SSO with Cover Reports
Last updated
Was this helpful?
Last updated
Was this helpful?
SSO authentication is only provided by using the and protocols and connecting to an external SSO provider.
Currently, the supported providers are:
Other providers that use the same protocols are likely to work with similar configuration, but have not been tested by Diffblue.
A server running Cover Reports.
An SSO provider.
Cover Reports uses the flow.
When a user navigates to the Reports UI, they are redirected to the SSO provider which presents a login screen. The user enters their credentials and will be authenticated by the SSO provider. If successful, the user will be redirected back to the Reports home page.
To integrate Cover Reports with an SSO provider:
The SSO provider must be configured with details of Cover Reports
Cover Reports must be configured with details of the SSO provider
However, it should be sufficient to note that the following properties must be set:
A client secret must be used to authenticate Cover Reports to this new client
The authorization code grant type must be used
The scope must be openid
Add oauth2 to the active profile list - this enables SSO in Cover Reports
SSO client ID
SSO client secret
Type of authorization grant; must be authorization_code
Scope of user account accessible by Cover Reports; must be openid
URL of Cover Reports where the SSO will redirect the user after successful login
URL of the SSO provider that Cover Reports will use
The names of most of these properties depend on the SSO provider.
spring.profiles.active
Specifies a comma separated list of profiles
postgres,oauth2
spring.security.oauth2.client.registration.ping.provider
Name of spring.security.oauth2.client.provider
ping-provider
spring.security.oauth2.client.registration.ping.client-id
ID of SSO client
diffblue-cover-reports
spring.security.oauth2.client.registration.ping.client-secret
Secret of SSO client
some-secret-key
spring.security.oauth2.client.registration.ping.authorization-grant-type
Type of authorization grant. Must be authorization_code
authorization_code
spring.security.oauth2.client.registration.ping.scope
Scope of user account accessible by Cover Reports. Must be openid
openid
spring.security.oauth2.client.registration.ping.redirect-uri
URL of Cover Reports where the SSO will redirect the user after successful login
spring.security.oauth2.client.provider.ping-provider.issuer-uri
URL of the SSO provider that Cover Reports will use
spring.security.oauth2.client.registration.keycloak.provider
Name of spring.security.oauth2.client.provider
keycloak-provider
spring.security.oauth2.client.registration.keycloak.client-id
ID of SSO client
diffblue-cover-reports
spring.security.oauth2.client.registration.keycloak.client-secret
Secret of SSO client
some-secret-key
spring.security.oauth2.client.registration.keycloak.authorization-grant-type
Type of authorization grant. Must be authorization_code
authorization_code
spring.security.oauth2.client.registration.keycloak.scope
Scope of user account accessible by Cover Reports. Must be openid
openid
spring.security.oauth2.client.registration.keycloak.redirect-uri
URL of Cover Reports where the SSO will redirect the user after successful login
spring.security.oauth2.client.provider.keycloak-provider.issuer-uri
URL of the SSO provider that Cover Reports will use
To simplify this configuration, there are pre-configurations (or profiles) supplied in Cover Reports for the supported SSO providers. These provide default values for the required properties.
The profiles are:
ping - for the PingIdentity provider
keycloak - for the Keycloak provider
To specify the profile, the profile name must be appended to the end of the spring.profiles.active property.
For example, to enable SSO with the PingIdentity provider, the properties could be reduced to:
Authorization is managed by adding roles to users. This must be done within the SSO provider. The roles of each user must be set in the claims of the user details. Cover Reports will retrieve the user details from the SSO provider after a successful login and extract the roles from the claims.
The default name of the claim is cover-reports-roles which should contain a list of all the roles the user has.
This name can be customised by setting the reports.roles.claimNameWithRoles property, but it must align with that set in the SSO provider.
The roles in Cover Reports are:
USER
a standard user
view all information
ADMIN
a privileged user
view all information; Delete runs; Access the administration page to perform administrative tasks
The names of these roles can be customised by setting the reports.roles.userName and reports.roles.adminName properties respectively.
reports.roles.claimNameWithRoles
Name of the claim in user details that has a list of roles
cover-reports-roles
reports.roles.userName
Name of the standard user role
USER
reports.roles.adminName
Name of the administrator role
ADMIN
Currently, there is no logout function in Cover Reports. This reflects the notion that a user with SSO would not want to logout of SSO from Cover Reports.
Cover Reports creates its own user session once a user has authenticated with the SSO provider. The session will remain active while the user interacts with the Cover Reports UI and is ended by inactivity. Note that the SSO provider cannot invalidate an active Cover Reports session.
Uploading information to Cover Reports works in the same way regardless of whether SSO is enabled or not.
Since the flow is a standard mechanism, it should be possible to configure any SSO provider in this way. However, each provider has a very different configuration; it is not within the scope of this document to describe it.
A new client must be created that has the ID: diffblue-cover-reports. This can be changed if necessary by specifying a property in the
A redirect URL must be set that matches the Cover Reports installation, e.g.
Once the SSO provider has been configured, there are several properties that must be set in Cover Reports :
User authentication is performed by configuring Diffblue Cover CLI and Cover Reports as .