User Provisioning and Deprovisioning with SCIM 2.0

User Provisioning and Deprovisioning with SCIM 2.0 is an Advanced Feature.

Introduction

Implementing SCIM 2.0 for provisioning and de-provisioning users provides a standardized and efficient method for managing user identities across various systems and applications. It involves the automated creation, updating, and removal of user accounts across multiple systems.

QMetry supports SCIM 2.0 for automatic user provisioning and de-provisioning, which reduces manual intervention and potential errors. Its other benefits are:

  • It ensures consistency of user data across multiple systems, reducing the risk of discrepancies or outdated information.

  • It streamlines the user lifecycle management process, saving time and resources for both IDPs and SPs.

  • It helps enforce access control policies and maintain data security by promptly removing access for deactivated users.

SCIM settings are configured at the instance level and can only be managed by the Super Administrator.

Step 1. Enable SCIM in QMetry

Enabling SCIM in QTM involves configuring the application to support the SCIM standard and setting up the necessary endpoints and authentication mechanisms to communicate with an identity provider like Okta.

First, you need to enable the SCIM Provisioning in QTM.

Required Permission: Only the Super Administrator of the QTM instance can access and enable the SCIM feature.

Steps:

1. Log into QTM with Super Admin credentials.

2. Go to Integration > SCIM.

3. SCIM Provisioning: Turn on this option to enable SCIM Provisioning.

The screen displays the SCIM Base URL together with the following details. The SCIM administrator must use this URL to integrate the SCIM system with QMetry.

  • Supported SCIM 2.0 tool: Okta. Use the following syntax for the Group Name and the Custom Attribute in Okta.

    • Group Name: QMetry_{ProjectKey}_{Role} for QMetry project and role mapping.

    • Custom Attribute: QMetry_User_LicenseType for mapping the license type (Regular or Read-Only).

The confirmation message pops up once you enable the SCIM Provisioning settings.

4. Click “Yes” to proceed. The success message pops up.

After enabling the SCIM settings, user provisioning, de-provisioning and assignment of users to projects will be directly managed through SCIM. Only the Super Admin of QMetry will possess the permissions to manage and assign users from within QMetry. Any other user, regardless of their role or permissions, will be unable to create, update users, or assign/unassign users to projects and roles.

Allotting and Managing User License Types (Regular or Read-Only)

QMetry allows the admin to choose how to manage user license types—either automatically or manually—through QMetry or SCIM. The admin can select from the following options:

  • Automatic Management: QMetry will automatically assign and manage user license types based on the user's assigned projects, roles, and available licenses.

    • If a user is assigned only read-only roles for all projects, QMetry will automatically assign a "Read-Only" license, provided there are available Read-Only licenses.

    • If a user has at least one project with a non-read-only role, QMetry will automatically assign a "Regular" license, as long as Regular licenses are available.

  • Manual Management: The SCIM administrator can manually assign and manage user license types using the custom attribute QMetry_User_LicenseType.

Understanding Scenarios for Automatic User License Management in QMetry

QMetry intelligently assigns and manages user licenses based on the user's assigned projects, roles, and available licenses. Below are different scenarios outlining how licenses are allotted:

Scenario A - Sufficient Regular Licenses and Read Only Licenses Remaining

| Scenario | User License Action | Activation Status |
|---|---|---|
| A new user is created with the Read Only role assigned to all projects | Read Only | User Active. |
| A new user is created with a Non-Read Only role (Admin, Tester, QA Manager, etc.) assigned to any project | Regular | User Active. |
| A new user is created with all Non-Read Only roles (Admin, Tester, QA Manager, etc.) assigned to projects | Regular | User Active. |
| User Update (Current License: Read Only) | | |
| User has All Project Access as Read Only and a new project with the Read Only role is assigned | Read Only | Older projects remain as assigned. The new project/role is assigned as Read Only. |
| User has All Project Access as Read Only and a new/existing project with a Non Read Only role is assigned | License Type Changed to Regular | Older projects remain as assigned. The new/updated project/role is assigned. |
| User Update (Current License: Regular) | | |
| User has All Project Access as Non-Read Only and a new project with a Non-Read Only role is assigned | Regular | Older projects remain as assigned. The new/updated project/role is assigned. |
| User has All Project Access as Non-Read Only and a new project with the Read Only role is assigned | Regular | Older projects remain as assigned. The new project/role is assigned. |
| The user has all projects assigned/updated as Read Only | License Type Changed to Read Only | Older projects remain as assigned after the project with the non-read-only role is removed. The updated/new project/role is assigned. |

Scenario B - Sufficient Regular Licenses and No Read Only Licenses Remaining/Not Purchased

| Scenario | License Action | Activation Status |
|---|---|---|
| A new user is created with the Read Only role assigned to all projects | Regular License | Activate user. |
| A new user is created with any one Non Read Only role (Admin, Tester, QA Manager, etc.) assigned to any project | Regular License | Activate user. |
| User Update (Current License: Read Only) | | |
| User has All Project Access as Read Only and a new project with the Read Only role is assigned | Read Only | Older projects remain as assigned. Assign the new project/role. |
| User has All Project Access as Read Only and a new/existing project with a Non Read Only role is assigned | License Type Changed to Regular | Older projects remain as assigned. Assign the new/updated project/role. An audit log entry is recorded for the auto-conversion. |
| User Update (Current License: Regular) | | |
| User has All Project Access as Non Read Only and a new project with a Non Read Only role is assigned | Regular | Older projects remain as assigned. Assign the new project/role. |
| User has All Project Access as Non Read Only and a new project with the Read Only role is assigned | Regular | Older projects remain as assigned. Assign the new project/role. |
| User has all projects assigned as Read Only | Keep License Type as Regular | Older projects remain as assigned after the project with the non-read-only role is removed. |

Important: The SCIM Admin needs to push the group under the Push Groups tab, or assign/unassign the project to the same user.

Scenario C - Regular Licenses Exhausted and Read Only Licenses Available

| Scenario | License Action | Activation Status |
|---|---|---|
| A new user is created with the Read Only role assigned to all projects | Read Only | Activate user. |
| A new user is created with any one Non Read Only role (Admin, Tester, QA Manager, etc.) assigned to any project | Error - Active regular user limit exceeded. Please contact your QMetry admin to increase license limit or deactivate other users. | |
| User Update (Current License: Read Only) | | |
| User has All Project Access as Read Only and a new project with the Read Only role is assigned | Read Only | Older projects remain as assigned. The new project with its role will be assigned. |
| User has All Project Access as Read Only and a new/existing project with a Non Read Only role is assigned | Read Only | Error - QMetry could not automatically update the user license type to ‘Regular’ because the current limit for Regular license has been exhausted. To resolve this issue, please either deactivate existing Regular license users or purchase additional licenses. Older projects remain as assigned. |
| User Update (Current License: Regular) | | |
| User has All Project Access as Non Read Only and a new project with a Non Read Only role is assigned | Regular | Older projects remain as assigned. The new project/role is assigned. |
| User has All Project Access as Non Read Only and a new project with the Read Only role is assigned | Regular | Older projects remain as assigned. The new project/role is assigned. |
| User has all projects assigned as Read Only | License Type Changed to Read Only | Older projects remain as assigned after the project with the non-read-only role is removed. The updated/new project/role is assigned. |
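The three scenario tables describe one decision procedure. The Python below is an added example, not QMetry's code, that models that procedure so the outcome of a pushed group change can be predicted before it happens; the LicensePool and User shapes are assumptions, and the model also covers a new read-only user when both license pools are empty, a case the tables leave open.

```python
# Added example, not QMetry's code: a model of the automatic license
# management rules in Scenarios A, B and C. LicensePool and User are
# assumed data shapes; the decision rules follow the tables.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

READ_ONLY = "Read Only"
REGULAR = "Regular"

REGULAR_EXHAUSTED = ("Error - Active regular user limit exceeded. Please contact your "
                     "QMetry admin to increase license limit or deactivate other users.")
CONVERT_FAILED = ("Error - QMetry could not automatically update the user license type "
                  "to 'Regular' because the current limit for Regular license has been "
                  "exhausted.")


@dataclass
class LicensePool:
    regular_free: int
    read_only_free: int


@dataclass
class User:
    license: Optional[str] = None                         # None = not yet provisioned
    roles: Dict[str, str] = field(default_factory=dict)   # {project_key: role}


def requires_regular(roles: Dict[str, str]) -> bool:
    """A Regular license is needed when any project role is not Read Only."""
    return any(role != READ_ONLY for role in roles.values())


def apply_assignment(user: User, desired_roles: Dict[str, str],
                     pool: LicensePool) -> Tuple[Optional[str], str]:
    """Apply the project/role map that results from a pushed group change.

    Returns (license_type, status). On an error the user's existing
    projects and license stay as they were ("older projects remain").
    """
    wants_regular = requires_regular(desired_roles)

    if user.license is None:                              # new user
        # Scenario B: with no Read Only licenses, a read-only user gets Regular.
        if wants_regular or pool.read_only_free == 0:
            if pool.regular_free == 0:
                # Scenario C, new user with a non-read-only role. The tables do
                # not cover a read-only user with both pools empty; this model
                # (an assumption) reports the same error for that case.
                return None, REGULAR_EXHAUSTED
            pool.regular_free -= 1
            user.license = REGULAR
        else:
            pool.read_only_free -= 1
            user.license = READ_ONLY
        user.roles = dict(desired_roles)
        return user.license, "User Active."

    if user.license == READ_ONLY and wants_regular:       # Read Only -> Regular
        if pool.regular_free == 0:
            return READ_ONLY, CONVERT_FAILED              # Scenario C: nothing assigned
        pool.regular_free -= 1
        pool.read_only_free += 1
        user.license = REGULAR
        user.roles = dict(desired_roles)
        return REGULAR, "License Type Changed to Regular (auto-conversion audited)."

    if user.license == REGULAR and not wants_regular:     # every project now Read Only
        user.roles = dict(desired_roles)
        if pool.read_only_free == 0:
            return REGULAR, "Keep License Type as Regular."   # Scenario B
        pool.read_only_free -= 1
        pool.regular_free += 1
        user.license = READ_ONLY
        return READ_ONLY, "License Type Changed to Read Only."

    user.roles = dict(desired_roles)                      # license type unchanged
    return user.license, "Older projects remain as assigned. New project/role are assigned."
```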

Step 2. Create SAML App Integration in Okta

You can create SAML app integration in Okta and enable secure single sign-on (SSO) for your users accessing the application.

To create SAML app integration in Okta, follow the steps mentioned below.

Steps

1. Log into the Okta Admin account.

2. Go to Applications > Applications.

3. Click on the Create App Integration button.

4. Select SAML 2.0 as the Sign-in method.

5. Click Next.

6. Enter the App Name and click Next.

7. Enter the following details.

  • Single sign-on URL: Enter URL with the OrgCode.

For example, the Organization Code is QTMTST1.

  • Select Use this for Recipient URL and Destination URL.

  • Audience URI (SP Entity ID): Enter your application's Entity ID, i.e., the OrgCode.

  • Application username: The default value to use for a user's application username. Select “Okta username prefix” on the list.

8. Click Next.

9. Select This is an internal app that we have created.

10. Click Finish.

The integration is created in the Okta org. You can modify the integration's parameters and assign it to users.

Step 3. Add SCIM Provisioning in Okta

You can add SCIM provisioning in Okta for the QTM application, allowing for automated user provisioning and management between Okta and the QTM application.

Steps

1. Once the app integration is created in Okta, open the created app by clicking on it.

2. Open the General tab.

3. Click Edit to edit the App Settings.

4. Provisioning: Select SCIM to enable the provisioning for SCIM.

5. Click Save to save the settings.

The Provisioning tab will be visible.

Step 4. Select Provisioning Options

QTM supports the following provisioning features.

  • Push New Users

  • Push Profile Updates

  • Push Groups

Steps

1. On the integration's settings page, open the Provisioning tab. The SCIM connection settings appear under Settings > Integration.

2. Edit the SCIM Connection settings by clicking on the Edit button.

3. Enter the following details:

  • SCIM connector base URL: Enter the SCIM connector base URL. You can get the Base URL from Integration > SCIM in QMetry. The syntax for the SCIM connector base URL is {QTM_url}/scim/v2. For example, https://qtmcloud.qmetry.com/scim/v2

  • Unique identifier field for user: Enter the field name of the unique identifier for the users on the SCIM server. This is a static parameter value. For example, userName.

  • Supported provisioning actions: Select the provisioning actions supported by the SCIM Server. The following provisioning features are supported:

    • Push New Users: This option populates the Settings > To App page, and contains settings for all the user information that flows from Okta into the SCIM app.

    • Push Profile Updates: This option populates the Settings > To App page, and contains settings for all profile information that flows from Okta into the SCIM app.

    • Push Groups: This option populates the Settings > To App page, and contains settings for all group information that flows from Okta into the SCIM app.

  • Authorization Mode: This is the mode you want Okta to use to connect to your SCIM app. Select HTTP Header.

  • Authorization: To authenticate using HTTP Header, you need to provide a bearer token that will provide authorization against your SCIM app. Enter the Open API Key of the Super Admin of the QTM instance.

  1. Log in to QMetry Test Management.

  2. Go to Integration > Open API.

  3. Locate the Generate Open API section and click Generate to generate the Open API Key.

  4. Copy the key and paste it into the Authorization field in Okta.

4. Click on the Test Connector Configuration to test the configuration.

The success message appears on the successful configuration of the connector. Close the pop-up.

5. Once the connector configuration is successful, click Save to save the configuration.

Step 5. Configuration Settings for “To App” Provisioning

When configuring "To App" provisioning in Okta, you'll need to define several settings that enable the synchronization of user data from Okta to the QTM application.

Steps

1. Log into Okta with an Admin account.

2. Go to Applications > Applications.

3. Open the Provisioning tab.

You can see the To App and To Okta tabs along with the Integration tab.

4. Open the To App tab.

You can configure what is to be copied from Okta to the QMetry app integration.

5. Click Edit to change configuration settings.

6. Select the required provisioning to the app.

  • Create Users: Creates or links a user in the app integration (e.g., QTM App SCIM) when assigning the app to a user in Okta. It assigns a new external application account to each user managed by Okta. Okta sends a random password in its request to create a user.

  • Update User Attributes: Okta updates a user's attributes in the integrated app (e.g., QTM App SCIM) when the app is assigned. Any attribute changes made to the Okta user profile will automatically overwrite the corresponding attribute value in the integrated app (e.g., QTM App SCIM).

  • Deactivate User: Deactivates user accounts when the users are unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta.

7. Click Save.

The mappings are enabled.

Step 6. License Type Mapping - as Custom Attribute

If Automatic User License Management is enabled in QMetry, then this step can be skipped.

In Okta, the "Directory" refers to the user profile attributes stored within the Okta platform. The "Profile Editor" allows you to customize these attributes and their mappings. You can tailor user attributes to meet the specific requirements of your organization for seamless integration and data synchronization.

We need to add a custom attribute “QMetry_User_LicenseType” for mapping the license type (Regular or Read-Only).

The user license type can be changed (from Regular to Read-Only and vice versa), without needing to unassign and reassign the projects, only if the user has read-only access to all projects.

Steps to perform attribute mapping in the Directory > Profile Editor are mentioned below.

Steps

1. Log in to your Okta Admin account.

2. Go to Directory and select Profile Editor.

3. Open the default Okta profile by clicking on it.

4. Add a new custom attribute, or edit the existing custom attribute, “QMetry_User_LicenseType” for mapping the license type (Regular or Read-Only).

5. After adding the values, save the attribute.

If the Attribute required parameter is marked as "Yes", the first value will be used as default when people are added to Okta.

6. Now go back to Profiles.

7. Open the QTM application by clicking on it.

8. Add a new custom attribute, or edit the existing custom attribute, “QMetry_User_LicenseType” for mapping the license type (Regular or Read-Only).

9. After adding the values, save the attribute.

  • External namespace: While adding an attribute, enter urn:ietf:params:scim:schemas:core:2.0:User as External namespace. The external namespace is used to refer to the namespace in the external system. It allows you to use additional or custom user attributes beyond what is provided by default in SCIM.

10. Go back to the Profile.

11. Click Mappings for the user profile.

12. Select Okta User to {QTM App} tab for mapping the user profile.

13. Click on the Save Mappings button to save the user profile mapping between the apps.

Step 7. Refresh App Groups

The Refresh App Groups option allows you to manually trigger a refresh of the groups from the external application. This action pulls the latest group information (including group names and memberships) from the QTM application into Okta.

Steps

1. Open the Push Groups tab.

2. Click on the Refresh App Groups button. It brings the groups created in the QMetry application into Okta, and the App group import starts.

You can verify Groups under Directory > Groups.

The screen displays Okta groups and App groups. The icon is the differentiator between groups created in QMetry and groups created in Okta.

Groups with the Okta icon are created in Okta, whereas Groups without the Okta icon are created in App.

You can also apply filters on Okta groups and App groups.

Once the QTM app is configured with Okta, all roles or user groups in QMetry will be synced in Okta using the following syntax:

Syntax of Group: QMetry_{ProjectName}_{RoleName}

Example: QMetry_QTM_Tester

This group's membership cannot be modified because the group is managed automatically by Okta.
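The group naming convention (Steps 7 and 8) and the custom license attribute mapped into the core User namespace (Step 6) are the two conventions a receiving SCIM server has to validate before acting on a push. The Python below is an added example, not QMetry's or Okta's code: it parses group names into project/role assignments while tolerating underscores inside role names, and reads the custom attribute with a schema check; the "Regular"/"Read-Only" values, the top-level placement of the attribute and the sample payload are assumptions.

```python
# Added example, not QMetry's or Okta's code: checks a receiving SCIM server
# could apply to the conventions this page relies on, the group name
# QMetry_{ProjectKey}_{Role} and the custom attribute QMetry_User_LicenseType
# mapped into the core User namespace. The attribute values "Regular"/"Read-Only"
# and the sample payloads are assumptions constructed for the example.
from typing import Dict, List, Optional, Tuple

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # External namespace from Step 6
GROUP_PREFIX = "QMetry_"
LICENSE_ATTR = "QMetry_User_LicenseType"
VALID_LICENSE_VALUES = {"Regular", "Read-Only"}  # assumed spellings of the two license types


def parse_group_name(display_name: str) -> Optional[Tuple[str, str]]:
    """Split 'QMetry_{ProjectKey}_{Role}' into (project_key, role).

    Role names can contain underscores (QA_Manager), so only the first two
    separators are significant. Names outside the convention return None so
    that ordinary Okta groups (e.g. 'Everyone') never drive project access.
    """
    if not display_name.startswith(GROUP_PREFIX):
        return None
    parts = display_name.split("_", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None
    return parts[1], parts[2]


def assignments_from_groups(group_names: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Turn a user's pushed group names into {project_key: [roles]} plus the
    list of names ignored because they do not follow the convention."""
    assignments: Dict[str, List[str]] = {}
    ignored: List[str] = []
    for name in group_names:
        parsed = parse_group_name(name)
        if parsed is None:
            ignored.append(name)
            continue
        project, role = parsed
        assignments.setdefault(project, []).append(role)
    return assignments, ignored


def license_type_from_user(resource: dict) -> Optional[str]:
    """Read QMetry_User_LicenseType from a SCIM User resource.

    Because the attribute's External namespace is the core User schema, it is
    assumed to arrive as a top-level attribute rather than under an extension
    URN key. A missing attribute means automatic license management decides;
    an unknown value is rejected instead of being guessed at.
    """
    if CORE_USER_SCHEMA not in resource.get("schemas", []):
        raise ValueError("not a SCIM 2.0 core User resource")
    value = resource.get(LICENSE_ATTR)
    if value is None:
        return None
    if value not in VALID_LICENSE_VALUES:
        raise ValueError(f"unexpected {LICENSE_ATTR} value: {value!r}")
    return value


# Constructed sample of what a "Push New Users" request body might carry.
SAMPLE_USER = {
    "schemas": [CORE_USER_SCHEMA],
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"primary": True, "value": "jane.doe@example.com"}],
    "active": True,
    LICENSE_ATTR: "Read-Only",
}
SAMPLE_GROUPS = ["Everyone", "QMetry_QTM_Tester", "QMetry_QTM_QA_Manager", "QMetry_PRJ_"]

if __name__ == "__main__":
    print(license_type_from_user(SAMPLE_USER))
    print(assignments_from_groups(SAMPLE_GROUPS))
```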

Step 8. Create a New Group in Okta

You need to create a Group in Okta for the QMetry project and role mapping.

Steps

1. Go to Directory > Groups.

2. Click on the Add Group button.

3. Enter the Name of the group. The following is the syntax of the Group Name:

QMetry_{ProjectKey}_{Role}

4. Click Save.

The Group is added to the list.

Step 9. Assign an App Integration to a Group

When app integrations belong to the same group, they are considered "linked." This feature can be particularly useful when there's a need to incorporate provisioning functionality within an SSO-enabled app integration.

Steps

1. In the Admin Console, go to Applications > Applications.

2. Locate the app integration on the list. You can search for the app integration using the Search field if the list is long.

3. Open the app integration once you locate it.

4. Open the Assignments tab.

5. Click Assign and select Assign to Groups.

6. Locate the group to which you want to assign the app integration and click Assign.

Verify the attributes set on the Assign <application name> to Groups dialog.

7. Click Save and Go Back.

The Assign button transforms into "Assignment" and becomes disabled, signifying that the app integration has been assigned to the group.

8. Click Done.

The app integration is assigned to the group, and subsequently, it is also assigned to each user within that group. Each user's assignment type for the app integration is categorized as Group, and this information can be accessed from the Assignments tab of the integration.

9. Open the Groups tab.

You can see the assignment for the group.

Step 10. Push Groups

You can set up group push in SCIM from Okta to the QTM application, which allows automated management of group memberships across Okta and QTM.

Once SCIM is enabled for your Okta organization and you have configured the SCIM app for the QTM application, you can then configure Group Push.

In Okta, configure group push settings for the SCIM app associated with the QTM application. This involves specifying which groups should be pushed to the application and mapping Okta group attributes to corresponding attributes in the QTM application.

Steps

1. Open the Push Groups tab for the app.

2. Open the Push Groups drop-down and select Find groups by name.

3. Search the group name.

Matching group names are suggested. Select the applicable one.

4. Select Push group memberships immediately.

5. Click Save.

You can see the group created in Okta.

  • Match result & push action: Select Link Group under this section. If a match is found in the QTM Role, it will get linked to the group.

6. Click Save to save the settings.

The group gets linked automatically.

Step 11. Assign People to a Group

You can assign people to a group in Okta, which allows you to manage access permissions and group-based policies effectively within your organization.

Steps

1. Log into Okta with an Admin account.

2. Go to Directory > Groups.

3. Locate the group on the list. Search the group name using Search if the list is long. You can also use the Advanced Search.

4. Open the group by clicking on it.

5. Click on the Assign people button to assign the person to the group.

6. Click on the “+” icon to add people to the group.

The user is assigned to the group. Once you assign people to the group, their status will show “Assigned”.

7. Click Done to return to the People tab.

You can verify the people assignment in the group from the Assignments tab > People section.

Step 12. Verify Users in QMetry

Once a group is assigned to a user in Okta, based on the Project Name and Role Name mentioned in the group name, users will be created and assigned in the QTM instance.

  • Users are created in QTM with their attributes of username, alias, first name, last name, and email.

  • Users with the “QMetry” Authentication type receive an email with the username and temporary password to log in to QMetry. Users can then reset their password.

  • If a user in Okta has no groups, or their group has not been pushed from Okta, assigning the Okta application to that user creates a user in QMetry with no projects assigned.

  • As a best practice, the default project and role must be switched off while SCIM is enabled.

  • Only the Super Administrator can create users, update user details, assign or unassign projects, activate or deactivate users, and delete users.

In the QTM instance, you can see the users are added to Customization > Users.

Users are also assigned to the project with the role.

Go to Projects > Project / Release / Cycle.

Open the Users tab.

If a user is inactivated/removed from Okta, the Status appears as “Inactive” if the user does not have any other projects assigned to them.

View Audit Logs

Audit logs are captured for all the operations like enabling or disabling SCIM settings, project assignments, user creation, user deactivation, and user updates done for SCIM.

Go to Integration > SCIM to view the audit logs.

To export the logs into Excel, click on the Export button.

You can download the logs from the Scheduled Task section.

Scenarios when SCIM is Enabled in Okta for QTM Instance

The following are some use cases when SCIM is enabled for the QMetry project.

(A) In QMetry, the following user details can be updated: Username, Alias, First Name, Last Name, and Email.

(B) Update Project Assignments for users:

  1. Go to Okta > Directory > Group.

  2. Open the People tab.

  3. Remove the user from the existing Group.

  4. Push Group.

(C) How will the user get deactivated?

→ From Okta > Application > Assignments > People

  1. Go to Okta > Applications > Applications.

  2. Open the Application.

  3. Open the Assignments tab > select the People section.

  4. From the list of users, remove the user that you want to deactivate.

→ From Okta > Directory > People

  1. Go to Okta > Directory.

  2. Select the People section.

  3. Open More actions drop-down and select Deactivate.

  4. Select the user(s) you want to deactivate and click on the Deactivate Selected button.

(D) What operations will be prohibited from QMetry for other users (i.e., users other than Super Admin)?

  • Any other user, regardless of their role or permissions, will be unable to create or update users, or to assign/unassign users to projects.

  • Users cannot edit their own Username, First Name, Last Name, and Email.

  • In Project, the Add new LDAP/SAML users to this Project option will be disabled.

  • Users cannot activate or deactivate other users.

  • Other users cannot perform User Role Assignment and cannot edit the Role Title.

  • The Authentication Type cannot be changed.

  • The Make this the default role for new LDAP/SAML users option will be disabled.

(E) When a new project or new role is created, sync the newly created project or role.

  1. Go to Okta > Applications > Applications.

  2. Open the Push Groups tab and click on the Refresh App Groups button.

(F) How to sync a non-synced user?

  1. Go to Okta > Applications > Applications.

  2. Open the Assignments tab.

  3. Click on the Provision User button to sync non-synced users.

Scenarios when SCIM is disabled in Okta for the QTM instance

  • User provisioning and deprovisioning via SCIM stops.

  • User management in QMetry must then be done manually.

 
