Introduction
MaestroQA currently integrates with Okta, OneLogin, JumpCloud, Duo, ADFS, Azure SAML, and Google SAML for JIT user provisioning, SCIM, and SSO. We also support integration with other SSO solutions as long as they support the creation of custom applications. If you have questions about whether your solution is supported, please reach out to your MaestroQA account representative.
The steps below outline what is required to establish SAML SSO based on your SSO provider. For providers that are not listed, there are generic credentials that can be entered. If the steps below do not cover your solution and you’re getting stuck, reach out to your MaestroQA account representative and they can assist with troubleshooting.
Configuring the Initial Connection
Okta
Within Okta, download the MaestroQA application (not the one containing Enterprise). Once downloaded, navigate to Sign On -> SAML Signing Certificates -> Actions -> View IDP Metadata. Share the web URL (or the full XML file) with your MaestroQA account representative.
OneLogin
Within OneLogin, download the MaestroQA application. Provide the XML Metadata web URL (or the full XML file) to your MaestroQA account representative.
JumpCloud
Within JumpCloud, download the MaestroQA application. Provide the XML Metadata web URL (or the full XML file) to your MaestroQA account representative.
Azure
Within Azure, follow the below steps:
1. Select Create your own application.
2. Name the application (MaestroQA is recommended).
3. Select the Integrate any other application you don’t find in the gallery (Non-gallery) option.
4. Under Getting Started, select 2. Set up single sign on.
5. Select SAML.
6. In Basic SAML Configuration, enter the following information (no other fields are required):
   - Identifier (Entity ID): https://app.maestroqa.com/
     EU-based instances: https://app.eu.maestroqa.com/
   - Reply URL: https://app.maestroqa.com/sso/acs
     EU-based instances: https://app.eu.maestroqa.com/sso/acs
7. In SAML Signing Certificate, copy the App Federation Metadata URL and send this to your MaestroQA account representative.
Google SAML
Within Google SAML, follow the below steps:
1. Within the Admin view, select Add app -> Add custom SAML app.
2. Within App Details, name the application (MaestroQA is recommended).
   - Your MaestroQA contact can provide you with a logo if you'd like to set an App Icon.
3. Within Service Provider Details, enter the following information:
   - ACS URL: https://app.maestroqa.com/sso/acs
     EU-based instances: https://app.eu.maestroqa.com/sso/acs
   - Entity ID: https://app.maestroqa.com/sso/metadata
     EU-based instances: https://app.eu.maestroqa.com/sso/metadata
   - Name ID format: EMAIL
   - Name ID: Basic Information > Primary Email
4. Within Attribute mapping, if it requires you to enter an attribute before proceeding, add a simple one (like first name).
5. On the page for the new application, select Download Metadata. On the ensuing screen, select Download Metadata again and send this to your MaestroQA account representative.
All Other SSO Providers
Your provider will ask you for a few values from MaestroQA. We provide these during the setup process if they are non-standard, but for most SAML providers they will be:
- Single Sign On URL: https://app.maestroqa.com/sso/acs
  EU-based instances: https://app.eu.maestroqa.com/sso/acs
- Audience URL: https://app.maestroqa.com/sso/acs
  EU-based instances: https://app.eu.maestroqa.com/sso/acs
- Recipient URL (optional): https://app.maestroqa.com/sso/acs
  EU-based instances: https://app.eu.maestroqa.com/sso/acs
- Destination URL (optional): https://app.maestroqa.com/sso/acs
  EU-based instances: https://app.eu.maestroqa.com/sso/acs
Different IDPs store records of your employees differently. The only attribute mapping we require is email: make sure you’re sending it, and provide the path to the email attribute.
Once you’ve entered the required details, provide the XML Metadata web URL to your MaestroQA account representative.
Provider Agnostic Notes
Make sure you’ve enabled “send all attributes” if applicable for your SSO provider.
No RelayState is required. This is also sometimes called Target.
Testing the Integration
Once you’ve shared the XML Metadata web URL (or full file) with your MaestroQA account representative, they will work with the MaestroQA engineering team to complete the integration. Once that is completed, they will reach back out and instruct you to test the integration by provisioning a user access to the MaestroQA application within your SSO solution. If a user is able to access MaestroQA via the SSO application, the integration is complete! If there are any issues or errors experienced, your MaestroQA account representative will help you troubleshoot.
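When a test login fails, a quick first check is to compare the decoded SAML Response (for example, as captured by a browser SAML tracing extension) against the values listed under All Other SSO Providers. The script below is an added example, not MaestroQA's own code; the function name, the sample response, and the "@" heuristic for finding the email are assumptions, and it checks configuration values only, not signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# ACS URLs listed under "All Other SSO Providers", keyed by region.
ACS = {"us": "https://app.maestroqa.com/sso/acs",
       "eu": "https://app.eu.maestroqa.com/sso/acs"}

def check_response(xml_text, region="us", audience=None):
    """List mismatches between a decoded SAML Response and the page's values.
    `audience` overrides the expected Audience where the page lists a
    different Entity ID (Azure, Google). Signatures are not verified."""
    acs = ACS[region]
    audience = audience or acs
    root = ET.fromstring(xml_text)
    problems = []
    # Destination and Recipient are optional, so only flag them when present.
    dest = root.get("Destination")
    if dest is not None and dest != acs:
        problems.append(f"Destination {dest} != {acs}")
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        rcpt = scd.get("Recipient")
        if rcpt is not None and rcpt != acs:
            problems.append(f"Recipient {rcpt} != {acs}")
    audiences = [a.text.strip()
                 for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"Audience {audiences} lacks {audience}")
    # Email may arrive as the NameID or as a mapped attribute (heuristic: "@").
    values = [e.text for tag in ("NameID", "AttributeValue")
              for e in root.iterfind(f".//saml:{tag}", NS) if e.text]
    if not any("@" in v for v in values):
        problems.append("no email found in NameID or attributes")
    return problems

# Constructed sample: an EU-based instance whose IdP app kept the US Recipient.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://app.eu.maestroqa.com/sso/acs"><saml:Assertion>
  <saml:Subject><saml:NameID>user-1042</saml:NameID><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://app.maestroqa.com/sso/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://app.eu.maestroqa.com/sso/acs</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for problem in check_response(SAMPLE, region="eu"):
        print("MISMATCH:", problem)
```

For Azure or Google, pass the Entity ID from that provider's section as `audience`, since the page lists a different value there than the generic Audience URL.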
SAML Integration FAQs
Do you support limiting MaestroQA access to SSO only?
Yes, we can configure your instance to only allow users to access the tool through the SSO solution. Your MaestroQA account representative will enable this on your behalf once the integration is complete.
Do you support automatic user de-provisioning?
We recommend handling account lockout through SSO by enforcing that users can only log in via SSO. This means that you control who has access to MaestroQA via your SSO solution. If you have a requirement to formally de-provision accounts in MaestroQA, this can be achieved via SCIM. Contact your MaestroQA account representative if you are interested in setting up SCIM workflows.