What you’ll learn
- How to connect your IdP with OIDC or SAML 2.0
- How the slug builds your sign-in URLs
- How to enforce SSO and set a default role for new users
- How to provision users automatically with SCIM
Quick Reference
2 hosts to keep straight
TestDino serves its dashboard and its API on different hostnames, and the split matters for SSO:
On a dedicated or custom domain, replace
api.testdino.com with the API host your TestDino account team gave you.
Before you start
- An Owner or Admin account. Only Owners and Admins see the Single Sign-On tab.
- SSO enabled on your plan. The tab appears only for SSO-entitled organizations, so contact support@testdino.com if it is missing.
- IdP admin access to create an app integration.
- An organization key you pick in TestDino, such as
acme.
How it fits together
SSO coordinates 2 systems that must agree on the same URLs:- Your IdP: the app and who may use it.
- TestDino (Settings → Single Sign-On): the IdP address, signing material, and policy.
acme). Pick it first and use the exact same value on both sides. TestDino builds every URL from it.
Configure SSO
1
Open the SSO settings
Go to Settings → Single Sign-On. You see 2 cards:
- Single sign-on holds the protocol and IdP config.
- SCIM provisioning holds the token. It stays disabled until you save an SSO config.
2
Pick a protocol and organization key
Enter your organization key before you set up the IdP. It becomes part of every sign-in URL, so changing it later breaks existing links.
3
Configure your identity provider
Create an app in your IdP, copy its values into TestDino, then save. The fields below use Okta as the example. Azure AD and Google Workspace use the same fields under different menu names.
- OIDC
- SAML 2.0
In your IdP, create an OIDC web app with the Authorization Code grant type, set the sign-in redirect URI, and assign your users.Okta path: Applications → Create App Integration → OIDC / Web Application, set the redirect URI, then open Assignments and save.Set the redirect URI to:
In TestDino, paste the Issuer, Client ID, and Client secret. The secret is encrypted at rest and never shown again.
If Okta returns “Policy evaluation failed”, add an access policy: Security → API → Authorization Servers → default → Access Policies, then add a policy and rule that allows the Authorization Code grant for your assigned users.
4
Set enforcement and a default role
- Require SSO for these domains blocks password sign-in for any email on those domains and sends those users to your IdP. At least one domain is required when this is on.
- Default role is the role assigned on a user’s first SSO sign-in. Member is typical, and Admins can change it later.
Save and test
Click Save changes. The status badge shows Configured · OIDC or Configured · SAML. Test in an incognito window:1
Start the sign-in
Open
https://app.testdino.com/auth/sso, enter a work email on an SSO-enabled domain, and click Continue. The direct link https://api.testdino.com/api/auth/sso/<your-org-key>/login also works and skips email discovery.2
Sign in at your IdP
Complete the login with your IdP credentials.
3
Confirm the result
You return signed in, and the user appears in your organization.
How your team signs in
Once SSO is active, your team has 3 ways to sign in:- Email discovery at
https://app.testdino.com/auth/sso. The user enters their work email under Continue with SSO, and TestDino routes them to the matching organization’s IdP. The Continue with SSO button on the main login page (app.testdino.com/auth/login) opens this same page. - IdP app tile in your identity provider (IdP-initiated).
- Direct link to
https://api.testdino.com/api/auth/sso/<your-org-key>/login, which skips email discovery and starts your org’s IdP login.
Set up SCIM provisioning
SCIM provisions TestDino users from your IdP automatically: create, update, and deactivate. Save an SSO config first, then generate a token in the SCIM card. The token is shown once. Configure your IdP’s provisioning with these values:
In Okta, a custom app does not show a SCIM toggle. Add the prebuilt SCIM 2.0 Test App (Header Auth) from the catalog, open Provisioning → Configure API Integration, enable it, enter the base URL and token, test the credentials, then enable Create, Update, and Deactivate under “To App” and assign users.
What each SCIM action does
Every change you make in your IdP maps to one action in TestDino. The table below shows what each one does.Day-2 operations
Once SSO is live, these are the routine tasks for keeping it running and rotating credentials.Troubleshooting
Most SSO failures trace to a mismatch between your IdP and the values saved in TestDino. Match your error message to the row below.Seat limits apply to new users only. A net-new SSO sign-in or SCIM create is blocked when the org is at its limit, but existing members signing in again are never blocked.
Related
Users, Roles & Permissions
Understand the roles a new SSO user can receive.
Organization Settings
Manage your organization profile and ownership.
Security & Compliance
Review how TestDino handles credentials and customer data.
Generate API Keys
Create keys for CLI uploads and integrations.