MaestroQA currently integrates with Okta, One Login, Jump Cloud, Duo, ADFS, Azure SAML, and Google SAML for JIT user provisioning and SSO. We also support integration with other SSO solutions so long as they support creation of custom applications. If you have questions on if your solution is supported, please reach out to your MaestroQA account representative.

The steps below outline what is required to establish SAML SSO based on your SSO provider. For providers that are not listed, there are generic credentials that can be entered. If the steps below do not cover your solution and you’re getting stuck, reach out to your MaestroQA account representative and they can assist with troubleshooting.

Within Okta, download the MaestroQA application (not the one containing Enterprise). Once downloaded, Navigate to Sign On -> SAML Signing Certificates -> Actions -> View IDP Metadata.

Once you have the XML, navigate to the SAML Integration page in MaestroQA (requires Admin access) and input your email domain, SAML provider, and attach the XML file.

Within OneLogin, download the MaestroQA application.

See the second step listed under "Okta" to check how to upload the XML into MaestroQA.

Within Jump Cloud, download the MaestroQA application.

See the second step listed under "Okta" to check how to upload the XML into MaestroQA.

Within Azure, follow the below steps:

Within Google SAML, follow the below steps:

NOTE - If you receive 403 errors when attempting to use "Sign in with SAML" with from the MaestroQA Log in page, ensure there are no spaces in your ACS URL and Entity ID!

Your provider will ask you for a few things from MaestroQA, which we provide in the setup process if non-standard, but for most SAML providers will be:

Different IDPs store records of your employees differently. The only attribute mapping we require is to make sure you’re sending email which you provide in the path to email attribute.

Once you’ve entered the required details, see the second step listed under "Okta" to check how to upload the XML into MaestroQA.

Once you complete the integration, you can test the integration by provisioning a user access to the MaestroQA application within your SSO solution. If a user is able to access MaestroQA via the SSO application, the integration is complete! If there are any issues or errors experienced, your MaestroQA account representative will help you troubleshoot.

Yes, we can configure your instance to only allow users to access the tool through the SSO solution. To do so, go to the Other Settings Page and scroll down until you see the following settings,

Once enabled like so, only access through the SSO solution will be possible for User Accounts. If you do not see these settings, contact your Customer Success Manager or Account Manager once the integration is completed to be provided access.

Only our integration with Okta supports native SCIM. You can read more about the setup here.

If you'd like to pass user information via SCIM for other solutions, you'll need to set up a separate API process. You can read more about the setup here.

We recommend enforcing inherent account lockout through SSO by enforcing that users can only log in via SSO. This means that you can control who has access to MaestroQA via your SSO solution. If you have a requirement to formally de-provision accounts in MaestroQA, this can be achieved via SCIM.

https://app.maestroqa.com/sso/metadata

If you see your SSO certificate is going to expire, you can follow the steps in this help article to upload the new certificate. You will need to disable the old integration prior to adding the new one.