Skip to main content

Single Sign-On (SSO)

Enable SSO so users can sign in with your identity provider (IdP) and so you can enforce corporate policies like MFA.

Supported providers

TestFish supports SAML providers including Okta, Microsoft Azure AD, Google Workspace, Auth0, and OneLogin.

Configuration steps

  1. Navigate to Configuration → SSO.
  2. Click Add provider and choose SAML or OIDC.
  3. Provide the required metadata:
    • SAML – IdP SSO URL, SLO URL (optional), entity ID, certificate, and metadata URL (if available).
    • OIDC – Issuer URL, client ID, client secret, scopes, and discovery document.
  4. Define additional settings:
    • Provider name – Displayed on the login page.
    • Email domains – Restrict who can use the provider.
    • Enforce SSO – Require all users to sign in via the provider (owners/admins keep a recovery backdoor unless disabled).
    • Auto-provision – Automatically create users when they authenticate successfully.
  5. Test the connection. TestFish records diagnostics and shows whether certificates are valid.
  6. Save the configuration; TestFish reloads authentication middleware so the provider is immediately available.

Maintenance

  • Metadata refresh – If your IdP rotates certificates, use the Refresh metadata button or re-upload the new cert.
  • Certificate monitoring – TestFish highlights certificates that are expiring soon.
  • Audit logs – Every SSO login attempt and configuration change is captured for compliance.

Tips

  • Keep at least one owner account with password login for emergency access.
  • Use auto-provisioning plus groups to assign default access levels when new users join.
  • Coordinate with your security team to rotate secrets on a schedule.