Configuring Authentication

Enterprise Tester supports the following authentication methods:

• Crowd
• LDAP
• Machine Source
• Enterprise Tester Database (local)
• SAML 2.0*
• Diagnosing Authentication

* SAML 2.0 is not configurable via the user interface and is incompatible with the other authentication methods. Please see the SAML 2.0 documentation for more details.

You can configure multiple authentication methods and set the priority of the configured methods. This means that if the primary authentication method fails, the secondary method is automatically employed, then the third and fourth.

For example, if you have configured the following authentication methods in the following order:

1. LDAP
2. Machine Source
3. Enterprise Tester Database

If a user cannot be authenticated against LDAP (the primary authentication mode in our example), authentication will automatically be attempted against the next method in the priority list (Machine Source). If the secondary method fails, the third method will be used and so on until the user is successfully authenticated or all methods have been exhausted.

To access the authentication configuration screens you will require application administration permissions to Enterprise Tester. Navigate to the Admin tab. Expand the Configuration folder and double click on Authentication.

Here you can configure new authentication methods or update existing ones. You can also arrange the priority of the configured methods as well as test your configured methods.

By default, Enterprise Tester uses the Enterprise Tester Database as the authentication method.  This method does not require configuration.  

Currently the database method cannot be removed or disabled. 

Adding Methods

• To add a method, click the ‘Add’ button then enter a name for the connection (Note: Currently editing of the connection name after creation is not supported) and select the method type.
• Once you click ‘OK’, the list of methods will refresh to include the new method.
• After creation the method is disabled, you must first configure the method, and then enable it, before it will be used.

---

Crowd

Crowd Authentication method provides the ability to integrate with Atlassian Crowd installations (including single sign-on).

Currently Enterprise Tester supports Authentication with Crowd however does not support Synchronization with Crowd.

When using Crowd, users will still need to be created in Enterprise Tester with the option External User selected. Ensure that the username matches the username in Crowd.

Identifying the Application

To use Crowd with Enterprise Tester you must configure a new application in Crowd, which will represent Enterprise Tester – see the Crowd user guide for details. Once the Crowd application has been added via the Crowd console you should see it in the list of applications (by clicking the ‘Applications’ tab):

In this case, our application name is the lower case ‘enterprisetester’ and this is the value that should be used for the application name in the configuration screen.

Configuring the Method in Enterprise Tester

The Crowd authentication method has the following configuration screen:

Field	Description	Example
Crowd Server	Crowd URL	http://localhost:8095/crowd/services/SecurityServer
Application Name	Name of the application in Crowd	e.g. EnterpriseTester
Password	Password to access Crowd	e.g. Password
Convert Localhost to IPV6	When enabled, the Crowd authentication method will automatically transform IPV4 loopback addresses and localhost host names to the equivalent IPV6 loopback address, when generating remote_address validation factor to be supplied to Crowd. It’s only necessary to enable this if you find validation is failing. Often this occurs when Enterprise Tester and Crowd are both running on the same server.

Additional Information

Integrating Enterprise Tester with Crowd is straight forward. For more information on how the Enterprise Tester Crowd implementation works, please review the blog post Integrating Enterprise Tester with Crowd.

---

LDAP

LDAP Authentication method provides a feature-rich authentication method suitable for use with LDAP Directories, including Active Directory.

Key Features:

• Configuration setting to allow user creation on first successful login
• Optional synchronization of Users, Groups and Group Memberships
• Manual or Automatic synchronization of Users and Groups
• Authentication only setting
• Support for SSL and StartTLS
• Deactivating users or user deletion

Enterprise Tester supports importing the following attributes into Enterprise Tester from LDAP:

1. First Name
2. Last Name
3. Email Address
4. Username
5. Phone Number

The LDAP Configuration has 2 components:

1. General configuration to your LDAP server; and
2. Synchronization set up.

General LDAP Setup

AD Explorer

AD Explorer is an open source tool that can assist with navigation of the Active Directory structure. It is useful in helping to generate the correct filter syntax settings described below. You can download the tool from the Microsoft Windows Sysinternal site.

https://technet.microsoft.com/en-us/sysinternals/bb963907.aspx

Basic Configuration

Field	Description	Example
LDAP Server	Enter LDAP Serve Name or IP Address	123.123.1.234
Port	Port number associated with the LDAP Server	389
Protocol Version	Version of LDAP	Version 2 (required for some older OpenLDAP installations) or Version 3 (Active Directory and new LDAP Directory implementations)
Authentication Type	Authentication Protocol	Anonymous, Basic, Negotiate, NTLM, Digest, Sicily, Dpa, Msn, External or Kerberos
SSL	Encryption Protocol	Check if using SSL
StartTLS	Encryption Protocol	Check if using StartTLS
Base DN	Name of the root node in LDAP from which to search for users	cn=users,dc=example,dc=com
Additional User DN	Prepended to the Base DN to limit the scope when searching for users
Additional Group DN	Prepended to the Base DN to limit the scope when searching for groups
Bind DN	Bind DN is the user and the node in LDAP where the user can be found (this is the user Enterprise Tester will authenticate to the LDAP directory as – they must have sufficient rights to query the LDAP directory)	Either a value distinguished name such as “cn=user,cn=Users, dc=example,dc=com”, an username@domain e.g. “joebloggs@mycompany.local” or left blank for anonymous authentication.
Bind Password	Password for the Bind DN user	Password, or left blank for anonymous authentication.
Search Attribute	The attribute in LDAP holding the login name	uid (common for OpenLDAP) or sAMAccountName (Active Directory)

Paging

Field	Description	Example
Enable Paging	When enabled, users will be returned in multiple pages rather than a single list. This is useful when you have a large number of users configured in LDAP, and where a non-paged request will fail because the query returns more than the allowable maximum – this should always be enabled for Active Directory.	True
User Page Size	Specify the number of users to return per page. The default value is 100. This value should ideally be configured to be the same as the maximum number of results which can be returned from a single query to ensure the least number of round trips when querying LDAP.	1000
Group Page Size	Specify the number of groups to return per page. The default value is 100. This value should ideally be configured to be the same as the maximum number of results which can be returned from a single query to ensure the least number of round trips when querying LDAP.	500

User Configuration

Field	Description	Example
Object Filter	Filter user for retrieving all users	(&(objectCategory=Person)(sAMAccountName=*))
Search Filter Template	Filter used for searching by name or partial name.	(&(objectCategory=Person)(sAMAccountName={0}))
User Name Attribute	User Name Attribute	uid (common for OpenLDAP) or sAMAccountName (Active Directory)
First Name Attribute	First Name Attribute	givenName
Last Name Attribute	Last Name Attribute	sn
Email Attribute	mail
Telephone Attribute	Phone Attribute	telephoneNumber

Group Configuration

Field	Description	Example
Object Filter	Group Object Filter	(&(objectCategory=Group)
Search Filter Template	Group Search Filter Template	(&(objectCategory=Group)(cn={0}))
Name Attribute	Group Name Attribute	cn
Description Attribute	Group Description Attribute	description

Group Member Configuration

Field	Description	Example
Group Member Attribute	Members attribute of group	member
Group Members Filter	Members Attribute Filter	(objectClass=user)

Once you have completed your configuration, select ‘Save’ at the bottom of the page.

When connecting to an OpenLDAP directory, group membership synchronisation has the following limitations

1. The OpenLDAP schema must store members of a group using the full DN of a user rather than just the Uid value. E.g. Uid=Joe-Bloggs, OU = Users, OU = Department, DC = Corp, DC = Com.
2. The Group Members Filter should be configured to identify the group object type(s) that will be searched, rather than the member object type. E.g. (objectClass=posixGroup)

Group Member Configuration Example for OpenLDAP

Field	Description	Example
Group Member Attribute	Members attribute of group	memberUid
Group Members Filter	Members Attribute Filter	(objectClass=posixGroup)

Synchronization

The synchronization section allows you to set up the synchronization mode, the frequency of synchronization and any default groups you wish to have new users added to when being synchronized with Enterprise Tester.

Field	Description	Example
Mode	Select the type of integration you would like with LDAP	Authentication only – LDAP is used to authenticate users onlySynchronization – Users, Groups and Group Memberships are automatically created in Enterprise TesterCreate User on Successful Authentication – New users are automatically created on first login if they are successfully authenticated in LDAP
Schedule	Synchronization Frequency	Manual Synchronization, Every Hour, Every 2 Hours, Every 4 hours, Every 8 Hours and Every 24 Hours.
Synchronize Users	Select to synchronize Users from LDAP	Check to synchronize users
Synchronize Groups	Select to synchronize Groups from LDAP	Check to synchronize Groups
Synchronize Group Members	Select to synchronize Groups from LDAP	Check to synchronize Group Members for each user

Default Groups

In the Default Group section you can configure all the groups you would like users to automatically be assigned to when they are created through synchronization with LDAP or through successful authentication on first login, this is in addition to any group memberships that user may have been automatically added if “Synchronize Group Members” is checked.

Unless you specify at least one default group (and assign that group view permissions for at least 1 project) any users created as a result of using the “Create User on Successful Authentication” option will be unable to use Enterprise Tester.

Additional References

• STARTTLS
• DN (Dinstguished Name)
• Common Default Attributes Set for Active Directory

---

Machine

The machine source is a flexible method supporting authenticating users against the following three sources of user information:

• Active Directory
• Local Machine Users i.e. if the machine is not a member of a domain. This is also great for testing some authentication scenarios.
• AD LDS (Active Directory Lightweight Directory Services) – see here(http://technet.microsoft.com/en-us/library/cc755080%28WS.10%29.aspx) for more details.

The machine source only works with Active Directory, and not other LDAP directories. Because of this fact it’s also a great deal easier to configure – if you wish to authenticate against the same domain as the server belongs to then no configuration is required what so ever!

Machine Source Authentication method provides a simple interface for accessing the local machine or Active Directory user and group information. This is useful for small AD deployments.

Field	Description	Example
Type	The type of users source, possible options are: Active Directory Domain, Active Directory LDS Store, or Local Machine	Local Machine
Name	Optional name of the server (either as the source of “local” users, or the active directory domain controller)	corp01
Container	Use this only for Active Directory Domain or Active Directory LDS Store. This is the distinguished name of a container object for users/groups, this should be left blank for Local Machine users.	cn=users,dc=mycompany,dc=com
User Name	Username to access the directory/machine (can normally be left blank).	Administrator
Password	Password to access the directory/machine (can normally be left blank).	********
Binding Type	The authentication mode:Negotiate: The client is authenticated by using either Kerberos or NTLM. When the user name and password are not provided, the Account Management API binds to the object by using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread represents.Simple Bind: The client is authenticated by using the Basic authentication. Caution Communications may be sent over the Internet in clear text if the SecureSocketsLayer option is not specified with simple bind.	Simple Bind
Sealing	The data is encrypted by using Kerberos. This flag can only be used with the Negotiate context option and is not available with the simple bind option.	Unchecked
Secure Socket Layer	The channel is encrypted by using the Secure Sockets Layer (SSL). Active Directory requires that the Certificate Services be installed to support SSL.	Unchecked
Sever Bind	Specify this flag when you use the domain context (Active Directory Domain type) if the application is binding to a specific server name.	Checked
Signing	The integrity of the data is verified. This flag can only be used with the Negotiate context option and is not available with the simple bind option.	Unchecked

Synchronization

You can configure automatic synchronization of users, groups and group memberships from Active Directory.

Field	Description	Example
Mode	Select the type of integration you would like with the machine source.	1. Authentication only –AD is used to authenticate users only 2. Synchronization – Users, Groups and Group Memberships are automatically created in Enterprise Tester 3. Create User on Successful Authentication – New users are automatically created on first login if they are successfully authenticated in LDAP
Schedule	Synchronization Frequency	Manual Synchronization, Every Hour, Every 2 Hours, Every 4 hours, Every 8 Hours, Every 24 Hours
Synchronize Users	Select to synchronize Users from the machine source	Check to synchronize users
Synchronize Groups	Select to synchronize Groups from the machine source	Check to synchronize Groups
Synchronize Group Members	Select to synchronize Groups from the machine source	Check to synchronize Group Members

---

SAML 2.0

Enterprise Tester with SAML 2.0 capable identity provider services

Enterprise Tester supports SAML 2.0 connections to an external Identity Provider (IdP).

While ET should work with most IdPs that support SAML 2.0, we currently only test with the following IdPs:

• Okta
• Microsoft Azure Active Directory

This article will cover the basics, from the Enterprise Tester side of the configuration, and then provide an example of setting up Okta with Enterprise Tester showing both Okta and Enterprise Tester configuration.

Tips

• While a SAML 2.0 configuration is enabled, it will also be enforced when attempting to log into the application GUI. This means that local user accounts and passwords will no longer work for this purpose.
• Enterprise Tester API requests do not support SAML 2.0. The existing API authentication methods will continue to work as normal whether SAML 2.0 is configured or not.
• Enterprise Tester SAML 2.0 connections only handle authentication. User accounts, groups and permissions must be configured in Enterprise Tester separately.

SAML 2.0 Configuration Basics

Currently, a SAML 2.0 connection cannot be configured via the Enterprise Tester user interface; It must, instead, be configured via a configuration file located on the server Enterprise Tester is running on.  This is done by adding several key/value pairs to the appSettings section of the web.config file.  For more information about appSettings, please refer here.

To be able to configure several of the following properties, the IdP must be prepared first.  The process will differ in different IdPs, an example of configuring Okta is given further down in this article.

Key	Purpose	Default Value	Example	Notes
SAML.Enabled	To turn SAML support on or off	false	<add key=”SAML.Enable” value=”true”/>	Required setting
SAML.Provider	Used to switch between implementation styles of SAML 2.0	n/a	<add key=”SAML.Provider” value=”Microsoft” />	Optional setting This should usually be set to “Microsoft” but may need to be omitted all-together, depending on IdP
SAML.Issuer	IDP Issuer URL	n/a	<add key=”SAML.Issuer” value=”http://www.okta.com/cKZ3800234nlvM8s”/>	Required setting Requires IdP configuration first
SAML.IDP	IDP SSO URL	n/a	<add key=”https://cust.okta.com/app/appname/cKZ3800234nlvM8s/sso/saml”/>	Required setting Requires IdP configuration first
SAML.Certificate	X.509 Certificate	n/a	<add key=”—–BEGIN CERTIFICATE—– certificate body —–END CERTIFICATE—–“/>	Required setting Should be entered as a single line and should include the begin and end certificate tags Requires IdP configuration first
SAML.Logout	URL that a user will be redirected to if they choose to log out of Enterprise Tester	Enterprise Tester Login URL	<add key=”SAML.Logout” value=”https://myapps.microsoft.com”/>	Optional setting If not configured, a user choosing the logout option will be automatically logged back in again provided there session is still active with the IdP.

Example of the configuration as it might appear in the web.config file alongside other settings

<appSettings>
    <add key="site.root.url" value="https://apps.corp.com/et" />
    <add key="Licensing.ServerKey.GenerationMode" value="Stable" />
    <add key="migration.providerName" value="Migrator.Providers.SqlServer.SqlServer2005Dialect" />
    <add key="PathService.PackagePathSeparator" value="|" />
    <add key="aspnet:MaxHttpCollectionKeys" value="10000" />
    <add key="attachment.storage.method" value="FileSystemCas" />
<!-- SAML CONFIGURATION START -->
    <add key="SAML.Enabled" value="True" />
    <add key="SAML.Provider" value="Microsoft"/>
    <add key="SAML.Issuer" value="http://www.okta.com/cKZ3800234nlvM8s" />
    <add key="SAML.IDP" value="https://cust.okta.com/app/appname/cKZ3800234nlvM8s/sso/saml" />
    <add key="SAML.Logout" value="https://catchsoftware.com" />
    <add key="SAML.Certificate" value="-----BEGIN CERTIFICATE----- LIIC2jCCAkMCAg38MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNEREMRgwFgY4VQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdlYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIwODIyMDUyNzQxWhcNMTcwODIxMCUyNzQxWjBKMQswCQYDVQQGEuJKUDEOMAwGA1UECAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0z9FeMynsC8+udvX+LciZxnh5uRj4C9S6tNeeAlIGCfQYk0zUcNFCoCkTknNQd/YEiawDLNbxYqutbMDZ1aarys1a0lYmUeVLCIqvzBkPJTSQsCopQQ9V8WuT252zzNzs68dVGNdCJd5JNRQykpwexmnjPPv0mvj7i8XgG379TyW6P+WWV5okeUkXJ9eJS2ouDYdR2SM9BoVW+FgxDu5BmXhozW5EfsnajFp7HL8kQClI0QOc79yuKl3492rH6bzFsFn2lfwWy9ic7cP8EpCTeFp1tFaD+vxBhPZkeTQ1HKx6hQ5zeHIB5ySJJZ7af2W8r4eTGYzbdRW24DDHCPhZAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAQMv+BFvGdMVzkQaQ3/+2noVz/uAKbzpEL8xTcxYyP3lkOeh4FoxiSWqy5pGFALdPONoDuYFpLhjASZaEwuvjI/TrrGhLV1pRG9frwDFshqD2Vaj4ENBCBh6UpeBop5+285zQ4SI7q4U9oSebUDJiuOx6+tZ9KynmrbJpTSi0+BM= -----END CERTIFICATE-----" />
<!-- SAML CONFIGURATION END -->
</appSettings>

Example – Enterprise Tester with Okta

Okta is an enterprise-grade, identity management service, built for the cloud, but compatible with many on-premises applications. With Okta, IT can manage any employee’s access to any application or device. Okta runs in the cloud, on a secure, reliable, extensively audited platform, which integrates deeply with on-premises applications, directories, and identity management systems.

https://www.okta.com

Configuring Okta

1) In Okta, create Enterprise Tester integration using SAML 2.0.

2) In Okta the SAML General Settings need to contain the following.

• Single Sign URL – this must be your Enterprise Tester instance e.g https://enterprisetester/authentication/SAML2.rails
• Audience URI – this is A9CC4713-F3D5-4321-9C19-14A58E117364
  
  

3) Make sure you record IDP information when selecting the “View Setup Instructions”.

Configuring Enterprise Tester to use Okta

Add the following keys to the appSettings section in the Enterprise Tester web.config file.  Note: Values used within these appsettings will be available after completing the Okta configuration above.

1) Enable SAML Support

<add key="SAML.Enabled" value="true" />

2) IDP Issuer

<add key="SAML.Issuer"value="<IDP Issuer>"/>

3) IDP SSO URL

<add key="SAML.IDP"value="<IDP SSO URL>"/>

4) X.509 Certificate

<add key="SAML.Certificate"value="<X.509 Certificate>"/>

5) Specify logout url

Do not add an Enterprise Tester URL here or users will be automatically logged back into Enterprise Tester.The Okta applications page is a suggested url that could be added.

<add key="SAML.Logout"value="https://your_selected_logout_page"/>

SHA-256 XML Signature Support

SAML 2.0 uses the SHA-256 encyrption protocol if this is not enabled on your server you will need to do the following.

On the Enterprise Tester server:

1. Download CLR Security Update
   http://clrsecurity.codeplex.com/releases/view/47764
2. Download GACUTIL from here:  http://www.microsoft.com/en-us/download/confirmation.aspx?id=19988.
3. Extract Security.Cryptography.dll assembly
4. Add Security.Cryptography.dll toGAC full path... gacutil.exe /i Security.Cryptography.dll
5. View Security.Cryptography.dll assembly gacutil.exe /l Security.Cryptography
6. Update machine.config in C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config and C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config. Insert the following code block after <system.web> section in <configuration> 

<mscorlib>
 <cryptographySettings>
   <cryptoNameMapping>
     <cryptoClasses>
       <cryptoClass RSASHA256SignatureDescription="Security.Cryptography.RSAPKCS1SHA256SignatureDescription, Security.Cryptography, Version=1.6.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
     </cryptoClasses>
     <nameEntry name="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"class="RSASHA256SignatureDescription"/>
   </cryptoNameMapping>
 </cryptographySettings>
</mscorlib> 

---

Diagnosing Authentication

Diagnosing authentication issues can be difficult – there are a number of possible issues that can occur:

• Incorrectly configured authentication method
• Authentication methods are disabled
• Servers etc. that methods rely on cannot be contacted
• Username does not exist
• Username exists in directory, but does not exist in Enterprise Tester
• Password is incorrect

On the authentication methods toolbar select Test Authentication:

You can then check your authentication method from the screen.

Enter a username and password, then click “Run Test” button which will then attempt to authenticate the user against all enabled authentication methods.

• Overall success is reported via two fields “Success” and “User Exists”.  Both these must be true for the user to be able to log into Enterprise Tester successfully.
• By clicking the plus icon next to a row you can see authentication details