Authentication

Authentication settings let Tenant Admins manage how their workspace handles sign-in, including optional SSO via OIDC.

Sign-in is now passwordless TestOrchestrator no longer uses passwords. Everyone signs in with an email magic link / one-time code, or with Google or GitHub — see Log In. As a result, the Internal Login and Password Policy controls below govern a password-based login method that is no longer presented to users. They remain in the admin UI but do not affect how people sign in today. Workspace SSO (External Providers) is unaffected.

Who can manage these settings?

The Authentication page is only accessible to Tenant Admins. Project Admins and Regular Users cannot view or change authentication settings.

Two tabs

Authentication settings are split into two tabs in Admin → Authentication:

  • Internal — Legacy email/password login rules (lockout, remember login, password reset) and the Password Policy (length, character requirements). These controls are retained in the UI but no longer govern how users sign in, because password login has been replaced by passwordless sign-in.
  • External — OIDC/SSO providers. Configure Google, Microsoft, or any generic OIDC identity provider as a workspace single sign-on method.