
Configure Single Sign-On Enterprise

TestGen supports Single Sign-On (SSO) through any authentication provider that implements the OpenID Connect (OIDC) protocol, such as Okta, Microsoft Entra ID, Auth0, or Ping Identity.

When SSO is enabled, users authenticate through your identity provider instead of using TestGen's built-in login. Admins can still assign roles to users from the User Access page.

Prerequisites

  • TestGen instance installed using dk-installer, as outlined in Install Enterprise.
  • An OIDC-compatible identity provider with a registered application. You will need: client ID, client secret, and the provider's server metadata URL.

Configure your identity provider

  1. Create a new application registration in your identity provider for TestGen.
  2. Set the redirect URI to your TestGen base URL (for example, https://testgen.example.com).
  3. Note the client ID, client secret, and server metadata URL for use in the next step.
  4. Optional. To grant admin access via SSO, create an admin role in your identity provider and assign it to the appropriate users. Configure the provider to include assigned roles in the roles claim of the ID token.

Configure TestGen

  1. Navigate to the directory that contains the docker-compose.yml file for TestGen.
  2. Create a file named sso_auth.toml in the same directory with the following content. Replace the placeholders with values from your identity provider.

    [auth]
    redirect_uri = "<testgen-base-url>"
    cookie_secret = "<random-string>"
    client_id = "<oidc-client-id>"
    client_secret = "<oidc-client-secret>"
    server_metadata_url = "https://<oidc-domain>/.well-known/openid-configuration"
    

  3. Add the following SSO environment variables under the x-common-variables section in docker-compose.yml.

    x-common-variables: &common-variables
     TG_USE_SSO_AUTH: yes
     TG_SSO_ROLES_CLAIM: roles
     TG_DEFAULT_ROLE: <default-role>
    

  4. Add a volume mount to the engine service in docker-compose.yml to make the TOML file available to TestGen.

    volumes:
     - type: bind
       source: ./sso_auth.toml
       target: /dk/.streamlit/secrets.toml
    

  5. Restart the application.

    docker compose up -d --wait
    

How roles work with SSO

When a user logs in through SSO, TestGen checks the roles claim in the ID token for the value admin (case-insensitive). If found, the user is assigned the admin role. Otherwise, the user is assigned the default role specified by TG_DEFAULT_ROLE (defaults to business).

To set the claim name to something other than roles, update the TG_SSO_ROLES_CLAIM variable in docker-compose.yml.

Admins can assign other roles (such as Data Quality or Analyst) to users from the User Access page after the user's first login.
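
The role rule described in this section, written out as a small Python function. This is an added illustration, not TestGen's own code: the function names, the whole-value comparison, the handling of a bare-string claim, and the fallback claim name `roles` are assumptions, and the claims are taken to come from an ID token that has already been verified.

```python
import os

ADMIN_ROLE = "admin"


def claim_values(claims, claim_name):
    """Return the role strings found in the named claim, normalised for comparison."""
    raw = claims.get(claim_name)
    if isinstance(raw, str):
        raw = [raw]            # assumption: a provider may emit a single role as a bare string
    if not isinstance(raw, (list, tuple)):
        return []              # claim missing or of an unexpected type
    return [v.strip().lower() for v in raw if isinstance(v, str)]


def resolve_role(claims, env=None):
    """Map verified ID-token claims to the role assigned at login (hypothetical helper)."""
    env = os.environ if env is None else env
    claim_name = env.get("TG_SSO_ROLES_CLAIM", "roles")
    default_role = env.get("TG_DEFAULT_ROLE", "business")
    # Whole-value, case-insensitive match: "Admin" qualifies, "admin-readonly" does not.
    if ADMIN_ROLE in claim_values(claims, claim_name):
        return ADMIN_ROLE
    return default_role


# Constructed sample claims, shaped like the payload of an already-verified ID token.
SAMPLES = {
    "list with mixed case": {"sub": "u1", "roles": ["Viewer", "ADMIN"]},
    "bare string": {"sub": "u2", "roles": "admin"},
    "near miss": {"sub": "u3", "roles": ["admin-readonly"]},
    "claim absent": {"sub": "u4"},
    "custom claim name": {"sub": "u5", "groups": ["Admin"]},
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        print(f"{label:22} -> {resolve_role(claims, env={})}")
    print("custom claim, TG_SSO_ROLES_CLAIM=groups ->",
          resolve_role(SAMPLES["custom claim name"], {"TG_SSO_ROLES_CLAIM": "groups"}))
```

The "custom claim name" sample falls back to the default role until `TG_SSO_ROLES_CLAIM` names the claim the provider actually emits, which is the symptom to look for when an expected admin logs in with the default role.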
