BrowserStack SSO with Azure AD | SAML

Integrate your Azure AD directory with BrowserStack to set up Single Sign-on

Introduction

Single Sign-on integrates an external user directory with your BrowserStack Group. This document describes how to configure Single Sign-on when Azure AD is your identity provider.

In this tutorial, you’ll learn how to integrate BrowserStack with Azure Active Directory (Azure AD). When you integrate BrowserStack with Azure AD, you can:

  • Control in Azure AD who has access to BrowserStack.
  • Enable your users to be automatically signed in to BrowserStack with their Azure AD accounts.
  • Manage your accounts in one central location - the Azure portal.

To learn more about SaaS app integration with Azure AD, see the single sign-on with Azure AD documentation.

Prerequisites

To set up and use the Azure AD and BrowserStack Single Sign-on (SSO) feature, you need:

  • An Azure AD subscription. If you don’t have a subscription, you can get a free account.
  • A user account in Azure AD with permission to configure provisioning (for example, Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator).
  • Enterprise plan on BrowserStack.
  • By default, a user account with Owner permissions can set up SSO on BrowserStack.
Note: If required, the Owner can also allow SSO setup access to one of the Admin(s).

Supported Features

The BrowserStack & Azure AD Single Sign-on integration currently supports the following features:

  • SP-initiated SSO: End users of the organization sign in from the BrowserStack login page, which then sends an authorization request to the Identity Provider (IdP). Once the IdP authenticates the user's identity, the user is logged in to BrowserStack.
  • IdP-initiated SSO: End users of the organization log in to the Identity Provider’s SSO page and then click the BrowserStack application icon to log in to and open BrowserStack.

Configuration Steps

A. Adding the BrowserStack app on Azure AD

To configure the integration of BrowserStack into Azure AD, you need to add BrowserStack from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. On the left navigation panel, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add a new application, select New application.
  5. In the Add from the gallery section, type BrowserStack in the search box.
  6. Select BrowserStack from the results panel and then add the app. Wait for a few seconds while the app is added to your tenant.

B. Setting up the BrowserStack app on Azure AD

  1. Click the Set up Single Sign-on card under Getting Started.

  2. Sign in to your BrowserStack account as Owner.

  3. Go to Account -> Settings & Permissions and select the Security tab. Click Configure under Single Sign On (SSO).

  4. The next screen shows all the authentication services that BrowserStack supports. Select SAML 2.0 and click Next.

  5. Choose Azure AD from the list of Identity Providers, and click Next.

  6. Copy the following from this screen:
    a. SP initiated ACS URL
    b. IdP initiated ACS URL
    c. Entity ID

  7. Head back to the Azure AD application, and edit Basic SAML Configuration.

  8. Paste the values from BrowserStack’s SSO Configuration page, as below:
    • Paste the IdP initiated ACS URL under Reply URL (Assertion Consumer Service URL) with the Default checkbox set. Note that this is for IdP-initiated SSO. Leave it blank if you do not intend to set up the IdP-initiated flow.
    • Paste the SP initiated ACS URL under Reply URL (Assertion Consumer Service URL) with the Default checkbox not set.
    • Paste the Entity ID under Identifier (Entity ID).
  9. Save and Close.

  10. When you get a prompt asking to test single sign-on, click No, I will test later.

  11. Next, edit User Attributes & Claims.

  12. Under Choose name identifier format:
    • Select Attribute
    • Enter user.mail (or whatever is the attribute for email address)
    • Click Save
  13. Copy the following from Set up BrowserStack Single Sign-on:
    • Login URL
    • Logout URL
  14. Click Download next to Federation Metadata XML in the SAML Signing Certificate section. Open the file and copy the following:
    • Public Certificate
  15. Navigate back to the BrowserStack configuration page and paste the following details:
    a. Login URL
    b. Logout URL
    c. Public Certificate

  16. Click Next, opt for Advanced options (if needed) and Submit.
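
The Login URL, Logout URL and Public Certificate pasted in step 15 can also be read directly from the Federation Metadata XML downloaded in step 14, which avoids copy-and-paste damage to the certificate. The Python sketch below is an added example, not BrowserStack or Microsoft code; the names idp_settings and endpoint are hypothetical, and the sample metadata (hosts, tenant ID, certificate bytes) is constructed placeholder data.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
FAKE_DER = b"constructed bytes, not a real certificate"  # placeholder only
TENANT = "00000000-0000-0000-0000-000000000000"          # placeholder tenant ID

# Constructed sample shaped like SAML 2.0 IdP metadata; every value is a placeholder.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.example/{TENANT}/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data><X509Certificate>
   {base64.b64encode(FAKE_DER).decode()}
  </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
     Location="https://login.example/{TENANT}/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
     Location="https://login.example/{TENANT}/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def endpoint(idp, tag):
    """Return the first Location for an endpoint element, insisting on HTTPS."""
    el = idp.find(f"{{{MD}}}{tag}")
    if el is None or not el.get("Location", "").startswith("https://"):
        raise ValueError(f"{tag} missing or not HTTPS")
    return el.get("Location")

def idp_settings(metadata_xml):
    """Extract login URL, logout URL and signing certificates from IdP metadata."""
    idp = ET.fromstring(metadata_xml).find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML IdP metadata")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for node in kd.iter(f"{{{DS}}}X509Certificate"):
            b64 = "".join((node.text or "").split())  # metadata may wrap or indent base64
            der = base64.b64decode(b64, validate=True)
            pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
                "\n".join(textwrap.wrap(b64, 64)))
            fp = {h: hashlib.new(h, der).hexdigest().upper() for h in ("sha1", "sha256")}
            certs.append({"pem": pem, **fp})
    if not certs:
        raise ValueError("no signing certificate in IDPSSODescriptor")
    return {"login_url": endpoint(idp, "SingleSignOnService"),
            "logout_url": endpoint(idp, "SingleLogoutService"), "certs": certs}
```

If the metadata lists more than one signing certificate, all of them are returned with their fingerprints, so you can pick the one whose fingerprint matches the certificate you intend to trust before pasting its PEM into BrowserStack.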

Test & Enable

  1. Test the integration via Test Setup.

  2. You will be taken through the Service Provider flow and your user will be authenticated via Azure AD. The test is successful upon completion of the SSO authentication flow.

  3. Upon a successful test, you can enable the Single Sign-on feature for your Organization.
    You have the option of sending out a mail to all the members on BrowserStack, to inform them about this change, and a link to the new login URL.
    Click Enable to enable the feature.

  4. You will automatically be logged out of BrowserStack and redirected to log in via SSO.

Note: You will need to assign the Group Owner’s email address on BrowserStack’s Azure AD app before you can test and enable it.

Troubleshooting

Error while testing (Type 1)

The user saved the configuration of the connection on the other application. Please make sure that the correct configuration is saved on the Azure AD app.

User Mismatch

The users logged in on Azure AD and BrowserStack are different. Please make sure that you are using the same email address to log in to BrowserStack as well as Azure AD.

Internal Error

In case of this error, please connect with us via support@browserstack.com.


Misconfigured ACS URL

The ACS URL submitted in the configuration is incorrect.


Note: Please connect with support@browserstack.com for any escalations or support.
