Sauce Labs supports Identity Provider (Idp)-initiated Single Sign-On (SSO). This feature allows customers' authorized employees to access Sauce Labs in a moderated fashion, as an alternative to using credentials. SSO is available to invoiced accounts, and can only be implemented by the organization admin of the account. If you are an invoice customer, the following sections will guide you on how to set up SSO.
What You'll Need
An enterprise license for Sauce Labs
- Organization admin access (see User Roles for more information)
- To export the SAML metadata file for your identity provider
- To be able to use IdP-initiated SAML for this feature
SAML2.0 Metadata File
Before you can set up SSO, you'll need to export the SAML metadata file for your identity provider and upload it to Sauce Labs when you're configuring SSO.
The SAML metadata file is an XML file that is generated by your IdP and contains information required to establish the link between it and Sauce Labs SSO. The admin for your IdP should be able to provide this file for you. The EntityID attribute must be included in your XML file, set to the Issuer URL (e.g.,), for the integration to work correctly.
SAML2.0 SAML Response Payload
The following attributes must be included in your SAML assertion, with the expected values, for the integration to work correctly.
|URL identifying your organization|
|User's email address||j|
By default, many IdPs don't set the
NameID attribute to be the email address of the user. If the value for this attribute is something other than an email address, you can still integrate your IdP with Sauce SSO.
We recommend setting it to the email address, as this makes it easier to manage through the IdP. When the SSO username is created, only the section preceding the
@ is used. For example, from the email
john.smith would be used.
saml:NameID field contains only a user name and no
@ symbol, then the SSO username will be based on your Domain Name. If your domain was
sauce and the field value was
john.smith, the SSO username would be
This is a required attribute within the SAML assertion that indicates the specific users the assertion is intended for. It must be equal to the value of entityID from SauceLabs metadata based on your data center. For details, see the Single Sign-On Configuration section in Data Center Endpoints.
Configuration Information for SSO
The Signing/Encryption Certificate and Entity AssertionConsumeURLs required for configuring Sauce Labs SSO vary based on your data center. For details, see Data Center Endpoints. Here are some things to be aware of:
- The Assertion/Issuer Name is Sauce Labs
- Sauce Labs does not provide a staging environment for pre-integration testing of SSO
- Single log-out is not supported, but all sessions time out after 30 minutes of inactivity