HTTP-Redirect (GET) binding for SSO authentication requests; only HTTP-POST binding is supported.
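A preflight check for the IdP side of this setup, as an added example that is not OpenText code: it reads a SAML2 IdP metadata document and pulls out the values the SSO section asks for (Issuer Identity Provider, Single Sign on Link, Single Logout Link, partner certificate), accepting only an HTTP-POST sign-on endpoint because HTTP-Redirect is not supported. The function name `preflight`, the sample metadata and the `idp.example.test` host are constructed for illustration, and the HTTPS check on IdP endpoints is an added hardening assumption.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata; idp.example.test is a placeholder host.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://idp.example.test/slo"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleSignOnService Location="https://idp.example.test/sso/redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleSignOnService Location="https://idp.example.test/sso/post"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def preflight(metadata_xml):
    """Return (values for the SSO section, list of problems found)."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if not root.tag.endswith("}EntityDescriptor") or idp is None:
        raise ValueError("expected a single-entity IdP metadata document")
    # Only HTTP-POST sign-on endpoints are usable; HTTP-Redirect ones are skipped.
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)
           if e.get("Binding") == POST]
    slo = [e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)]
    certs = [c.text for c in idp.iterfind(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    problems = []
    if not sso:
        problems.append("no SingleSignOnService with HTTP-POST binding")
    # Added hardening assumption: IdP endpoints should be HTTPS as well.
    problems += [f"endpoint is not HTTPS: {u}" for u in sso + slo
                 if not (u or "").lower().startswith("https://")]
    if not certs:
        problems.append("no X509 certificate to use as the partner certificate")
    values = {"issuer": root.get("entityID"), "sso_link": sso[0] if sso else None,
              "slo_link": slo[0] if slo else None, "cert_count": len(certs)}
    return values, problems

if __name__ == "__main__":
    print(preflight(SAMPLE))
```

Run it against the metadata file exported from your IdP before filling in the Admin and LoadTest entries; an empty problem list means the IdP publishes an HTTP-POST sign-on endpoint and a certificate.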