Configure Single Sign-On Enterprise

TestGen supports Single Sign-On (SSO) through any authentication provider that implements the OpenID Connect (OIDC) protocol, such as Okta, Microsoft Entra ID, Auth0, or Ping Identity.

When SSO is enabled, users authenticate through your identity provider instead of using TestGen's built-in login. System administrators can still assign roles to users and manage project membership from the Administration console.

Prerequisites

  • TestGen instance installed using dk-installer, as outlined in Install Enterprise.
  • An OIDC-compatible identity provider with a registered application. You will need: client ID, client secret, and the provider's server metadata URL.

Configure your identity provider

  1. Create a new application registration in your identity provider for TestGen.
  2. Set the redirect URI to your TestGen base URL (for example, https://testgen.example.com).
  3. Note the client ID, client secret, and server metadata URL for use in the next step.
  4. Optional. To grant system administrator access via SSO, create an admin role in your identity provider and assign it to the appropriate users. Configure the provider to include assigned roles in the roles claim of the ID token.

Configure TestGen

  1. Navigate to the directory that contains the docker-compose.yml file for TestGen.
  2. Create a file named sso_auth.toml in the same directory with the following content. Replace the placeholders with values from your identity provider.

    [auth]
    redirect_uri = "<testgen-base-url>"
    cookie_secret = "<random-string>"
    client_id = "<oidc-client-id>"
    client_secret = "<oidc-client-secret>"
    server_metadata_url = "https://<oidc-domain>/.well-known/openid-configuration"
    

  3. Add the following SSO environment variables under the x-common-variables section in docker-compose.yml.

    x-common-variables: &common-variables
     TG_USE_SSO_AUTH: yes
     TG_SSO_ROLES_CLAIM: roles
     TG_DEFAULT_ROLE: <default-role>
    

  4. Add a volume mount to the engine service in docker-compose.yml to make the TOML file available to TestGen.

    volumes:
     - type: bind
       source: ./sso_auth.toml
       target: /dk/.streamlit/secrets.toml
    

  5. Restart the application.

    docker compose up -d --wait
    

How roles work with SSO

When a user logs in through SSO, TestGen checks the roles claim in the ID token for the value admin (case-insensitive). If found, the user is granted system administrator access. The user's project-level roles are managed separately through project membership.

To set the claim name to something other than roles, update the TG_SSO_ROLES_CLAIM variable in docker-compose.yml.

System administrators can assign project roles (such as Data Quality or Analyst) to users from the Administration console after the user's first login.
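
To confirm what your identity provider actually places in the ID token, this added example (not TestGen's own code) decodes a token payload and applies the admin rule described above, reporting a missing or misnamed claim. It reads the payload without verifying the signature, so it is for inspection only. Assumptions: the claim is a list of strings or a single string, the match is on the whole value, and all function names and sample claims are constructed for illustration.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature, for offline use only."""
    return f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url(claims)}.c2ln"


def decode_claims(id_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def grants_admin(claims: dict, roles_claim: str = "roles") -> bool:
    """Documented rule: the value 'admin', case-insensitive, in the roles claim."""
    value = claims.get(roles_claim)
    if isinstance(value, str):       # assumption: some providers emit one string
        value = [value]
    if not isinstance(value, list):  # claim missing or of an unexpected type
        return False
    return any(isinstance(r, str) and r.lower() == "admin" for r in value)


def diagnose(id_token: str, roles_claim: str = "roles") -> str:
    """Explain why a token would or would not yield administrator access."""
    claims = decode_claims(id_token)
    if roles_claim not in claims:
        return f"claim '{roles_claim}' absent: provider is not emitting roles"
    if grants_admin(claims, roles_claim):
        return "admin"
    return f"claim '{roles_claim}' present without admin: {claims[roles_claim]!r}"


if __name__ == "__main__":
    # Constructed sample claims; subjects and role names are made up.
    for c in ({"sub": "u1", "roles": ["Analyst", "Admin"]},
              {"sub": "u2", "groups": ["admin"]},
              {"sub": "u3", "roles": ["administrator"]}):
        print(c["sub"], "->", diagnose(make_sample_token(c)))
```

Pass the same claim name you set in TG_SSO_ROLES_CLAIM as `roles_claim` when your provider uses something other than roles.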
