How do I set up SSO for my domain?
- Send your request to Support via this form with the subject "SSO Request." In the body of the message, please include your SAML metadata:
- The email domain (s) for which you want SSO enabled
- Identity provider Entity Id
- Identity provider SSO URL
- Identity provider certificate (preferably in .cer or .pem format)
- Please configure the following settings in your Identity provider (IDP):
- Set Name ID format to EmailAddress
- Add firstName, lastName, and email as separate attributes sent in SAML assertions
- Set the relay state to https://app.usertesting.com/sessions/from_idp
Our Support team will work with you to set up the SSO connection manually, and then test logging in.
Once SSO is enabled, everyone using UserTesting with your email domain will need to log in using SSO. In other words, if the domain is "company.com," everyone with an @company.com address will be required to use SSO.
Frequently asked questions
Q: What NameID format should we set?
A: We expect "username" to be sent as an email address.
Q: Are there any additional attribute(s) I need to send?
A: Yes, please make sure you’re sending attributes for firstName, lastName, and email in SAML assertions.
Q: Do you support SP or IDP initiated login?
A: Yes, we support both. Users will SP login from our login page app.usertesting.com.
To use IDP initiated login, please set a RelayState to https://app.usertesting.com/sessions/from_idp
Q: What happens if my email domain is used for more than one UserTesting Account instance?
A: Since we enable and enforce Single Sign On based on email domains, users across all of your accounts will be required to log in with SSO.
Q: Do you support Just in Time provisioning?
A: We have a beta version of this feature available. Please reach out if you’re interested.
Q: Do you support SCIM provisioning?
A: Currently, we do not. All users are managed in the People Settings page within the app. Please note that if a user is removed from your IdP, they can not access the platform.