BrowserStack SSO with OneLogin | SAML

Integrate your OneLogin directory with BrowserStack to set up Single Sign-On.

Single Sign-on integrates an external user directory with your BrowserStack Group. This document describes how to configure Single Sign-on when OneLogin is your identity provider.

Prerequisites

To set-up and use OneLogin & BrowserStack Single Sign-on (SSO) feature:

• You need to have an Enterprise plan with BrowserStack.
• You need to have administrator access on your organization’s Okta instance.
• By default, a user account with Owner permissions can setup SSO on BrowserStack.

Supported features

The OneLogin & BrowserStack Single Sign-on integration currently supports the following features:

Configuration steps

A. SSO setup page

1. Sign-In to BrowserStack account as Owner.

2. Go to Account > Security and select Authentication from the side-nav menu.

B. Initiate the set-up on BrowserStack

1. Under Single Sign On (SSO), click Configure.

2. On the next screen, you will be shown all the Authentication services that BrowserStack supports, select SAML 2.0, and click Next.

3. Choose OneLogin as Identity Providers, and click Next.

4. Copy the IDP initiated the ACS URL

C. Setting Up BrowserStack app on OneLogin

1. Find BrowserStack under Add New Applications

2. Give it a connector name, and save

3. Go to the Configuration tab

4. Paste the IDP initiated the ACS URL in the IdP initiated ACS URL field

5. Save

6. Go to the SSO tab in OneLogin. Copy the following for the next steps on BrowserStack
   a. Copy the SAML 2.0 Endpoint
   b. Copy the SLO Endpoint (HTTP)
   c. Click on View details under X.509 Certificate tag to copy certificate
   

D. Saving your configuration on BrowserStack

1. Paste copied configuration
   a. SAML 2.0 URL in SAML 2.0 Endpoint (HTTP)
   b. SLO Endpoint (HTTP) to SLO Endpoint
   c. Certificate in the Public Certificate field
   d. Click Next

2. Click Next to proceed to the Advanced options section. Here, you will be able to configure your SSO settings as either Required or Optional. This allows you to choose the level of SSO enforcement that suits your organization’s needs.

   • Required (default): Choose this option if you want to ensure that your team members must sign in to BrowserStack using SSO. Their BrowserStack credentials will no longer work. However, owners can still sign in using either of their SSO or BrowserStack credentials.

   • Optional: Opt for this setting if flexibility is your priority. With SSO configured as Optional, your team members can sign in using either their SSO or BrowserStack credentials. Additionally, you can choose to extend this flexbility only to some team members. Simply specify domains of members to exclude from Optional setting and all users from those domains will be required to login using SSO only.

Test and enable

A. Test the integration via Test Setup

1. Click Test Setup to test the integration.

2. You will be prompted towards Service Provider flow and your user will be authenticated via OneLogin. The test is successful upon completion of the SSO Authentication flow.

3. Upon a successful test, you can enable the Single Sign-on feature for your Organization.
   a. You have the option of sending out a mail to all Group members on BrowserStack, to inform them about this change, and link to the new login URL.
   b. Click Enable to enable the feature.

B. Your SSO connection has been enabled

You will automatically be logged out of BrowserStack, and redirected to log-in via SSO.

Troubleshooting

Error while testing (Type 1)

The user saved the configuration of the connection on the other application. Please make sure that the correct configuration is saved on OneLogin app.

User mismatch

User logged in on Onelogin and BrowserStack is different. Please make sure that you are using the same email to login on BrowserStack as well as OneLogin.

Internal error

In case of this error, contact us.

Misconfigured ACS URL