Skip to main content
What you’ll learn
  • How to connect your IdP with OIDC or SAML 2.0
  • How the slug builds your sign-in URLs
  • How to enforce SSO and set a default role for new users
  • How to provision users automatically with SCIM
Single sign-on connects your organization to your company identity provider (Okta, Azure AD, Google Workspace, or any OIDC / SAML 2.0 IdP), so your team signs in with their existing credentials. You configure it per organization under Settings → Single Sign-On. No engineering work is needed.

Quick Reference

2 hosts to keep straight

TestDino serves its dashboard and its API on different hostnames, and the split matters for SSO:
The most common setup failure is registering an app.testdino.com URL in your IdP. Every IdP-facing URL uses api.testdino.com. Use them exactly as written, with no trailing slash and no typos.
On a dedicated or custom domain, replace api.testdino.com with the API host your TestDino account team gave you.

Before you start

  • An Owner or Admin account. Only Owners and Admins see the Single Sign-On tab.
  • SSO enabled on your plan. The tab appears only for SSO-entitled organizations, so contact support@testdino.com if it is missing.
  • IdP admin access to create an app integration.
  • An organization key you pick in TestDino, such as acme.

How it fits together

SSO coordinates 2 systems that must agree on the same URLs:
  1. Your IdP: the app and who may use it.
  2. TestDino (Settings → Single Sign-On): the IdP address, signing material, and policy.
The link is your organization key (lowercase letters, digits, and hyphens, such as acme). Pick it first and use the exact same value on both sides. TestDino builds every URL from it.
The callback or ACS URL you register in your IdP must match the organization key saved in TestDino, with no trailing slash and no typos. A mismatch is the most common reason sign-in fails. Pick the key first, then use it on both sides.

Configure SSO

1

Open the SSO settings

Go to Settings → Single Sign-On. You see 2 cards:
  • Single sign-on holds the protocol and IdP config.
  • SCIM provisioning holds the token. It stays disabled until you save an SSO config.
No tab means you are not an admin, or the organization is not SSO-entitled.
2

Pick a protocol and organization key

Enter your organization key before you set up the IdP. It becomes part of every sign-in URL, so changing it later breaks existing links.
3

Configure your identity provider

Create an app in your IdP, copy its values into TestDino, then save. The fields below use Okta as the example. Azure AD and Google Workspace use the same fields under different menu names.
In your IdP, create an OIDC web app with the Authorization Code grant type, set the sign-in redirect URI, and assign your users.Okta path: Applications → Create App Integration → OIDC / Web Application, set the redirect URI, then open Assignments and save.Set the redirect URI to:
In TestDino, paste the Issuer, Client ID, and Client secret. The secret is encrypted at rest and never shown again.
If Okta returns “Policy evaluation failed”, add an access policy: Security → API → Authorization Servers → default → Access Policies, then add a policy and rule that allows the Authorization Code grant for your assigned users.
4

Set enforcement and a default role

  • Require SSO for these domains blocks password sign-in for any email on those domains and sends those users to your IdP. At least one domain is required when this is on.
  • Default role is the role assigned on a user’s first SSO sign-in. Member is typical, and Admins can change it later.

Save and test

Click Save changes. The status badge shows Configured · OIDC or Configured · SAML. Test in an incognito window:
1

Start the sign-in

Open https://app.testdino.com/auth/sso, enter a work email on an SSO-enabled domain, and click Continue. The direct link https://api.testdino.com/api/auth/sso/<your-org-key>/login also works and skips email discovery.
2

Sign in at your IdP

Complete the login with your IdP credentials.
3

Confirm the result

You return signed in, and the user appears in your organization.
Just-in-time (JIT) provisioning: The first SSO sign-in creates the account, assigns the default role, and adds it to the matching-domain organization. Later sign-ins reuse the same account.

How your team signs in

Once SSO is active, your team has 3 ways to sign in:
  • Email discovery at https://app.testdino.com/auth/sso. The user enters their work email under Continue with SSO, and TestDino routes them to the matching organization’s IdP. The Continue with SSO button on the main login page (app.testdino.com/auth/login) opens this same page.
  • IdP app tile in your identity provider (IdP-initiated).
  • Direct link to https://api.testdino.com/api/auth/sso/<your-org-key>/login, which skips email discovery and starts your org’s IdP login.

Set up SCIM provisioning

SCIM provisions TestDino users from your IdP automatically: create, update, and deactivate. Save an SSO config first, then generate a token in the SCIM card. The token is shown once. Configure your IdP’s provisioning with these values: In Okta, a custom app does not show a SCIM toggle. Add the prebuilt SCIM 2.0 Test App (Header Auth) from the catalog, open Provisioning → Configure API Integration, enable it, enter the base URL and token, test the credentials, then enable Create, Update, and Deactivate under “To App” and assign users.

What each SCIM action does

Every change you make in your IdP maps to one action in TestDino. The table below shows what each one does.

Day-2 operations

Once SSO is live, these are the routine tasks for keeping it running and rotating credentials.

Troubleshooting

Most SSO failures trace to a mismatch between your IdP and the values saved in TestDino. Match your error message to the row below.
Seat limits apply to new users only. A net-new SSO sign-in or SCIM create is blocked when the org is at its limit, but existing members signing in again are never blocked.

Users, Roles & Permissions

Understand the roles a new SSO user can receive.

Organization Settings

Manage your organization profile and ownership.

Security & Compliance

Review how TestDino handles credentials and customer data.

Generate API Keys

Create keys for CLI uploads and integrations.