
SSO-integration using SAML / ADFS?


#1

Hi,

We’re using a bit of cloud-based TestRail. However, the security implications of everybody managing their own password are not all that appealing.

Nowadays, providing SSO-integration to a customer-specific SAML identity provider is fairly easy, and fairly common.

What are your thoughts on this matter? Is this something you intend to provide, and is there a timeline for it?


#2

Hi!

Yes, there are already plans for this and it is on our to-do list. We already have some password-related features and you can configure a password policy, for example (Administration > Site Settings > Security). We don’t currently have an estimate, but things like SSO and two-factor authentication are on our list and we plan to look into this. Happy to add another vote to this feature request.

Cheers,
Tobias


#3

Yes, please add my vote for this!

(We will never give a corporate approval to any cloud system that does not support SSO with our primary user directory, but instead requires users to manage their own username and passwords, etc. Without such approval, all use and selection will be driven by individual projects, and we will have a little of everything.)


#4

Hello Elygre,

Thanks for the feedback. Please note that TestRail includes strong enterprise-grade security and password policy settings, so you can already accomplish the same in TestRail (e.g. see Administration > Site Settings > Security). So you definitely don’t have to rely on your users to choose strong passwords, TestRail allows you to enforce this. This is also why TestRail is being used by many of the largest enterprise companies:

http://www.gurock.com/testrail/customers/

As Tobias mentioned, SAML support is certainly already on our feature request list and we definitely agree that this would be useful to have! If you require Active Directory or other SSO integration in the meantime, you would also already be able to use this with our TestRail Server edition:

http://docs.gurock.com/testrail-integration/auth-introduction

I hope this helps!


#5

I appreciate that you guys have SAML on your feature list.

The problem is not the password strength; the problem is the number of passwords, as well as the management of them. When I mentioned “password policy”, this is not about the number and type of characters, but about the idea that any user should only have one password, that we are able to enforce password change, that we can manage user lifetimes, etc.

Another issue is the reuse of passwords. (See for example https://www.troyhunt.com/science-of-password-selection/: “What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused passwords and even when I looked at a totally unrelated system – Gawker – reuse was still very high with over two thirds of common email addresses sharing the same password”)

As a service provider, you should appreciate the reduced liability that comes with not managing passwords. If you were to lose your password database (like LinkedIn and many others), you would quickly come to appreciate how much better life would have been if this was handled by the customers themselves.


#6

For inspiration, you could take a look at what TalentLMS is doing. Also PHP-based, they have an entirely self-service SAML setup which works nicely.


#7

Hello Elygre,

Thanks for the feedback! I understand that users often reuse passwords and this is of course a bad idea. On the other hand, having a single service to rely on for all your services can also be problematic if that service has a breach (and e.g. has no two-factor authentication). And we would then depend on the external services our customers use. For best security it’s usually recommended to use unique, strong passwords for each service. But I understand that this can be difficult to enforce with all users, and SAML support is definitely something we will review eventually, and two-factor authentication as a built-in feature is also on our review list.

Thanks again!


#8

Is there any progress on this?


#9

Hi @elygre,

We currently don’t have an update on this feature request but it’s still planned to look into this. Happy to add another vote, thanks for your feedback!

Cheers,
Tobias


#10

Please add a vote from us for SAML authentication support. Thanks!


#11

Thanks for your feedback, @AVAIMobile!

Cheers,
Tobias


#12

Please add a vote from me too! SAML authentication would definitely be useful.


#13

Thanks for your feedback, David!

Cheers,
Tobias


#14

Any progress on this? Perhaps you are doing OAuth instead?

Or do you still think that the community is best served by you guys managing passwords?


#15

Hi,

Thank you for the post. We are still working on implementing this in an upcoming release of TestRail. I would recommend keeping an eye on our forums as well as our blog, which you can find here: https://blog.gurock.com/tag/testrail-release/

In the meantime I would be happy to add another vote for you.


#16

Hi,
What about the possibility of SSO integration? Are you working on it?


#17

Hi Volodymyr,

Thanks for your posting. SSO is still on our list of things to look into but we currently can’t say if or when this will be available. Most features we add to TestRail are directly based on customer feedback so your feedback is really appreciated.

Cheers,
Tobias


#18

Is there any progress on this whatsoever? Looking at the forums, the request for SSO has been going on for 3 years now???
As it turns out, Jira-side integration works better than TestRail integration. So we have one-way SSO from Jira to TestRail but not back.

You say updates are based on customer feedback, but is it really??


#19

Hi,

Please add a vote for SAML authentication support. This is an important feature for our implementation of TestRail.

Timeline for this is important as we are currently implementing SSO for all our project tools.

– Martin.


#20

Hi all,

This feature is very important for us as well based on our internal security policies. Could you give me an ETA on this?

Please add a vote for us as well.

Thank you,
Nagy