Browserstack Documentation Documentation
Documentation home icon Separator

    BrowserStack user provisioning with Okta

    Connect your Okta IdP with BrowserStack

    Introduction

    Okta’s integration with BrowserStack enables end-users to enable Single Sign-on and Auto User Provisioning for their BrowserStack account. This document describes how to configure auto User Provisioning when Okta is your identity provider.

    Prerequisites

    • Enterprise plan on BrowserStack.
    • Administrator access to your organization’s Okta instance.
    • Single Sign-on integration with BrowserStack (mandatory).
    • User with Owner permissions can setup user provisioning on BrowserStack.
    Note: Owner can also allow user provisioning setup access to one of the Admin(s). Learn more

    Supported features

    Okta & BrowserStack user provisioning integration currently supports the following features:

    • User provisioning & de-provisioning
    • Attribute assignment for users on BrowserStack:
      • Role assignment
      • Product access
      • Team assignment

    For more information on the listed features, visit the Okta Glossary.

    Configuring for user provisioning

    1. Log in to BrowserStack as a user with Owner permissions.

    2. Go to Account > Security and select Authentication from the side-nav menu.

    3. Under Auto User Provisioning, click Configure. Auto User Provisioning - Configure via SCIM

    4. Select the user attributes that you want to control from Okta and click Confirm. Select attributes to be controlled via Okta

    5. Copy the credentials, will be used on Okta for authentication. Copy the credentials, will be used on Okta for authentication

    6. If you had already set up Signle Sign-On before setting up user provisioning, then you already have the BrowserStack application added on Okta. You can skip this step in that case, else:
      • Find BrowserStack application under Applications on Okta
      • Add it to your Okta tenant Find browserStack app under applications on okta and add it to your okta tenant
      • Add Application label and click Done.

    7. Go to BrowserStack application on Okta > Click Provisioning tab.

    8. Click Configure API Integration. Click provisioning tab

    9. Click Edit. Check Enable API Integration and fill the following details:
      • User name
      • Access Keys Username and access key input inside API integration configuration

    10. Click Test API Credentials and upon successful test click Save. Okta auto provisioning success

    11. Go back to BrowserStack’s Auto User Provisioning configuration page and click Done.

    12. On Okta, click To App (on the left-hand menu) tab under Provisioning. Click Edit.
      • Check the following settings - Create Users, Update User Attributes, Deactivate Users.
      • Click Save. To App tab
    13. Once you have completed the above steps, on Browserstack, click Enable to enable user provisioning. If you don’t enable it, you will be locked out of inviting new users via BrowserStack UI. Enable auto user provisioning

    Managing users from app on Okta

    Once auto user provisioning is enabled, the user list will be controlled and managed from the Okta IdP.

    Provisioning & de-provisioning users

    1. For your existing users on BrowserStack, we would suggest that as a first step, assign all these users to the BrowserStack application (via the Assignments tab) in Okta. This would avoid any discrepancies between the user list on Browserstack and Okta.
      • By assigning user(s) to the application, they will get provisioned on BrowserStack.
      • Users will be logged out of the BrowserStack, and will be redirected to log-in via SSO. Auto User Provisioning configuration

    2. To add new users on BrowserStack, add these users in your Okta IdP and assign them to BrowserStack application via the Assignments tab. Invite modal will no longer be visible in the BrowserStack Account page anymore. If there were any existing invites already sent (before user provisioning was enabled), those invites will become invalid.

    3. Any user can be removed from BrowserStack or their access by revoked by removing the user from the BrowserStack application on Okta.
    Note: You cannot delete the current Owner from Okta. Assign Owner role to another user, before deleting the current Owner. Updating the owner will log out the current owner as well as the old owner from their current session for security reasons

    BrowserStack attributes mapping

    Go to Provisioning tab on Okta. Under BrowserStack Attributes Mapping section the attributes list is visible as shown: Browserstack attribute mapping

    Details about BrowserStack attributes and supported values for each of them:

    BrowserStack attribute: primary_role

    1. Default role assigned is User. This is possible in two scenarios:
      • Unexpected, empty or no value specified
      • Role attribute is controlled from Account section
    2. Supported attribute values (when attribute controlled from Okta):
    Values Description
    User User role will be assigned
    Admin Admin role will be assigned
    Owner New Owner will be assigned and the current/old owner will be replaced with the new owner. The current/old owner will become an admin.
    No Value
    Empty or Any other value    		 The user is created as User by default.

    You can choose the value you want to map for the primary_role attribute. For example:

    Browserstack role attribute mapping

    BrowserStack attribute: primary_team

    1. By default a user is added to Group/Organization on BrowserStack. This is possible in two scenarios:
      • Empty or no value specified
      • Team attribute controlled from Account section
    2. Supported attribute values (when attribute controlled from Okta):
    Values Description
    Example: Web_Testing User will get added to an existing team (if a team exists with this name). If the team does not exist, a new team will be created with the passed attribute value.
    No value/Empty User will be assigned as part of organization (instead of any team).

    You can choose the value you want to map for the primary_team attribute. For example: Browserstack role attribute mapping

    BrowserStack attribute: primary_product

    1. By default, no product access is assigned. This is possible in two scenarios:
      • Unexpected, empty or no value specified
      • Product attribute is controlled from Account section
    2. Supported attribute values (when attribute controlled from Okta):
    Attribute Value Product access assigned
    Browser-Testing Live
    Automate
    Visual-Testing Percy
    Automate-Testing Automate
    Live-Testing Live
    Mobile-App-Testing App Live
    App Automate
    App-Automate-Testing App Automate
    App-Live-Testing App Live
    App-Percy App-Percy
    Accessibility-Testing Accesssibility Testing
    Test-Management Test Management
    Test-Observability Test Observability
    Note: Multiple values can be passed for product access in a comma-separated string. Example: Browser-Testing,Visual-Testing

    You can choose the value you want to map for the primary_product attribute. For example:

    Browserstack role attribute mapping

    Migration Steps

    If you are already using an older version of the BrowserStack application on Okta, you can use the following steps to migrate to the new application.

    BrowserStack has recently been updated to provide a better overall experience to Okta customers. Here is a summary of the changes:

    • Control User provisioning and de-provisioning via Okta
    • Configure control of User role, product access, and team via Browserstack’s Okta application
    • Okta-group based user management has been introduced in the new application

    To take advantage of these updates, you have to add a new instance of Browserstack in your Okta org. If you already have an existing instance of Browserstack, follow the steps below to migrate from that old instance to a newly updated instance of :

    1. Log in to your Okta org as an Admin.

    2. Open the Admin UI.

    3. Click on Add Applications Find browserStack app under applications on okta and add it to your okta tenant

    4. Add a new instance of BrowserStack BrowserStack Application page on Octa

    5. Configure the Single Sign-On and Auto user provisioning, as per respective documentations:

    6. After SCIM Provisioning has been enabled, go to the Import tab of your new Browserstack app instance. Select the old app as the source, and click Import Now. After SCIM Provisioning, go to import tab, select old app as source and click import now

    7. After the users have been downloaded from the old version of the Browserstack application, select the users you want to be created or linked in Okta, and then click on Confirm Assignments.

    8. A pop-up will appear asking if you would like to proceed with the assignment confirmation. Click Confirm.

    9. Users assigned on the old Browserstack application have been imported into the new app.
    Note:
    1. Once you have enabled the User Provisioning on the new Browserstack App, make sure that you disable User Provisioning from the old version of the Browserstack App. This is to ensure that you do not face any provisioning issues. We would suggest deactivating the old version once you have set up SSO and User Provisioning via the new application.
    2. If you were using SAML as the sign-on mode for your old Browserstack app instance, you will need to set up SAML on your new Browserstack app instance in Okta (recommended). If you do not, you would need to maintain the old Browserstack app instance to ensure that the SAML functionality continues to work.

    Troubleshooting

    Below is a list of possible errors that might be encountered and how to resolve them:

    Email already part of a different organization account on BrowserStack.

    Resolution: User is already present on BrowserStack under a different organization, please reach out to BrowserStack support to get that account deleted before provisioning the user to your current organization account. Auto User Provisioning - User already present

    Invalid Parameter Or Attribute

    Resolution: Role/Product is not a valid use-case, please use the attribute values provided above. Showing Invalid Parameter Role or Product is not a valid use-case

    Owner Deletion

    Resolution: Assign ownership to a different user before deletion of this user. Owner cannot be deleted, BrowserStack account needs a user to have Owner role assigned. Owner cannot be deleted error

    Incompatible Attributes

    Resolution: You are assigning incompatible user attributes, for example Owner cannot have a team assigned.

    Licenses Not Available

    Resolution: You have used up all your licenses for the product, please unassign users or add more licenses. Contact your Account Executive to get information on adding licenses. Error when the user doesn't have enough licenses for Browser-Testing or the user was not provisioned or updated in the organization

    Note: When a user is deactivated on Okta, the said user will be deleted from your BrowserStack account. Whenever the user is activated, a new user will be created on BrowserStack. This would lead to a new id being created.

    Escalation/Support

    Please connect with support@browserstack.com for any escalations or support.

    We're sorry to hear that. Please share your feedback so we can do better

    Contact our Support team for immediate help while we work on improving our docs.

    We're continuously improving our docs. We'd love to know what you liked






    Thank you for your valuable feedback

    • ON THIS PAGE

      Is this page helping you?

      Yes
      No

      We're sorry to hear that. Please share your feedback so we can do better

      Contact our Support team for immediate help while we work on improving our docs.

      We're continuously improving our docs. We'd love to know what you liked






      Thank you for your valuable feedback!

      We use cookies to enhance user experience, analyze site usage, and assist in our marketing efforts. By continuing to browse or closing this banner, you acknowledge that you have read and agree to our Cookie Policy, Privacy Policy and Terms of Service.

      Got it

      Talk to an Expert
      Download Copy