All Collections
Integrations in MaestroQA
SAML SSO (Single Sign On) Integration Details
SAML SSO (Single Sign On) Integration Details
Robby Dunigan avatar
Written by Robby Dunigan
Updated over a week ago

Introduction

MaestroQA currently integrates with Okta, One Login, Jump Cloud, Duo, ADFS, Azure SAML, and Google SAML for JIT user provisioning and SSO. We also support integration with other SSO solutions so long as they support creation of custom applications. If you have questions on if your solution is supported, please reach out to your MaestroQA account representative.

The steps below outline what is required to establish SAML SSO based on your SSO provider. For providers that are not listed, there are generic credentials that can be entered. If the steps below do not cover your solution and you’re getting stuck, reach out to your MaestroQA account representative and they can assist with troubleshooting.

Configuring the Initial Connection

Okta

Within Okta, download the MaestroQA application (not the one containing Enterprise). Once downloaded, Navigate to Sign On -> SAML Signing Certificates -> Actions -> View IDP Metadata. Share the web URL (or the full XML file) with your MaestroQA account representative.

OneLogin

Within OneLogin, download the MaestroQA application. Provide the XML Metadata web URL (or the full XML file) to your MaestroQA account representative.

Jump Cloud

Within Jump Cloud, download the MaestroQA application. Provide the XML Metadata web URL (or the full XML file) to your MaestroQA account representative.

Azure

Within Azure, follow the below steps:

  1. Select Create your own application

  2. Name the application (MaestroQA is recommended)

    1. Select the Integrate any other application you don’t find in the gallery (Non-gallery) option

  3. Under Getting Started, select 2. Set up single sign on

  4. Select SAML

  5. In Basic SAML Configuration, enter the following information (no other fields are required)

    1. Identifier (Entity ID) - https://app.maestroqa.com/ AND https://app.maestroqa.com/sso/metadata

      1. EU based instances - https://app.eu.maestroqa.com/ AND https://app.eu.maestroqa.com/sso/metadata

    2. Reply URL - https://app.maestroqa.com/sso/acs

      1. EU based instances - https://app.eu.maestroqa.com/sso/acs

  6. In SAML Signing Certificate, copy the App Federation Metadata URL and send this to your MaestroQA account representative

Google SAML

Within Google SAML, follow the below steps:

  1. Within the Admin view, Select Add app -> Add custom SAML app

  2. Within App Details, name the application (MaestroQA is recommended)

    1. Your MaestroQA contact can provide you with a logo if you'd like to set an App Icon

  3. Within Service Provider Details, enter the following information

    1. ACS URL: https://app.maestroqa.com/sso/acs

      1. EU based instances - https://app.eu.maestroqa.com/sso/acs

    2. Entity ID: https://app.maestroqa.com/sso/metadata

      1. EU based instances - https://app.eu.maestroqa.com/sso/metadata

    3. Name ID format: EMAIL

    4. Name ID: Basic Information > Primary Email

  4. Within Attribute mapping, if It requires you to enter an attribute before proceeding, add a simple one (like first name)

  5. On the page for the new application, select Download Metadata. On the ensuing screen, select Download Metadata again and send this to your MaestroQA account representative

All Other SSO Providers

Your provider will ask you for a few things from MaestroQA, which we provide in the setup process if non-standard, but for most SAML providers will be:

Different IDPs store records of your employees differently. The only attribute mapping we require is to make sure you’re sending email which you provide in the path to email attribute.

Once you’ve entered the required details, provide the XML Metadata web URL to your MaestroQA account representative.

Provider Agnostic Notes

  • Make sure you’ve enabled “send all attributes” if applicable for your SSO provider

  • No RelayState is required. This is also sometimes called Target

Testing the Integration

Once you’ve shared the XML Metadata web URL (or full file) with your MaestroQA account representative, they will work with the MaestroQA engineering team to complete the integration. Once that is completed, they will reach back out and instruct you to test the integration by provisioning a user access to the MaestroQA application within your SSO solution. If a user is able to access MaestroQA via the SSO application, the integration is complete! If there are any issues or errors experienced, your MaestroQA account representative will help you troubleshoot.

SAML Integration FAQs

Do you support limiting MaestroQA access to SSO only?

Yes, we can configure your instance to only allow users to access the tool through the SSO solution. To do so, go to the Other Settings Page and scroll down until you see the following settings,

Once enabled like so, only access through the SSO solution will be possible for User Accounts. If you do not see these settings, contact your Customer Success Manager or Account Manager once the integration is completed to be provided access.

Do your integrations with SSO Solutions inherently support SCIM?

Only our integration with Okta supports native SCIM. You can read more about the setup here.

If you'd like to pass user information via SCIM for other solutions, you'll need to set up a separate API process. You can read more about the setup here.

Do you support automatic user de-provisioning?

We recommend enforcing inherent account lockout through SSO by enforcing that users can only log in via SSO. This means that you can control who has access to MaestroQA via your SSO solution. If you have a requirement to formally de-provision accounts in MaestroQA, this can be achieved via SCIM.

Can you share the MaestroQA Metadata XML file?

https://app.maestroqa.com/sso/metadata

What happens when the SSO certificate is due to expire?

If you see your SSO certificate is going to expire reach out to your Customer Success Manager, Account Manager or via the Live Chat and provide a new XML Metadata URL or file for us to re-point the configuration against.

Did this answer your question?