BrowserStack SSO with Okta | SAML

Integrate your Okta directory with BrowserStack to set up Single Sign-on

Introduction

Okta’s integration with BrowserStack enables end-users to enable Single Sign-on for their BrowserStack account. Single Sign-on integrates an external user directory with your BrowserStack Group. This document describes how to configure Single Sign-on when Okta is your identity provider.

Prerequisites

To set-up and use BrowserStack’s Okta Single Sign-on (SSO) feature:

  • You need to have an Enterprise plan with BrowserStack.
  • To access the configuration/set-up on BrowserStack, you need to be Owner for your BrowserStack Group.
  • You need to have administrator access on your organization’s Okta instance.

Supported features

The Okta & BrowserStack Single Sign-on integration currently supports the following features:

  • SP-initiated SSO
  • IdP-initiated SSO
  • Group Assignment via Groups on Okta

For more information on the listed features, visit the Okta Glossary.

Configuration Steps

A. SSO Setup Page

  1. Sign-In to BrowserStack account as Owner.

  2. Go to Account -> Settings & Permissions page and select the Security tab. 1-okta-setup-2

B. Initiate the set-up on BrowserStack

  1. Under Single Sign On (SSO), click Configure.

  2. On the next screen, you will be shown all the Authentication services that BrowserStack supports, select SAML 2.0, and click Next 2-okta-initiatesetup-2

  3. Choose Okta from the list of Identity Providers, and click Next. 3-okta-initiatesetup-3

  4. Copy the IDP initiated ACS URL. Keep this for next steps. 4-okta-initiatesetup-4

  5. For the next steps you will need the following details, which you will get from Okta (in the next steps):
    a. Sign-in URL
    b. Sign-out URL
    c. Public Certificate

C. Initiate the set-up on Okta

Adding the BrowserStack Application on Okta

  1. Go to Applications on Okta
  2. Add New Application
  3. Find BrowserStack, select the one with SAML 5-okta-initiateokta-1-c
  4. Click Add 6-okta-initiateokta-1-d-rectified
  5. Give this application an Application Label
    • Keep Do not display application icon to users unselected if you want to use IdP initiated SSO flow
    • Click Done 7-okta-initiateokta-1-e

Configuring App on Okta

  1. Go to Sign on tab
  2. Click Edit
    • Paste the IDP initiated the ACS URL in ACS Tenant
    • Select Email under Application username format 8-okta-initiateokta-2-b
  3. Click on View Setup Instruction. 9-okta-initiateokta-2-c
  4. Copy the following, for submitting on BrowserStack
    • Sign in URL 10-okta-initiateokta-2-d-1
    • Copy Public Certificate (Please copy only the certificate, and ignore the begin and end comments). 11-okta-initiateokta-2-d-2
    • Provision the app for BrowserStack Group Owner. Will be used to test the set-up before enabling Single Sign-on
  5. Paste the above values on BrowserStack
    • Sign in URL in Sign-in URL on BrowserStack.
    • Copy Public Certificate, please copy only the certificate, and ignore the begin and end comments. 12-okta-initiateokta-2-e
  6. Click Next
  7. Select update profile option as per choice 13-okta-initiateokta-2-g

Test & Enable

  1. Test the integration via Test Setup 14-okta-testenable-a

  2. You will be prompted towards Service Provider flow and your user will be authenticated via Okta. The test is successful upon completion of the SSO Authentication flow.

  3. Upon a successful test, you can enable the Single Sign-on feature for your Organization.
    You have the option of sending out a mail to all Group members on BrowserStack, to inform them about this change, and link to the new login URL
    • Click Enable to enable the feature. 15-okta-testenable-c
  4. You will automatically be logged out of the BrowserStack, and redirected to log-in via SSO.
Note: You will need to assign the Group Owner’s email address on BrowserStack’s Okta app before you can test and enable it.

Troubleshooting

Error while testing (Type 1)

The BrowserStack/Okta configuration for this Group has been saved by a different application.

Resolution: Please make sure that the correct configuration is saved on Okta app.

16-troubleshooting-a

User Mismatch

The user provisioned on the Okta App does not have the same email as BrowserStack’s Group Owner.

Resolution: Kindly make sure that the Okta’s provisioned user is the same as BrowserStack’s Group Owner.

17-troubleshooting-b

Internal Error

This is an internal error, please connect with Support/AE/SE team

18-troubleshooting-c

Incorrect ACS URL on Okta App

Resolution: Please check the ACS URL submitted on Okta

19-troubleshooting-d

Note:
  1. User provisioning: Integrate Okta via SCIM to manage users. To configure, visit documentation.
  2. Please connect with support@browserstack.com for any escalations or support.

We're sorry to hear that. Please share your feedback so we can do better






Contact our Support team for immediate help while we work on improving our docs.

We're continuously improving our docs. We'd love to know what you liked





Thank you for your valuable feedback

Is this page helping you?

Yes
No

We're sorry to hear that. Please share your feedback so we can do better






Contact our Support team for immediate help while we work on improving our docs.

We're continuously improving our docs. We'd love to know what you liked





Thank you for your valuable feedback!

Talk to automation expert