Skip to main content

Setting Up Single Sign-On

ENTERPRISE PLANS ONLY

Sauce Labs supports Identity Provider (Idp)-initiated Single Sign-On (SSO). This feature allows your authorized employees to access Sauce Labs in a moderated fashion, as an alternative to using credentials. SSO is available to invoiced accounts, and can only be implemented by the organization admin of the account. If you are an invoice customer, the following sections will guide you on how to set up SSO.

What You'll Need#

  • An enterprise license for Sauce Labs
  • Organization admin access (see User Roles for more information)
  • To export the SAML metadata file for your identity provider
  • To be able to use IdP-initiated SAML for this feature

SAML2.0 Metadata File#

Before you can set up SSO, you'll need to export the SAML metadata file for your identity provider and upload it to Sauce Labs when you're configuring SSO.

The SAML metadata file is an XML file that is generated by your IdP and contains information required to establish the link between it and Sauce Labs SSO. The admin for your IdP should be able to provide this file for you. The EntityID attribute must be included in your XML file, set to the Issuer URL (for example, https://www.yourcompany.com/sso-prod), for the integration to work correctly.

SAML2.0 SAML Response Payload#

The following attributes must be included in your SAML assertion, with the expected values, for the integration to work correctly.

AttributesExpected ValueExample
IssuerURL identifying your organizationhttps://www.yourcompany.com/sso-prod
NameIDUser's email addressjohn.smith@yourcompany.com

NameID Specification#

By default, many IdPs don't set the NameID attribute to be the email address of the user. If the value for this attribute is something other than an email address, you can still integrate your IdP with Sauce SSO.

We recommend setting it to the email address, as this makes it easier to manage through the IdP. When the SSO user name is created, only the section preceding the @ is used. For example, from the email john.smith@yourcompany.com, only john.smith would be used.

If the saml:NameID field contains only a user name and no @ symbol, then the SSO username will be based on your Domain Name. If your domain was sauce and the field value was john.smith, the SSO user name would be sso-sauce-john.smith.

AudienceRestriction#

This is a required attribute within the SAML assertion that indicates the specific users the assertion is intended for. It must be equal to the value of entityID from SauceLabs metadata based on your data center. For details, see the Single Sign-On Configuration section in Data Center Endpoints.

Configuration Information for SSO#

The Signing/Encryption Certificate and Entity AssertionConsumeURLs required for configuring Sauce Labs SSO vary based on your data center. For details, see Data Center Endpoints. Here are some things to be aware of:

  • The Assertion/Issuer Name is Sauce Labs
  • Sauce Labs does not provide a staging environment for pre-integration testing of SSO
  • Single logout is not supported, but all sessions time out after 30 minutes of inactivity