Skip to main content

BrowserStack SSO with Open SAML 2.0

Integrate your Identity Provider with BrowserStack to set up Single Sign-on


Open SAML 2.0 integration with BrowserStack enables end-users to enable Single Sign-on for their BrowserStack account. Single Sign-on integrates an external user directory with your BrowserStack Group. This document describes how to configure Single Sign-on using Open SAML 2.0 in your identity provider.


To set-up and use Open SAML 2.0 - BrowserStack Single Sign-on (SSO):

  • You need to have an Enterprise plan with BrowserStack.
  • You need to have administrator access on your organization’s Okta instance.
  • By default, a user account with Owner permissions can setup SSO on BrowserStack.
Note: If required, Owner can also allow SSO setup access to one of the Admin(s). Learn more

Supported Features

The Open SAML 2.0 & BrowserStack Single Sign-on integration currently supports the following features:

  • SP-initiated SSO (availability dependent on IdP)
  • IdP-initiated SSO

Configuration Steps

SSO Setup Page

  1. Log-in to BrowserStack as Owner.

  2. Go to Account > Security and select Authentication from the side-nav menu. Configure SSO Step 1

Initiate the set-up on BrowserStack

  1. Under Single Sign On (SSO), click Configure.

  2. On the next screen, you will be shown all the Authentication services that BrowserStack supports, select SAML 2.0, and click Next. SSO SAML authentication

  3. Choose Open SAML 2.0 from the list of Identity Providers, and click Next. SSO Select SAML Identity Provider

  4. Copy the following information to configure your IdP. Depending upon your IdP, some/all of the information may be needed:
    • IdP Initiated SSO URL
    • SP Initiated SSO URL
    • Entity ID Configuring IdP
  5. For the next steps, you will need
    • Sign-in URL
    • Sign-out URL
    • Public Certificate
    • IdP Name

Initiate the set-up on your Identity Provider

  1. Set up SAML 2.0 connector on your IdP using your IdPs SAML integration steps.

  2. Make sure that you configure the following in the setup:
    • IdP Initiated SSO URL, SP Initiated SSO URL and Entity ID as per BrowserStack.
    • Create an email address attribute (claim/outgoing attributes in SAML), and select NameID format as email address.
    • Important: If your IdP considers only one ACS URL, please use the IdP initiated ACS SSO URL
      • Add both URLs only if multiple ACS URL are supported.
      • Give precedence to IdP initiated SSO URL, and make it default.
      • If the IdP validates incoming ACS URL, then either remove the validation or use the SP Initiated URL. As, some Identity Providers may throw errors if they allow only one ACS URL to be configured and you use IdP initiated ACS URL.
        By removing validation, both IdP initiated and SP initiated flows will work.
    • You have assigned the application/connector to BrowserStack account’s owner.
    • The sign-out URL is not mandatory. If your IdP supports only Signed Logout requests, leave this field blank.
    • Check/Enable the signed ACS assertion and signed ACS response option. The option might be available under Advanced Settings in certain IdPs.
  3. Copy the following from your Identity Provider:
    • Sign-in URL
    • Sign-out URL
    • Public Certificate
    • IdP Name (Please give the commercial name of the Identity Provider for records)
  4. Paste the above values in BrowserStack. Paste the above values in browserstack

  5. Click Next

  6. Click Next to proceed to the Advanced options section. Here, you will be able to configure your SSO settings as either Required or Optional. This allows you to choose the level of SSO enforcement that suits your organization’s needs.
    • Required (default): Choose this option if you want to ensure that your team members must sign in to BrowserStack using SSO. Their BrowserStack credentials will no longer work. However, owners can still sign in using either of their SSO or BrowserStack credentials.

    • Optional: Opt for this setting if flexibility is your priority. With SSO configured as Optional, your team members can sign in using either their SSO or BrowserStack credentials. Additionally, you can choose to extend this flexbility only to some team members. Simply specify domains of members to exclude from Optional setting and all users from those domains will be required to login using SSO only. Advanced SSO settings

Test & Enable

  1. Test the integration via Test Setup. Testing integration on Account Settings Page of BrowserStack

  2. You will be prompted towards Service Provider flow and your user will be authenticated via your Identity Provider. The test is successful upon completion of the SSO Authentication flow.

  3. Upon a successful test, you can enable the Single Sign-on feature for your Organization.
    You have the option of sending out a mail to all Group members on BrowserStack, to inform them about this change, and link to the new login URL
    Click Enable to enable the feature. Enable Single Sign-on feature

  4. You will automatically be logged out of the BrowserStack, and redirected to log-in via SSO.

Note: You will need to assign the Group Owner’s email address on Identity Provider’s SAML app for BrowserStack before you can test and enable it.


User Mismatch

The user provisioned on the Identity Provider does not have the same email as BrowserStack’s Group Owner.

Resolution: Kindly make sure that the IdP’s provisioned user is the same as BrowserStack’s Group Owner.

Email mismatch between BrowserStack and IdP error. Make sure that the IdP's provisioned user is the same as BrowserStack’s Group Owner

Internal Error

This is an internal error, please connect with Support/AE/SE team.

Troubleshooting Internal errors while logging-in with SSO

Incorrect ACS URL on Identity Provider

Resolution: Please check the ACS Url submitted on your Identity Provider.

Screenshot if ACS url is incorrect

Misconfigured ACS 401 Error

Incorrect ACS URL error on Ping Identity

Note: Please connect with for any escalations or support.

We're sorry to hear that. Please share your feedback so we can do better

Contact our Support team for immediate help while we work on improving our docs.

We're continuously improving our docs. We'd love to know what you liked

Thank you for your valuable feedback

Is this page helping you?


We're sorry to hear that. Please share your feedback so we can do better

Contact our Support team for immediate help while we work on improving our docs.

We're continuously improving our docs. We'd love to know what you liked

Thank you for your valuable feedback!

Talk to an Expert
Download Copy