The Sauce Labs Cookbook

Sauce Headless

Front End Performance Testing

Insights

External Resources

More Info


Page tree
Skip to end of metadata
Go to start of metadata

Sauce Labs supports Identity Provider (Idp)-initiated Single Sign-On (SSO). This feature allows customers' authorized employees to access Sauce Labs in a moderated fashion, as an alternative to using credentials. SSO is available to invoiced accounts, and can only be implemented by the organization admin of the account. If you are an invoice customer, the following sections will guide you on how to set up SSO.  

What You'll Need

ENTERPRISE PLANS ONLY

  • An enterprise license for Sauce Labs

  • Organization admin access (see User Roles for more information)
  • To export the SAML metadata file for your identity provider
  • To be able to use IdP-initiated SAML for this feature

SAML2.0 Metadata File

Before you can set up SSO, you'll need to export the SAML metadata file for your identity provider and upload it to Sauce Labs when you're configuring SSO.

The SAML metadata file is an XML file that is generated by your IdP and contains information required to establish the link between it and Sauce Labs SSO. The admin for your IdP should be able to provide this file for you. The EntityID attribute must be included in your XML file, set to the Issuer URL (e.g., https://www.yourcompany.com/sso-prod), for the integration to work correctly.

SAML2.0 SAML Response Payload

The following attributes must be included in your SAML assertion, with the expected values, for the integration to work correctly.

Attributes

Expected Value

Example

IssuerURL identifying your organizationhttps://www.yourcompany.com/sso-prod
NameIDUser's email addressjohn.smith@yourcompany.com

NameID Specification

By default, many IdPs don't set the NameID attribute to be the email address of the user. If the value for this attribute is something other than an email address, you can still integrate your IdP with Sauce SSO.

We recommend setting it to the email address, as this makes it easier to manage through the IdP. When the SSO username is created, only the section preceding the @ is used. For example, from the email john.smith@yourcompany.com, only john.smith would be used.

If the saml:NameID field contains only a user name and no @ symbol, then the SSO username will be based on your Domain Name. If your domain was sauce and the field value was john.smith, the SSO username would be sso-sauce-john.smith.

AudienceRestriction

This is a required attribute within the SAML assertion that indicates the specific users the assertion is intended for. It must be equal to the value of entityID from SauceLabs metadata based on your data center. For details, see the Single Sign-On Configuration section in Data Center Endpoints.

Configuration Information for SSO

The Signing/Encryption Certificate and Entity AssertionConsumeURLs required for configuring Sauce Labs SSO vary based on your data center. For details, see Data Center Endpoints. Here are some things to be aware of:

  • The Assertion/Issuer Name is Sauce Labs
  • Sauce Labs does not provide a staging environment for pre-integration testing of SSO
  • Single log-out is not supported, but all sessions time out after 30 minutes of inactivity