How to Set Up Self-Service Single Sign-On (SSO)

 

At a Glance

Self-service Single Sign-On (SSO) allows you to set up and manage your SSO settings by logging in to UserTesting with your corporate credentials.

 

Centrally manage your company’s UserTesting account to ensure that the right team members have the proper access to the UserTesting platform. Self-service Single Sign-On eliminates security risks associated with multiple logins. 

How do I set up my SSO?

1. Navigate to the Security page under Settings. Ensure you have the metadata from your identity provider and access to troubleshooting resources from your IT security team before you begin. Then click Set Up.


2. Confirm your company’s email domain, which is the same as the domain you used to sign in. Click Confirm.


3. Next, select an identity protocol to set up your SSO: SAML or OIDC.


If you select SAML, you will need to enter your organization’s identity provider’s Metadata URL and XML or upload an XML metadata file. You might need to reach out to your IT or Security team to obtain this metadata.

 

Please note: In rare cases, your IT or Security team might need UserTesting to provide our metadata first, before you can create your own. In these cases, feel free to use placeholder metadata for UserTesting (for example, Audience URI = URI, ACS URL = https://url), and then update it later with the values we provide.

4. If you select SAML, you will have three options for entering the required information. With Option 1, you can provide a URL for the location of the Metadata XML file.

 


With Option 2, you can paste the Metadata XML directly, or upload a Metadata XML file from your computer.


With Option 3, you can provide the required fields manually. If you upload a certificate, it must be in a .pem or .crt file format. 


To enable IdP-initiated login, set your relay state (startURL) to https://app.usertesting.com/sessions/from_idp. The relay state should be encoded in the SSO URL.

If you select OIDC, you will need to enter the following metadata components from your organization’s identity provider: well-known URL, well-known file, client ID, and client secret.


5. In the last step, prepare your organization’s identity provider for SSO setup. In your organization’s identity provider, set the Name ID format to EmailAddress. In SAML assertions, include first name, last name, and email address as attributes. Then copy the metadata components shown on the Copy to identity provider page and paste them into the respective fields in your organization’s identity provider. Click Finish when you are done.

Note: You can also download the metadata as an XML file for sharing.


6. The Security page will update to show that SSO has been activated.


7. If you need to disable SSO for any reason, select the toggle in the Single Sign-On (SSO) area.


As a best practice, we recommend testing SSO in a separate private browser window, so you can still disable it if login is unsuccessful and we need to troubleshoot further. If you're having trouble setting up SSO, we can set it up for you manually. Send your request to Support via this form with the subject “SSO Request.”

When SSO is enabled, all users with the email domain(s) you set up must log in using the Login with SSO button.

 


Frequently Asked Questions

Is just-in-time provisioning supported?

Yes, we have a beta version of JIT (just-in-time) provisioning available. If it’s enabled, any time a brand-new user tries to log in, we automatically provision them, add them to your account’s General workspace, and log them in. Please contact Support if you have further questions about this feature.

How is the access managed within UserTesting for end users?

You can manage user permissions and access in our application. We don’t support SCIM provisioning or managing access through SAML assertions yet.

Can I add more domains to my SSO configuration?

We’ll use a routing rule to enforce SSO login, and by default we use your own email domain. However, you can reach out to our Support team to add more domains as needed.

 

 

 

 

 

 

 

 
