Set up SSO
The person configuring SSO must have the following permissions:QA Wolf permissions
Identity provider permissions
The administrator must be able to:- Verify your organization domain, such as by adding a TXT record.
- Create applications in the identity provider.
- Configure SAML or OIDC authentication settings.
- Assign users or groups to applications.
Information needed for setup
Depending on your identity provider, you may need:- Identity provider metadata URL
- Issuer URL
- X.509 signing certificate
- ACS URL
- Audience / Entity ID
- Redirect or callback URL
Verify your email domain
You can only set up SSO for verified email domains. In other words, you need to prove you own the domain name. As the SSO Admin:- Sign in to QA Wolf.
- Navigate to Workspace Settings → Organization.
- In the Domain Verification section, click Add domain.
Open the SSO settings page
As the SSO Admin:- Sign in to QA Wolf.
- Navigate to Workspace Settings → Organization.
- Click Set up SSO.
Create an application in your identity provider
In your identity provider:- Create a new application for QA Wolf.
- Select SAML or OIDC authentication.
- Enter the configuration values provided in the QA Wolf SSO settings page.
| Setting | Description |
|---|---|
| ACS URL | Endpoint that receives authentication responses |
| Audience / Entity ID | Identifier used to verify the QA Wolf application |
| Redirect / Callback URL | URL users return to after authentication |
Enter identity provider details in QA Wolf
After creating the application in your identity provider, return to the QA Wolf SSO settings page and enter the details provided by your identity provider. Typical configuration fields include:| Setting | Description |
|---|---|
| Issuer URL | Unique identifier for your identity provider |
| Metadata URL | URL where QA Wolf retrieves your identity provider’s configuration |
| X.509 Certificate | Certificate used to verify tokens from your identity provider |
| Login URL | Endpoint where QA Wolf sends authentication requests |
Test login
Before enabling access for your entire organization, test SSO with a single admin user.
Testing with one admin helps catch configuration issues before enabling access for additional users.
Account matching
When a user signs in with SSO, QA Wolf matches the user to an existing account using their email address. The email provided by your identity provider must exactly match the email associated with the user’s QA Wolf account. If the email addresses do not match, the user may not be able to access the workspace. Before enabling SSO broadly, confirm that user email addresses match between your identity provider and QA Wolf.Sign in with SSO
Enter your email address and click Continue
Based on the domain name of the email they enter, users automatically begin the SSO flow for their identity provider.
Authenticate with the identity provider
Users authenticate using their organization’s identity provider.
Troubleshooting
I do not see the SSO setup page
Confirm that:- You have been granted the SSO Admin role by a user with the Membership Manager role.
- You signed out of QA Wolf and signed back in after your role was updated.
A user cannot sign in
Check that:- The user is assigned to the QA Wolf application.
- The user is signing in with the correct email address.
- The SSO configuration has been saved.
Authentication fails
Verify that the following values match between QA Wolf and your identity provider:- ACS URL
- Audience / entity ID
- Issuer
- Login URL
- Certificate