BrowserStack user provisioning with OneLogin
Connect your OneLogin IdP with BrowserStack.
OneLogin’s integration with BrowserStack enables end-users to enable Single Sign-on and Auto User Provisioning for their BrowserStack account. This document describes how to configure auto User Provisioning when OneLogin is your identity provider.
Prerequisites
- Enterprise plan on BrowserStack.
- You need to have administrator access to your organization’s OneLogin instance.
- Your OneLogin SSO needs to be enabled before User Provisioning. Follow the instructions given here to set up SSO with OneLogin.
- User with Owner permissions can setup user provisioning on BrowserStack.
Supported features
The OneLogin & BrowserStack User Provisioning integration is configurable on BrowserStack, currently supports the following features:
- User provisioning & de-provisioning
- Attribute assignment for users on BrowserStack:
- Role assignment
- Product access
- Team assignment
- Group assignment via OneLogin’s application assignment to “OneLogin roles”
Configuring for user provisioning
-
Log-in to BrowserStack as Owner.
-
Go to Account > Security and select Authentication from the side-nav menu.
-
Under Auto User Provisioning, select Configure.
-
Select the user attributes that you want to control via IDP
-
Copy the Access Key only, it will be used on OneLogin for authentication
- If you set up SSO before setting up User Provisioning, you already have the BrowserStack app added on OneLogin, skip this step. Otherwise
- Go to Applications
- Click Add App, and find the BrowserStack app under Add Application on OneLogin
- Add it to your OneLogin tenant, give it an identifiable name under “Display Name” and clicking Save
- Head to BrowserStack App on OneLogin, and go to the Configuration tab.
- You should have SSO configured via this tab already, if not, use this link to set it up.
- Add the Access Key from BrowserStack in the SCIM Bearer Token field on OneLogin.
- Click Enable, OneLogin will give a green Enabled text confirmation
- Head to Provisioning, to start pushing users to BrowserStack
- Make sure that the following are selected:
- Create user
- Delete user
- Update user
- Select Delete as the action for when users are deleted on OneLogin.
- Select Do Nothing as the action for when users are suspended on OneLogin. (Suspension is not supported on BrowserStack.)
- Make sure that the following are selected:
-
Go to Parameters, and click on SCIM username under Required Parameters. Set the value to Email.
-
Save the current state. We will enable Provisioning on BrowserStack before coming back and enabling it on OneLogin. You can enable it via the provisioning tab at this step, but the users will not be pushed into BrowserStack till we enable it on BrowserStack.
- On BrowserStack, enable Auto User Provisioning once you have set it up on OneLogin, otherwise, you will be locked out of inviting new users via BrowserStack UI.
Managing users via OneLogin application
Depending on the configuration that you select while setting up Auto User Provisioning on BrowserStack. You will need to create the appropriate Custom User Fields and assign in the Parameters tab.
Ensure that you check the box next to Include in User Provisioning.
Provisioning & Deprovisioning users
- By assigning the app to the user, the user will get provisioned on the BrowserStack platform.
- You can remove a user and his/her access by removing the user from the app.
- You cannot delete the current Owner from OneLogin. Assign Owner role to another user, before deleting the current Owner.
- Updating the owner will log out the current owner as well as the old owner from their current session for security reasons.
Role assignment
- Attribute Name: primary_role
- External Name: bstack_role
- Default assignment as User, in case of
- Unexpected, empty or no value
- Attribute controlled by BrowserStack UI
- Expected values when attribute controlled by OneLogin:
Attribute Value | Role Update |
---|---|
User | User will be assigned |
Admin | Admin will be assigned |
Owner | Owner will be assigned The current owner will be replaced with the new owner. The current owner will become a user. |
No Value Empty or Any other value |
The user is created as User by default. |
Team assignment
- Attribute Name: primary_team
- External Name: bstack_team
- Default assignment as Group User, in case of
- Empty or no value
- Attribute controlled by BrowserStack UI
- Expected values when attribute controlled by OneLogin:
Attribute Value | Team Update |
---|---|
team_name | The user gets added to the existing team if a team exists with the same name. Otherwise, a new team will be created with the passed attribute value. |
No value/Empty | The user is assigned as part of Group |
Product assignment
- Attribute Name: primary_product
- External Name: bstack_product
- Default assignment no product access, in case of
- Unexpected, empty or no value
- Attribute controlled by BrowserStack UI
- Expected values when attribute controlled by OneLogin:
Attribute Value | Product Update |
---|---|
Browser-Testing | Live Automate |
Visual-Testing | Percy |
Automate-Testing | Automate |
Live-Testing | Live |
Mobile-App-Testing | App Live App Automate |
App-Automate-Testing | App Automate |
App-Live-Testing | App Live |
App-Percy | App-Percy |
Accessibility-Testing | Accesssibility Testing |
Test-Management | Test Management |
Test-Observability | Test Observability |
- You can pass multiple values for product access in a comma-separated string. Example:
Browser-Testing,Visual-Testing
- If product access is controlled through IDP, you can update product roles as part of the product access attributes. For example:
Percy: Product Admin, Test-Management: Product User
.
Troubleshooting
Below is a list of possible errors that might be encountered and how to resolve them:
User already present on BrowserStack
Resolution: User already presents on BrowserStack under a different organization, please get the account deleted before provisioning the user.
Invalid parameter/attribute values passed for Role or Product
Resolution: Role/Product is not a valid use-case, please use the attribute values provided above.
Owner deletion
Incompatible attributes
Resolution: You are assigning incompatible user attributes, for example Owner cannot have a team assigned.
Licenses unavailability
Resolution: You have used up all your licenses for the product, please unassign users or add more licenses. Contact your Account Executive to get information on adding licenses.
Escalation/Support
Contact us for any escalations or support.
We're sorry to hear that. Please share your feedback so we can do better
Contact our Support team for immediate help while we work on improving our docs.
We're continuously improving our docs. We'd love to know what you liked
We're sorry to hear that. Please share your feedback so we can do better
Contact our Support team for immediate help while we work on improving our docs.
We're continuously improving our docs. We'd love to know what you liked
Thank you for your valuable feedback!