Skip to main content

Setting Up SSO

Enterprise Plans only

Sauce Labs supports Identity Provider (IdP)-initiated and Service Provider (SP)-initiated Single Sign-On (SSO) via SAML 2.0 protocol. This feature allows your authorized employees to access Sauce Labs in a moderated fashion, as an alternative to using credentials. SAML SSO is available to invoiced accounts, and can only be implemented by the organization admin of the account. If you are an invoice customer, the following sections will guide you on how to set up SAML SSO.

What You'll Need

  • An enterprise license for Sauce Labs
  • Organization admin access (see User Roles for more information)

Setup Overview

First, set up a new SAML application in your Identity Provider (IdP). Next, enable and configure SSO in Sauce Labs Team Management Panel.


SSO at Sauce Labs is global. In other words, it does not matter in which region you set it up. Unlike to the former SSO implementation, which has been deprecated.

Setting Up Identity Provider


We provide preconfigured SAML applications for some identity providers. They allow you to set up SSO integration with a few clicks. Choose your provider and follow the configuration steps:

If you use a custom identity provider or your provider does not appear in the list above, please complete the manual setup:

  1. Obtain SAML metadata from Sauce Labs Service Provider, which is served under this link.
  2. Log in to your identity provider administrator panel.
    • For example in Okta, you log into your account and click the Admin button.IdP Admin Login
  3. Create a new SAML application.
    • In the IdP, go to the "Applications" or "Integrations" section and create a new SAML application.
    • Follow the instructions from your IdP to provide the Sauce Labs SAML metadata obtained in Step 1. If your IdP does not allow uploading service provider metadata, set up the integration manually using Service Provider SAML Requirements.
  4. Export SAML metadata of your new SAML application.

Service Provider SAML Requirements

Here is the list of settings that are required by Sauce Labs Service Provider:

Entity ID
Audience URI
Assertion Consumer Service
Recipient URL
Destination URL
Name ID formaturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress


Either the SAML Assertion or SAML Response must be signed.

A digital signature is required to ensure that only your IdP generated the assertion.


Encryption of the SAML Assertion is not mandatory.

You can enable encryption if you want an additional layer of security. You will need to use the certificate (with alias encryption) from the Sauce Labs metadata.


Possible Issues

If you start to see errors after enabling encryption, make sure that you use the encryption certificate that is provided in Sauce Labs metadata (in the tag <KeyDescriptor use="encryption">) and the encryption algorithm matches the algorithm provided in Sauce Labs metadata (value of the attribute Algorithm in the tag EncryptionMethod).

Name ID

Name ID format must be set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

The value of the attribute NameID in SAML Response must be a valid email address. We do not accept values which are not email addresses, for instance usernames, IDs, etc.

SAML Claims

Sauce Labs Service Provider does not require any extra attributes in the SAML Response.

Certificate rotation


This section is relevant only for identity providers that enabled encryption of SAML Assertions.

If you enabled encryption of SAML Assertions in your IdP, you must upload the certificate that is provided in Sauce Labs metadata.

The certificate is valid for one year. 120 days before the expiration date the new certificate will be available in Sauce Labs metadata. Upload the new certificate in your IdP.

If you encounter any issues during the certificate rotation, you can safely go back to the old certificate (until the expiration date). Both certificates will work.


If you do not replace the encryption certificate in your IdP on time, once the certificate expires, any user from your organization will not be able to authenticate via SSO.

Integrating With Sauce Labs Service Provider

  1. On Sauce Labs, click Account, and then click Team Management.
Team Management Menu
  1. On the Organization Management page, in the ORGANIZATION SETTINGS section, click View Settings.
Organization Setting Button
  1. On the Organization Settings page, click the SINGLE SIGN-ON tab.
  1. Upload the SAML metadata file provided by your IdP.
Upload Metadata Button
  1. In the Status section, toggle the switch to Enabled. For more information about adding new users and SSO considerations, see Adding and Deactivating Users.
Enable SSO
  1. Test the integration.

Email domains

We strongly recommend that you assign your company email domains to your Sauce Labs organization. This allows users who do not have an account at Sauce Labs to initiate SSO at the Sauce Labs login page.

SSO Login Button
Contact support to assign email domains to your organization.

You can assign multiple domains.

Enforce SAML SSO

As an additional security measure, you can require users from your organization to sign in only via SAML SSO (IdP and SP-initiated flow). All other authentication methods will not be allowed.

You can toggle this setting in SSO settings:

SSO Required

Just-In-Time (JIT) Provisioning

Organization admins do not have to manually create accounts at Sauce Labs for new SSO users. JIT makes the onboarding process much more efficient.

New users can sign up via SP or IdP-initiated SSO and the new accounts at Sauce Labs will be created automatically.

Team placement

Users who are created via SSO are placed into the default team.

Organization admins can assign users to other teams.

Unsupported features

The following SSO-related features are currently not supported:

  • SCIM (System for Cross-domain Identity Management)
  • SLO (Single Logout)
  • a staging environment for pre-integration testing of SSO
  • integration with multiple identity providers in a single Sauce Labs organization