BrowserStack user provisioning using Open SCIM

Connect your IdP with BrowserStack’s SCIM connector

Introduction

BrowserStack’s Open SCIM connector, based on the System for Cross-domain Identity Management (SCIM) standard, lets end-users enable Auto User Provisioning for their account. This document describes how to configure Auto User Provisioning.

Prerequisites

  • You need to have an Enterprise plan with BrowserStack.
  • To access the configuration/set-up on BrowserStack, you need to be the Owner for your BrowserStack Group.
  • You need to have administrator access to your organisation’s IdP.
  • SSO must be enabled before User Provisioning. Follow the instructions to set up SSO.

Supported Features

BrowserStack’s User Provisioning integration currently supports the following features:

  • User provisioning & de-provisioning
  • User’s BrowserStack role assignment
  • User’s BrowserStack product access
  • User’s BrowserStack team membership

Note: Role, product and team assignment capability depends on the configurations your Identity Provider supports.

Open SCIM Endpoints

Service Provider Configuration

The Service Provider Config endpoint provides metadata indicating the BrowserStack Server’s authentication scheme and its support for optional or configurable SCIM features. Service Provider Config objects are defined by RFC 7643, section 5.

GET https://www.browserstack.com/scim/v2/ServiceProviderConfig

Resource Types

The Resource Types endpoint lists all of the SCIM resource types configured for use on this BrowserStack Server. Clients may use this information to determine the endpoint, core schema, and extension schemas of any resource types supported by the server. This endpoint does not provide resource type information about SCIM sub-resources.

The response is formatted as a list response, with one or more resource type objects in the Resources field. Resource type objects are defined by RFC 7643, section 6.

GET https://www.browserstack.com/scim/v2/ResourceTypes

User Resource Type

The Resource Type endpoint retrieves a specific SCIM resource type, specified by its ID (we only support User resource). Resource type objects are defined by RFC 7643, section 6. This endpoint does not provide resource type information about SCIM sub-resources.

GET https://www.browserstack.com/scim/v2/ResourceTypes/User

Schemas

The Schemas endpoint lists the SCIM schemas configured for use on this BrowserStack Server, which define the various attributes available to resource types. This endpoint does not provide schema information about SCIM sub-resources.

The response is formatted as a list response, with one or more schema objects in the Resources field. Schema objects are defined by RFC 7643, section 7.

GET https://www.browserstack.com/scim/v2/Schemas

Individual Schema

The Schema endpoint retrieves a specific SCIM schema, specified by its ID (we only support User Schema), which is always a URN. Schema objects are defined by RFC 7643, section 7. This endpoint does not provide schema information about SCIM sub-resources.

GET https://www.browserstack.com/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User

Get your access keys

  1. Sign in to your BrowserStack account as Owner.

  2. Go to Settings & Permissions under Account. Select the Security tab.

  3. Under Auto User Provisioning, select Configure.

  4. Select the user attributes that you want to control via IdP. Ensure that these attributes are supported by your IdP. Go to the next screen.

  5. Copy the credentials; they will be used on your IdP for authentication:
    • SCIM Base URL: The SCIM URL of the BrowserStack server, https://www.browserstack.com/scim/v2
    • Authorization Details: We support the Authorization header as the authorization type, with both the Basic and the Bearer token methods, and do not enforce a specific method.
      • For basic authorization: Copy the User name and Access key from BrowserStack and configure them on the connector.
      • For bearer token authorization: Copy the Access key from BrowserStack and configure it on the connector.
  6. Save and Enable on BrowserStack once you have set it up on your Identity Provider.

  7. Verify/Test on your identity provider (IdP) to check the configuration.

Note: Configuration steps vary by Identity Provider. We suggest going through your IdP’s support documentation for the System for Cross-domain Identity Management (SCIM) standard.

Set-up on your Identity Provider

  1. Find SCIM Connector on your IdP.
  2. Follow the steps to configure it, or use the details in the Open SCIM Endpoints section to configure it.
  3. Make sure that you configure the following in the connector:
    a. SCIM Base URL: The SCIM URL of the BrowserStack server, https://www.browserstack.com/scim/v2
    b. Authorization Details: We support the Authorization header as the authorization type, with both the Basic and the Bearer token methods, and do not enforce a specific method.
    • For basic authorization: Copy the User name and Access key from BrowserStack and configure them on the connector.
    • For bearer token authorization: Copy the Access key from BrowserStack and configure it on the connector.
  4. Click on Verify / Test to check the configurations.
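
The following is an added example, not BrowserStack code: it builds the Authorization header for either method described above, prepares (without sending) a request to the ServiceProviderConfig endpoint, and reads the authentication schemes and optional-feature flags from a response. The credentials and the sample response are constructed placeholders shaped after RFC 7643 section 5, and the `Accept: application/scim+json` header is an assumption taken from the SCIM protocol rather than from this page.

```python
import base64
import json
import urllib.request

SCIM_BASE_URL = "https://www.browserstack.com/scim/v2"  # value given on this page

def auth_header(access_key, username=None):
    """Bearer when only the access key is given, Basic when a user name is too."""
    if not access_key:
        raise ValueError("access key is empty")
    if username is None:
        return "Bearer " + access_key
    if ":" in username:
        raise ValueError("Basic auth user name must not contain ':'")
    pair = f"{username}:{access_key}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")

def discovery_request(access_key, username=None, base_url=SCIM_BASE_URL):
    """Build (not send) the GET for /ServiceProviderConfig."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to attach credentials to a non-HTTPS URL")
    req = urllib.request.Request(base_url.rstrip("/") + "/ServiceProviderConfig", method="GET")
    req.add_header("Authorization", auth_header(access_key, username))
    req.add_header("Accept", "application/scim+json")  # assumption: SCIM media type
    return req

def summarize_config(body):
    """Pull auth scheme types and optional-feature flags out of the response."""
    doc = json.loads(body)
    schemes = sorted(s.get("type", "") for s in doc.get("authenticationSchemes", []))
    optional = ("patch", "bulk", "filter", "changePassword", "sort", "etag")
    features = {k: bool(doc.get(k, {}).get("supported", False)) for k in optional}
    return schemes, features

# Constructed sample shaped like RFC 7643 section 5; not BrowserStack's real response.
SAMPLE_CONFIG = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
    "patch": {"supported": True},
    "bulk": {"supported": False},
    "filter": {"supported": True, "maxResults": 100},
    "authenticationSchemes": [
        {"type": "httpbasic", "name": "HTTP Basic"},
        {"type": "oauthbearertoken", "name": "Bearer token"},
    ],
})

if __name__ == "__main__":
    req = discovery_request("CONSTRUCTED_ACCESS_KEY", username="constructed_user")
    print(req.get_method(), req.full_url)  # the header value is a secret; never log it
    print(summarize_config(SAMPLE_CONFIG))
```
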

Custom Attributes

In order to control Role, Team and Product Access from IdP, add the following attributes on IdP’s end:

Team Assignment

  1. Attribute Name: primary_team
  2. External Name: bstack_team
  3. The default assignment is Group User in case of the following:
    • Empty/No value or
    • Attribute controlled by BrowserStack UI
  4. Expected values when attribute controlled by OpenSCIM:
| Attribute Value | Team Update |
| --- | --- |
| team_name | The user gets added to the existing team if a team exists with the same name. Otherwise, a new team will be created with the passed attribute value. |
| No value/Empty | The user is assigned as part of Group |

Role Assignment

  1. Attribute Name: primary_role
  2. External Name: bstack_role
  3. The default assignment is User in case of the following:
    • Unexpected/Empty/No value or
    • Attribute controlled by BrowserStack UI
  4. Expected values when attribute controlled by OpenSCIM:
| Attribute Value | Role Update |
| --- | --- |
| User | User will be assigned |
| Admin | Admin will be assigned |
| Owner | Owner will be assigned. The current owner will be replaced with the new owner. The current owner will become a user. |
| No Value, Empty or Any other value | The user is created as User by default. |

Product Assignment

  1. Attribute Name: primary_product
  2. External Name: bstack_product
  3. The default assignment is no product access in case of the following:
    • Unexpected, empty or no value
    • Attribute controlled by BrowserStack UI
  4. Expected values when attribute controlled by OpenSCIM:
| Attribute Value | Product Update |
| --- | --- |
| Browser-Testing | Live, Automate |
| Visual-Testing | Percy |
| Automate-Testing | Automate |
| Live-Testing | Live |
| Mobile-App-Testing | App Live, App Automate |
| App-Automate-Testing | App Automate |
| App-Live-Testing | App Live |
Note: Multiple values can be passed for product access in a comma-separated string. Example: Browser-Testing,Visual-Testing

To see the structure of the custom attributes, call the following endpoint:

GET https://www.browserstack.com/scim/v2/Schemas
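
The following added example (not BrowserStack code) checks IdP user records against the role, team and product tables above before they are pushed, and reports the values that would fall back to a default, the Owner assignments that would replace the current owner, and the Owner-with-team combination listed under Incompatible Attributes. Keying records by the external names (`bstack_role`, `bstack_team`, `bstack_product`), matching values case-sensitively, and the sample records are assumptions made for this example.

```python
ROLES = {"User", "Admin", "Owner"}
PRODUCTS = {  # attribute value -> products granted, per the table on this page
    "Browser-Testing": ["Live", "Automate"],
    "Visual-Testing": ["Percy"],
    "Automate-Testing": ["Automate"],
    "Live-Testing": ["Live"],
    "Mobile-App-Testing": ["App Live", "App Automate"],
    "App-Automate-Testing": ["App Automate"],
    "App-Live-Testing": ["App Live"],
}

def preflight(user):
    """Return (effective assignment, findings) for one IdP user record."""
    findings = []
    role = (user.get("bstack_role") or "").strip()
    team = (user.get("bstack_team") or "").strip()
    raw_products = (user.get("bstack_product") or "").strip()

    if role not in ROLES:
        if role:  # an empty value is a normal default; anything else is worth a look
            findings.append(f"role {role!r} is not an expected value")
        role = "User"  # documented default for unexpected/empty values
    if role == "Owner":
        findings.append("Owner assignment replaces the current owner")
        if team:
            findings.append("incompatible: Owner cannot have a team assigned")

    products = []
    for value in filter(None, (v.strip() for v in raw_products.split(","))):
        if value not in PRODUCTS:
            findings.append(f"product {value!r} is not an expected value")
            continue
        products += [p for p in PRODUCTS[value] if p not in products]

    # team None means "assigned as part of Group" (the documented default)
    effective = {"role": role, "team": team or None, "products": products}
    return effective, findings

if __name__ == "__main__":
    # Constructed sample records, not real users.
    for record in (
        {"bstack_role": "Admin", "bstack_team": "QA",
         "bstack_product": "Browser-Testing,Visual-Testing"},
        {"bstack_role": "Owner", "bstack_team": "QA"},
        {"bstack_role": "superuser", "bstack_product": "Everything"},
    ):
        print(preflight(record))
```

Reviewing every Owner finding before a sync matters because, per the role table, that assignment demotes the current owner to User.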

Troubleshooting

As a first step, we suggest adding all the users you currently have on the BrowserStack account to the IdP connector app via the assignment tab. This avoids any discrepancies between the user lists on your IdP and BrowserStack.

User Already Present On BrowserStack

Resolution: The user is already present on BrowserStack under a different organization. Please get that account deleted before provisioning the user.

Invalid parameter/attribute values passed for Role or Product

Resolution: Role/Product is not a valid use-case. Please use the attribute values provided above.

Owner Deletion

Resolution: Assign ownership to a different user before deleting this user. The owner cannot be deleted, because a BrowserStack account needs a user with the Owner role assigned.

Note: The Owner cannot be directly deleted via the IdP. Please assign the Owner role to another user via the BrowserStack UI or IdP, and then delete the old owner.

Incompatible Attributes

Resolution: You are assigning incompatible user attributes; for example, the Owner cannot have a team assigned.

Licenses Not Available

Resolution: You have used up all your licenses for the product. Please unassign users or add more licenses. Contact your Account Executive to get information on adding licenses.


Note: When a user is deactivated on your IdP, the said user will be deleted from your BrowserStack account. Whenever the user is activated, a new user will be created on BrowserStack. This would lead to a new id being created.

Escalation/Support

Please connect with support@browserstack.com for any escalations or support.
