Set up Self-Service Single Sign-On (SSO)

Self-service Single Sign-On (SSO) allows you to set up and manage your SSO settings by logging in to UserTesting with your corporate credentials.

This article applies to: ut logo tiny.pngUserTesting 

On this page:

 


 

About SSO

  • Centrally manage your company’s UserTesting account to make sure the right team members have access to the UserTesting platform. 
  • Self-service Single Sign-On eliminates security risks associated with multiple logins. 
  • If you use Okta, or certain other identity providers, your IT/Security team might need UserTesting to provide our metadata first before you can create your own.

    • In these cases, feel free to use fake or dummy metadata for us (for example, Audience URI = URI, ACS URL = https://url).

    • We'll provide you with the correct metadata later on in this process.

 

 

Set up SSO

  1. Navigate to Settings, then to the Security tab
  2. Ensure you have the metadata from your identity provider and access to troubleshooting resources from your IT security team before you begin. Then select Set Up
    Screenshot 2023-10-16 at 10.59.16 AM.png
  3. Confirm your company’s email domain, which is the same as the domain you used to sign in. Click Confirm.
    Screenshot 2023-10-16 at 11.08.39 AM.png

  4. Next, select an identity protocol to set up your SSO: SAML or OIDC.Screenshot 2023-10-16 at 11.08.39 AM.pngNote: If you select SAML, you'll need to enter your organization’s identity provider’s Metadata URL and XML or upload an XML metadata file. You might need to contact your IT or Security team to obtain this metadata.

    Please note:  If you use Okta, or certain other identity providers, your IT/Security team might need UserTesting to provide our metadata first before you can create your own. In these cases, feel free to use fake or dummy metadata for us (for example, Audience URI = URI, ACS URL = https://url). We'll provide you with the correct metadata later on in this process.
  5. If you select SAML, you'll have three options for entering the required information.
    Option 1: Provide a URL for the location of the Metadata XML file.Screenshot 2023-10-16 at 11.09.27 AM.png
    Option 2: Paste the Metadata XML directly, or upload a Metadata XML file from your computer.
    Screenshot 2023-10-16 at 11.09.55 AM.png
    Option 3: Provide the required fields manually. If you upload a certificate, it must be in a .pem or .crt file format. 
    Screenshot 2023-10-16 at 11.10.16 AM.png

    Please set your relay state (startURL) to https://app.usertesting.com/sessions/from_idp if you want to enable IDP-initiated login. The relay state should be encoded in the SSO URL.

    If you select OIDC, you'll enter the following metadata components from your organization’s identity provider: well-known URL, well-known file, client ID, and client secret.sso_6.png

  6. Prepare your organization’s identity provider for SSO setup. In your organization’s identity provider, set Name ID format to EmailAddress.
  7. In SAML assertions, include first name, last name, and email address as attributes.
  8. Then, copy and paste the metadata components on the Copy to identity provider page into respective fields in your organization’s identity provider. Select Finish when you are done.
    Note: You can also download the metadata as an XML file for sharing.
    sso_7.png
  9. The Security page will update to show that SSO has been activated.sso_8.png
  10. If you need to disable SSO for any reason, select the toggle in the Single Sign-On (SSO) area.
    sso_9.png
  11. When SSO is enabled, and once you enter your email, you'll be redirected to the IDP that has been configured.
    NewLogin Page.jpg

Best practices

  • We recommend testing SSO in a separate private browser window, so you can still disable it if login is unsuccessful and we need to troubleshoot further.
  • If you're having trouble setting up SSO, we can set it up for you manually. Send your request to Support via this form with the subject “SSO Request.”

 

 

FAQs

After enabling SSO, how can I update my IDP certificate in the future?

Currently, the only way to edit your configuration after it’s enabled is to delete it and start over with a new one. We recommend reaching out to our Support team if you need to update the certificate and keep everything else unchanged. 

Is just-in-time provisioning supported?

Yes, JIT (just-in-time provisioning) is available. If it’s enabled, anytime a brand new user tries to log in, we automatically provision them, add them to your account’s General workspace, and log them in. Please contact Support if you have further questions about this feature.

How is the access managed within UserTesting for end users?

You can manage user permissions and access in our application. We don’t support SCIM provisioning or managing access through SAML assertions yet.

Can I add more domains to my SSO configuration?

We’ll use a routing rule to enforce SSO login, and by default, we use your own email domain. However, you can contact our Support team to add more domains as needed.

How do we remove users when they leave?

To remove users, please remove them from your IDP. Additionally, you can remove them from your dashboard to free up licenses they may have been using.  For more information, read the article Adding or removing team members.

 

 

Related content

information icon.png

knowledge icon.png

Want to learn more? Check out these Knowledge Base articles... 

Interested in growing your skills? Check out our University courses...

video icon 2.png

team icon.png

Need hands-on training?

Can't find your answer?

 

 

Please provide any feedback you have on this article. Your feedback will be used to improve the article and should take no more than 5 minutes to complete. Article evaluations will remain completely confidential unless you request a follow-up. 

Was this article helpful?
0 out of 0 found this helpful