How to Set up Self-Service Single Sign-On (SSO)

 

At a Glance

Self-service Single Sign-On (SSO) allows you to set up and manage your SSO settings by logging in to UserTesting with your corporate credentials.

 

Centrally manage your company’s UserTesting account to ensure that the right team members have the proper access to the UserTesting platform. Self-service Single Sign-On eliminates security risks associated with multiple logins. 

How do I set up my SSO?

1. Navigate to the Security page under Settings. Before you begin, make sure you have the metadata from your identity provider and access to troubleshooting resources from your IT security team. Then click Set Up.

2. Confirm your company’s email domain, which is the same as the domain you used to sign in. Click Confirm.

3. Next, select an identity protocol to set up your SSO: SAML or OIDC.

If you select SAML, you will need to enter your organization’s identity provider’s Metadata URL and XML or upload an XML metadata file. You might need to reach out to your IT or Security team to obtain this metadata.

Please note: If you use Okta or certain other identity providers, your IT/Security team might need UserTesting's metadata before they can create yours. In these cases, feel free to enter fake or dummy metadata for us (for example, Audience URI = URI, ACS URL = https://url). We'll provide you with the correct metadata later on in this process.

4. If you select SAML, you will have three options for entering the required information. With Option 1, you can provide a URL for the location of the Metadata XML file.

With Option 2, you can paste the Metadata XML directly, or upload a Metadata XML file from your computer.

With Option 3, you can provide the required fields manually. If you upload a certificate, it must be in a .pem or .crt file format. 

If you want to enable IdP-initiated login, set your relay state (startURL) to https://app.usertesting.com/sessions/from_idp. The relay state should be encoded in the SSO URL.

If you select OIDC, you will need to enter the following metadata components from your organization’s identity provider: well-known URL, well-known file, client ID, and client secret.

5. In the last step, prepare your organization’s identity provider for SSO setup. In your organization’s identity provider, set Name ID format to EmailAddress. In SAML assertions, include first name, last name, and email address as attributes. Then, copy and paste the metadata components on the Copy to identity provider page into the respective fields in your organization’s identity provider. Click Finish when you are done.

Note: You can also download the metadata as an XML file for sharing.

6. The Security page will update to show that SSO has been activated.

7. If you need to disable SSO for any reason, select the toggle in the Single Sign-On (SSO) area.

As a best practice, we recommend testing SSO in a separate private browser window, so you can still disable it if login is unsuccessful and we need to troubleshoot further. If you're having trouble setting up SSO, we can set it up for you manually. Send your request to Support via this form with the subject “SSO Request.”

When SSO is enabled, you will be redirected to the configured IdP once you enter your email.

 

Frequently Asked Questions

Is just-in-time provisioning supported?

Yes, JIT (just-in-time provisioning) is available. If it’s enabled, anytime a brand new user tries to log in, we automatically provision them, add them to your account’s General workspace, and log them in. Please contact Support if you have further questions about this feature.

How is the access managed within UserTesting for end users?

You can manage user permissions and access in our application. We don’t support SCIM provisioning or managing access through SAML assertions yet.

Can I add more domains to my SSO configuration?

We’ll use a routing rule to enforce SSO login, and by default, we use your own email domain. However, you can contact our Support team to add more domains as needed.

How do we remove users when they leave?

To remove users, please remove them from your IDP. Additionally, you can remove them from your dashboard to free up licenses they may have been using. For more information, read the article Adding or Removing Team Members.

 
