Single Sign-On (SSO) Configuration
Configure enterprise Single Sign-On authentication for BrowserStack Code Quality (Embold) to enable secure, centralized user authentication and seamless integration with your organization's identity infrastructure.
Overview
Single Sign-On (SSO) allows users to authenticate with BrowserStack Code Quality using their existing corporate credentials, eliminating the need for separate platform-specific passwords. This enhances security, improves user experience, and simplifies user management across your organization.
Key Benefits
- Enhanced Security: Centralized authentication and password policies
- Improved User Experience: One-click login with corporate credentials
- Simplified Management: Automated user provisioning and de-provisioning
- Compliance Ready: Meet enterprise security and audit requirements
- Reduced IT Overhead: Streamlined user lifecycle management
Supported SSO Methods
BrowserStack Code Quality supports multiple enterprise-grade SSO authentication methods:
SAML 2.0 SSO
Recommended for most enterprise environments
- Industry-standard enterprise SSO protocol
- Compatible with major Identity Providers (Okta, Azure AD, OneLogin, Ping Identity)
- Supports attribute mapping and group-based role assignment
- Full encryption and digital signature support
View Complete SAML Configuration Guide →
LDAP Integration
Ideal for Active Directory environments
- Direct integration with Active Directory and LDAP servers
- Automatic user synchronization and group mapping
- Support for nested groups and organizational units
- Configurable connection pooling and failover
View Complete LDAP Configuration Guide →
OAuth 2.0
For cloud-based identity providers
- Support for modern OAuth 2.0 flows
- Integration with cloud identity providers
- Token-based authentication with refresh capabilities
- Perfect for distributed and cloud-native environments
Enterprise SSO Features
Automatic User Provisioning
- Just-in-Time (JIT) Provisioning: Automatically create users on first login
- Attribute Mapping: Map IdP attributes to user profiles (email, name, department)
- Group Synchronization: Automatically assign roles based on IdP groups
- User Deactivation: Disable access when users are removed from IdP
Advanced Access Control
- Role-Based Access Control (RBAC): Fine-grained permission management
- Project-Level Permissions: Control access to specific projects and repositories
- Group-to-Role Mapping: Automatic role assignment based on IdP groups
- Multi-Level Authorization: Support for global and project-specific roles
Security & Compliance
- Multi-Factor Authentication (MFA): Inherit MFA policies from your IdP
- Session Management: Configurable session timeouts and policies
- Audit Logging: Complete authentication and authorization audit trails
- Certificate Management: Support for custom certificates and key rotation
SSO Configuration Process
Step 1: Choose Your SSO Method
Select the appropriate SSO method based on your organization's infrastructure:
| Method | Best For | Requirements | Setup Complexity |
|---|---|---|---|
| SAML 2.0 | Enterprise IdPs (Okta, Azure AD, OneLogin) | IdP admin access, SSL certificates | Medium |
| LDAP | Active Directory, OpenLDAP environments | LDAP server access, network connectivity | Low |
| OAuth 2.0 | Cloud providers, modern web applications | OAuth app registration | Medium |
Step 2: Prepare Your Identity Provider
Configure your Identity Provider with BrowserStack Code Quality details:
For SAML Configuration:
- Service Provider (SP) Entity ID: https://your-domain.com/saml/metadata
- Assertion Consumer Service (ACS) URL: https://your-domain.com/saml/acs
- Single Logout Service URL: https://your-domain.com/saml/sls
- Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Required Attribute Mapping:
```xml
<!-- Essential User Attributes -->
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
<!-- Group/Role Attributes (Optional) -->
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups"/>
```
Step 3: Configure BrowserStack Code Quality
Enable and configure SSO in your platform settings:
Navigate to Admin Settings
- Log in as Account Administrator
- Go to Settings → Authentication → SSO Configuration
Upload IdP Configuration
- Upload IdP metadata XML file (SAML)
- Or configure LDAP connection strings
- Test connectivity to IdP
Configure User Attribute Mapping
```yaml
user_attributes:
  email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  first_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
  last_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
  display_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
```
Set Up Role Mapping (Optional but Recommended)
```yaml
role_mapping:
  # Global Roles
  "code_quality_account_admin": "Account Administrator"
  "code_quality_user_admin": "User Administrator"
  "code_quality_project_admin": "Project Administrator"
  # Project-Specific Roles (Dynamic)
  "code_quality_manager_{project_name}": "Manager"
  "code_quality_analyser_{project_name}": "Analyser"
  "code_quality_explorer_{project_name}": "Explorer"
```
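A deny-by-default resolver for the role_mapping above, as an added example that is not BrowserStack's own code: it matches group claims case-sensitively against the global names and anchored project templates, and reports why a group granted nothing. The `known_projects` argument, the project-name character set and all function names are assumptions; the placeholder pattern also accepts the `{project}` form used in the group_mapping block later on this page.

```python
import re

# role_mapping from the page: IdP group name (or template) -> platform role.
ROLE_MAPPING = {
    "code_quality_account_admin": "Account Administrator",
    "code_quality_user_admin": "User Administrator",
    "code_quality_project_admin": "Project Administrator",
    "code_quality_manager_{project_name}": "Manager",
    "code_quality_analyser_{project_name}": "Analyser",
    "code_quality_explorer_{project_name}": "Explorer",
}
PLACEHOLDER = re.compile(r"\{\w+\}")  # matches {project_name} or {project}
PROJECT = r"(?P<project>[A-Za-z0-9][A-Za-z0-9.-]*)"  # assumed charset, not from the page

def compile_mapping(mapping):
    """Split the mapping into exact global names and anchored template regexes."""
    exact, templates = {}, []
    for key, role in mapping.items():
        parts = PLACEHOLDER.split(key, maxsplit=1)
        if len(parts) == 2:
            regex = re.compile(re.escape(parts[0]) + PROJECT + re.escape(parts[1]))
            templates.append((regex, role))
        else:
            exact[key] = role
    return exact, templates

def _lookup(group, exact, templates):  # -> (project or None, role), or None
    if group in exact:
        return None, exact[group]
    for regex, role in templates:
        if m := regex.fullmatch(group):  # whole name must match, no partial hits
            return m.group("project"), role
    return None

def resolve_roles(groups, known_projects, mapping=ROLE_MAPPING):
    """Map one login's group claims to roles; unmatched groups grant nothing."""
    exact, templates = compile_mapping(mapping)
    global_roles, project_roles, rejected = set(), {}, []
    for group in groups:
        hit = _lookup(group, exact, templates)
        if hit is None:  # distinguish a casing slip from an unrelated group
            folded = _lookup(group.lower(), exact, templates)
            rejected.append((group, "case mismatch" if folded else "no mapping"))
        elif hit[0] is None:
            global_roles.add(hit[1])
        elif hit[0] in known_projects:
            project_roles.setdefault(hit[0], set()).add(hit[1])
        else:
            rejected.append((group, "unknown project"))
    return global_roles, project_roles, rejected
```

Logging the `rejected` list at login gives the Role Assignment Test in Step 4 a concrete reason for every group that did not produce a role.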
Step 4: Test and Validate SSO Configuration
Comprehensive testing ensures a smooth SSO deployment:
Pre-Production Testing:
- Connection Test: Verify IdP connectivity and metadata exchange
- User Authentication Test: Test login with a non-administrative user
- Attribute Mapping Test: Confirm user attributes populate correctly
- Role Assignment Test: Verify group-to-role mapping works as expected
- Session Management Test: Test logout and session timeout behavior
Production Validation Checklist:
- [ ] SSO login redirects work correctly
- [ ] User profiles populate with correct information
- [ ] Group-based role assignments function properly
- [ ] Existing user accounts merge correctly with SSO identities
- [ ] Logout processes complete successfully
- [ ] Audit logs capture authentication events
Common SSO Integration Scenarios
Azure Active Directory Integration
Complete setup guide for Microsoft Azure AD SAML integration:
- App registration in Azure portal
- Enterprise application configuration
- Conditional access policies
- Group claims configuration
- Multi-tenant considerations
Okta Integration
Step-by-step Okta SAML application setup:
- Okta app creation and configuration
- Attribute statement configuration
- Group attribute setup
- User assignment and provisioning
- Testing and troubleshooting
🟢 Active Directory / LDAP
Direct Active Directory integration via LDAP:
- LDAP connection configuration
- User DN and search base setup
- Group membership synchronization
- Nested group support
- Connection pooling and security
Troubleshooting SSO Issues
Common Authentication Problems
Issue: "SAML Response Validation Failed"
- Verify certificate validity and expiration
- Check clock synchronization between systems
- Validate SAML assertion signatures
- Review attribute mapping configuration
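A diagnostic for the clock-synchronization check above, as an added example that is not part of the product: it inspects a decoded SAML response for the non-cryptographic causes of this error, using the SP Entity ID and ACS URL from Step 2. The 120-second skew tolerance, the function names and the sample response are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SP values from the SAML configuration list on this page (placeholder domain).
SP_ENTITY_ID = "https://your-domain.com/saml/metadata"
ACS_URL = "https://your-domain.com/saml/acs"

# Constructed sample: a decoded, unsigned response used only to exercise the checks.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://your-domain.com/saml/acs">
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://your-domain.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(xml_text, now=None, skew=timedelta(seconds=120)):
    """List why an SP would reject this response; skew is an assumed tolerance.

    Diagnostic only: it does not verify signatures and must not gate logins."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != ACS_URL:
        findings.append("Destination does not match ACS URL")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return findings + ["no readable Conditions (assertion may be encrypted)"]
    audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        findings.append("Audience does not include SP Entity ID")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _ts(not_before):
        findings.append("not yet valid: SP clock is behind the IdP")
    if not_after and now - skew >= _ts(not_after):
        findings.append("expired: SP clock is ahead of the IdP or delivery was slow")
    return findings
```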
Issue: "User Not Found After SSO Login"
- Confirm JIT provisioning is enabled
- Verify email attribute mapping
- Check group membership requirements
- Review user blocking/activation settings
Issue: "Incorrect Role Assignment"
- Validate group attribute transmission from IdP
- Review role mapping configuration
- Check group name format and case sensitivity
- Verify project-specific role templates
Debugging Tools and Logs
- Enable SAML debug logging for detailed traces
- Use browser developer tools to inspect SAML requests/responses
- Check IdP logs for authentication failures
- Review platform audit logs for user provisioning events
Next Steps
After successfully configuring SSO:
- Review User Roles & Permissions - Understand the permission model
- Configure Quality Gates - Set up automated quality enforcement
- Create Dashboards - Build quality monitoring dashboards
- Set Up CI/CD Integration - Connect with your development pipeline
Need Help? Contact your system administrator or refer to our Advanced Configuration Guide for additional SSO customization options.
- Check group membership
- Roll out to wider user base
User Provisioning
Manual Provisioning
- Create users manually
- Assign roles
- Set attributes
Automatic Provisioning (JIT)
- Users created on first login
- Attributes sourced from IdP
- Group-based role assignment
- Automatic attribute updates
Group Mapping
Map external groups to internal roles:
```yaml
group_mapping:
  # Global roles
  "code_quality_account_admin": "Account Administrator"
  "code_quality_user_admin": "User Administrator"
  # Project-level roles
  "code_quality_project_{project}_admin": "Project Administrator"
  "code_quality_project_{project}_manager": "Manager"
```
Session Management
Configure session behavior:
- Session timeout – Auto logout after inactivity
- Remember me – Extended sessions
- Force re-auth – Require fresh authentication
- Concurrent sessions – Multiple login handling
Security Considerations
Best Practices
- Use HTTPS only
- Enable assertion and transport encryption
- Validate signatures
- Implement single logout
- Rotate keys regularly
Monitoring
- Track login attempts
- Monitor failures
- Audit access
- Review permissions
Troubleshooting
Login Fails
- Check IdP configuration
- Verify certificates
- Review attribute mapping
- Check network connectivity
Attributes Missing
- Verify IdP sends attributes
- Check attribute mapping
- Review SAML response
- Update configuration
Access Denied
- Check group membership
- Verify role mapping
- Review permissions
- Update user attributes
Infinite Redirect
- Clear browser cache
- Check callback URLs
- Verify session cookies
- Review network logs
Migration
From Local Auth to SSO
- Set up SSO configuration.
- Test with an admin account.
- Migrate users gradually.
- Update documentation.
- Disable local auth (optional).
Between SSO Methods
- Configure new SSO.
- Test alongside existing.
- Migrate user mappings.
- Switch over.
- Remove old configuration.
