Setting Up Single Sign-On (Deprecated Flow)
Deprecated
Enterprise Plans only
This SSO flow has been deprecated. Use this documentation only if your organization was not migrated to the new SSO.
If you do not have any SSO integrations set up at Sauce Labs and you wish to establish a new integration, see Setting Up SSO to get started.
If you have previously implemented the deprecated SSO integration and wish to migrate to the new SSO implementation, see the step-by-step migration guide.
How Do I Know If My Organization Uses The Deprecated SSO Integration?
- The Service Provider entity ID (Issuer) in your Identity Provider configuration is set to either https://saucelabs.com/sso/metadata or https://eu-central-1.saucelabs.com/sso/metadata.
- The Assertion Consumer Service (ACS) URL in your Identity Provider configuration is set to one of the following values:
https://app.saucelabs.com/sso/acs
https://saucelabs.com/sso/acs
https://app.eu-central-1.saucelabs.com/sso/acs
https://eu-central-1.saucelabs.com/sso/acs
- The configuration panel for the deprecated SSO is different from the configuration panel of the new SSO.
Sauce Labs supports Identity Provider (IdP)-initiated Single Sign-On (SSO). This feature allows your authorized employees to access Sauce Labs in a moderated fashion, as an alternative to using credentials. SSO is available to invoiced accounts, and can only be implemented by the organization admin of the account. If you are an invoiced customer, the following sections will guide you through setting up SSO.
What You'll Need
- An enterprise license for Sauce Labs
- Organization admin access (see User Roles for more information)
- The ability to export the SAML metadata file for your identity provider
- The ability to use IdP-initiated SAML for this feature
SAML2.0 Metadata File
Before you can set up SSO, you'll need to export the SAML metadata file for your identity provider and upload it to Sauce Labs when you're configuring SSO.
The SAML metadata file is an XML file that is generated by your IdP and contains information required to establish the link between it and Sauce Labs SSO. The admin for your IdP should be able to provide this file for you. The EntityID attribute must be included in your XML file, set to the Issuer URL (for example, https://www.yourcompany.com/sso-prod), for the integration to work correctly.
SAML2.0 SAML Response Payload
The following attributes must be included in your SAML assertion, with the expected values, for the integration to work correctly.
Attributes | Expected Value | Example |
---|---|---|
Issuer | URL identifying your organization | https://www.yourcompany.com/sso-prod |
NameID | User's email address | john.smith@yourcompany.com |
NameID Specification
By default, many IdPs don't set the NameID attribute to be the email address of the user. If the value for this attribute is something other than an email address, you can still integrate your IdP with Sauce SSO.
We recommend setting it to the email address, as this makes it easier to manage through the IdP. When the SSO user name is created, only the section preceding the @ is used. For example, from the email saucebot@yourcompany.com, only saucebot would be used.
If the saml:NameID field contains only a user name and no @ symbol, then the SSO username will be based on your Domain Name. If your domain was sauce and the field value was saucebot, the SSO user name would be sso-sauce-saucebot.
AudienceRestriction
This is a required attribute within the SAML assertion that indicates the audience the assertion is intended for. It must be equal to the value of entityID from the Sauce Labs metadata for your data center. For details, see the Single Sign-On Configuration section in Data Center Endpoints.
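The following pre-flight check is an added example, not Sauce Labs code. It lints a test assertion from your IdP against the Issuer, NameID and AudienceRestriction requirements above and derives the resulting SSO user name. The function names and the sample assertion are constructed for illustration; the `sauce` domain and the URLs are the example values used on this page.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured traffic); signature omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://www.yourcompany.com/sso-prod</saml:Issuer>
  <saml:Subject><saml:NameID>saucebot@yourcompany.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://saucelabs.com/sso/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def sso_username(name_id, domain):
    """Username rule from this page: local part of an email address,
    otherwise sso-<domain>-<value> when the NameID has no @."""
    if "@" in name_id:
        return name_id.split("@", 1)[0]
    return f"sso-{domain}-{name_id}"

def lint_assertion(xml_text, expected_issuer, sp_entity_id, domain):
    """Return (problems, username). Structural lint only: it does not
    verify the XML signature and must not be used to accept logins."""
    # Only feed this your own IdP's test output; ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(xml_text)
    # Accept a bare Assertion or one wrapped in a samlp:Response.
    is_assertion = root.tag == "{%s}Assertion" % NS["saml"]
    node = root if is_assertion else root.find(".//saml:Assertion", NS)
    if node is None:
        return ["no saml:Assertion element found"], None
    problems = []
    issuer = node.findtext("saml:Issuer", "", NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} != expected {expected_issuer!r}")
    name_id = node.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not name_id:
        problems.append("NameID is missing or empty")
    audiences = [a.text.strip() for a in node.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences!r} lacks SP entityID {sp_entity_id!r}")
    return problems, (sso_username(name_id, domain) if name_id else None)

if __name__ == "__main__":
    print(lint_assertion(SAMPLE, "https://www.yourcompany.com/sso-prod",
                         "https://saucelabs.com/sso/metadata", "sauce"))
```

Pass the entityID for your own data center as `sp_entity_id`; the value in the sample is the US deprecated-flow entity ID listed earlier on this page.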
Configuration Information for SSO
The Signing/Encryption Certificate and Entity AssertionConsumeURLs required for configuring Sauce Labs SSO vary based on your data center. For details, see Data Center Endpoints. Here are some things to be aware of:
- The Assertion/Issuer Name is Sauce Labs
- Sauce Labs does not provide a staging environment for pre-integration testing of SSO
- Single logout is not supported, but all sessions time out after 30 minutes of inactivity