BrowserStack user provisioning with Okta

Connect your Okta IdP with BrowserStack

Introduction

Okta’s integration with BrowserStack enables end-users to enable Single Sign-on and Auto User Provisioning for their BrowserStack account. This document describes how to configure auto User Provisioning when Okta is your identity provider.

Prerequisites

  • Enterprise plan on BrowserStack.
  • A user account in BrowserStack with Owner permissions. However, if needed Owner can also allow the setup access to one of the Admin from Settings & Permissions -> Permissions -> Authentication & Security Settings.
  • Administrator access to your organization’s Okta instance.
  • Single Sign-on integration with BrowserStack (mandatory).

Supported features

Okta & BrowserStack user provisioning integration currently supports the following features:

  • User provisioning & de-provisioning
  • Attribute assignment for users on BrowserStack:
    • Role assignment
    • Product access
    • Team assignment

For more information on the listed features, visit the Okta Glossary.

Configuring for user provisioning

  1. Log in to BrowserStack as a user with Owner permissions.

  2. Go to Account -> Settings & Permissions. Select the Security tab.

  3. Under Auto User Provisioning, click Configure. Auto User Provisioning - Configure via SCIM

  4. Select the user attributes that you want to control from Okta and click Confirm. Select attributes to be controlled via Okta

  5. Copy the credentials, will be used on Okta for authentication. Copy the credentials, will be used on Okta for authentication

  6. If you had already set up Signle Sign-On before setting up user provisioning, then you already have the BrowserStack application added on Okta. You can skip this step in that case, else:
    • Find BrowserStack application under Applications on Okta
    • Add it to your Okta tenant Find browserStack app under applications on okta and add it to your okta tenant
    • Add Application label and click Done.
  7. Go to BrowserStack application on Okta -> Click Provisioning tab.

  8. Click Configure API Integration. Click provisioning tab

  9. Click Edit. Check Enable API Integration and fill the following details:
    • User name
    • Access Keys Username and access key input inside API integration configuration
  10. Click Test API Credentials and upon successful test click Save. Okta auto provisioning success

  11. Go back to BrowserStack Settings & Permissions and click Done on the Configuration page.

  12. On Okta, click To App (on the left-hand menu) tab under Provisioning. Click Edit.
    • Check the following settings - Create Users, Update User Attributes, Deactivate Users.
    • Click Save. To App tab
  13. Once you have completed the above steps, on Browserstack, click Enable to enable user provisioning. If you don’t enable it, you will be locked out of inviting new users via BrowserStack UI. Enable auto user provisioning

Managing users from app on Okta

Once auto user provisioning is enabled, the user list will be controlled and managed from the Okta IdP.

Provisioning & de-provisioning users

  1. For your existing users on BrowserStack, we would suggest that as a first step, assign all these users to the BrowserStack application (via the Assignments tab) in Okta. This would avoid any discrepancies between the user list on Browserstack and Okta.
    • By assigning user(s) to the application, they will get provisioned on BrowserStack.
    • Users will be logged out of the BrowserStack, and will be redirected to log-in via SSO. Auto User Provisioning configuration
  2. To add new users on BrowserStack, add these users in your Okta IdP and assign them to BrowserStack application via the Assignments tab. Invite modal will no longer be visible in the BrowserStack Account page anymore. If there were any existing invites already sent (before user provisioning was enabled), those invites will become invalid.

  3. Any user can be removed from BrowserStack or their access by revoked by removing the user from the BrowserStack application on Okta.
Note: You cannot delete the current Owner from Okta. Assign Owner role to another user, before deleting the current Owner. Updating the owner will log out the current owner as well as the old owner from their current session for security reasons

BrowserStack attributes mapping

Go to Provisioning tab on Okta. Under BrowserStack Attributes Mapping section the attributes list is visible as shown: Browserstack attribute mapping

Details about BrowserStack attributes and supported values for each of them:

BrowserStack attribute: primary_role

  1. Default role assigned is User. This is possible in two scenarios:
    • Unexpected, empty or no value specified
    • Role attribute is controlled from Account section
  2. Supported attribute values (when attribute controlled from Okta):
Values Description
User User role will be assigned
Admin Admin role will be assigned
Owner New Owner will be assigned and the current/old owner will be replaced with the new owner. The current/old owner will become an admin.
No Value
Empty or Any other value
The user is created as User by default.

You can choose the value you want to map for the primary_role attribute. For example:

Browserstack role attribute mapping

BrowserStack attribute: primary_team

  1. By default a user is added to Group/Organization on BrowserStack. This is possible in two scenarios:
    • Empty or no value specified
    • Team attribute controlled from Account section
  2. Supported attribute values (when attribute controlled from Okta):
Values Description
Example: Web_Testing User will get added to an existing team (if a team exists with this name). If the team does not exist, a new team will be created with the passed attribute value.
No value/Empty User will be assigned as part of organization (instead of any team).

You can choose the value you want to map for the primary_team attribute. For example: Browserstack role attribute mapping

BrowserStack attribute: primary_product

  1. By default, no product access is assigned. This is possible in two scenarios:
    • Unexpected, empty or no value specified
    • Product attribute is controlled from Account section
  2. Supported attribute values (when attribute controlled from Okta):
Attribute Value Product access assigned
Browser-Testing Live
Automate
Visual-Testing Percy
Automate-Testing Automate
Live-Testing Live
Mobile-App-Testing App Live
App Automate
App-Automate-Testing App Automate
App-Live-Testing App Live
Note: Multiple values can be passed for product access in a comma-separated string. Example: Browser-Testing,Visual-Testing

You can choose the value you want to map for the primary_product attribute. For example:

Browserstack role attribute mapping

Migration Steps

If you are already using an older version of the BrowserStack application on Okta, you can use the following steps to migrate to the new application.

BrowserStack has recently been updated to provide a better overall experience to Okta customers. Here is a summary of the changes:

  • Control User provisioning and de-provisioning via Okta
  • Configure control of User role, product access, and team via Browserstack’s Okta application
  • Okta-group based user management has been introduced in the new application

To take advantage of these updates, you have to add a new instance of Browserstack in your Okta org. If you already have an existing instance of Browserstack, follow the steps below to migrate from that old instance to a newly updated instance of :

  1. Log in to your Okta org as an Admin.

  2. Open the Admin UI.

  3. Click on Add Applications Find browserStack app under applications on okta and add it to your okta tenant

  4. Add a new instance of BrowserStack BrowserStack Application page on Octa

  5. Configure the Single Sign-On and Auto user provisioning, as per respective documentations:
  6. After SCIM Provisioning has been enabled, go to the Import tab of your new Browserstack app instance. Select the old app as the source, and click Import Now. After SCIM Provisioning, go to import tab, select old app as source and click import now

  7. After the users have been downloaded from the old version of the Browserstack application, select the users you want to be created or linked in Okta, and then click on Confirm Assignments.

  8. A pop-up will appear asking if you would like to proceed with the assignment confirmation. Click Confirm.

  9. Users assigned on the old Browserstack application have been imported into the new app.
Note:
  1. Once you have enabled the User Provisioning on the new Browserstack App, make sure that you disable User Provisioning from the old version of the Browserstack App. This is to ensure that you do not face any provisioning issues. We would suggest deactivating the old version once you have set up SSO and User Provisioning via the new application.
  2. If you were using SAML as the sign-on mode for your old Browserstack app instance, you will need to set up SAML on your new Browserstack app instance in Okta (recommended). If you do not, you would need to maintain the old Browserstack app instance to ensure that the SAML functionality continues to work.

Troubleshooting

Below is a list of possible errors that might be encountered and how to resolve them:

Email already part of a different organization account on BrowserStack.

Resolution: User is already present on BrowserStack under a different organization, please reach out to BrowserStack support to get that account deleted before provisioning the user to your current organization account. Auto User Provisioning - User already present

Invalid Parameter Or Attribute

Resolution: Role/Product is not a valid use-case, please use the attribute values provided above. Showing Invalid Parameter Role or Product is not a valid use-case

Owner Deletion

Resolution: Assign ownership to a different user before deletion of this user. Owner cannot be deleted, BrowserStack account needs a user to have Owner role assigned. Owner cannot be deleted error

Incompatible Attributes

Resolution: You are assigning incompatible user attributes, for example Owner cannot have a team assigned.

Licenses Not Available

Resolution: You have used up all your licenses for the product, please unassign users or add more licenses. Contact your Account Executive to get information on adding licenses. Error when the user doesn't have enough licenses for Browser-Testing or the user was not provisioned or updated in the organization

Note: When a user is deactivated on Okta, the said user will be deleted from your BrowserStack account. Whenever the user is activated, a new user will be created on BrowserStack. This would lead to a new id being created.

Escalation/Support

Please connect with support@browserstack.com for any escalations or support.

We're sorry to hear that. Please share your feedback so we can do better







Contact our Support team for immediate help while we work on improving our docs.

We're continuously improving our docs. We'd love to know what you liked






Thank you for your valuable feedback

Is this page helping you?

Yes
No

We're sorry to hear that. Please share your feedback so we can do better







Contact our Support team for immediate help while we work on improving our docs.

We're continuously improving our docs. We'd love to know what you liked






Thank you for your valuable feedback!

Talk to an Expert
Talk to an Expert