This guide walks you through configuring SAML-based Single Sign-On between Okta and BetaTesting. By the end of this process, your team members will be able to log in to BetaTesting using their Okta credentials.
Looking for SCIM provisioning too? If you also want automated user provisioning, complete this SSO guide first, then follow our Set Up SCIM with Okta guide. SCIM requires a SAML-based integration in Okta.
Prerequisites
Administrator access to your Okta admin console
An Enterprise plan on BetaTesting with the SSO feature
Your BetaTesting account manager's contact information
Your company has a subdomain set in BetaTesting
Overview
The setup involves a back-and-forth exchange between you and BetaTesting:
You create a SAML app in Okta and share the metadata with BetaTesting
BetaTesting configures the connection and provides you with two values to complete the setup
You update your Okta app with those values
Both sides test the login
Step 1: Create a SAML Application in Okta
Log in to your Okta admin console
Go to Applications > Applications
Click Create App Integration
Select SAML 2.0 as the sign-in method
Click Next
General Settings
Enter an App name (e.g., BetaTesting SSO)
Optionally upload an app logo
Click Next
SAML Settings
For the initial setup, you'll use placeholder values that BetaTesting will replace later. If your account manager has already provided your ACS URL and Entity ID, enter those instead and you can skip Step 4 below (Update Your Okta App with BetaTesting's Values).
Enter these temporary values:
Single sign-on URL: https://placeholder.betatesting.com (you will update this later in the process in Step 4 - Update Your Okta App with BetaTesting's Values)
Check Use this for Recipient URL and Destination URL
Audience URI (SP Entity ID): https://placeholder.betatesting.com (you will update this later in the process in Step 4 - Update Your Okta App with BetaTesting's Values)
Name ID format: Unspecified
Application username: Email
Feedback
On the Feedback tab, just click Finish. You will be redirected to the newly created connection page.
Attribute Statements
On the connection's Sign On tab:
1. Head to the Attribute statements section
2. Add the following attribute statements by clicking the "Add expression" button:
Name | Value |
|
|
|
|
3. Expand the "Show legacy configuration" dropdown, then click "Edit"
4. On the "Group attribute statements" section, add a statement as follows:
Group Attribute Statements (for role mapping)
If you want BetaTesting to automatically assign roles based on your Okta groups:
Add a Group Attribute Statement:
Name: groups
Name Format: unspecified
Filter: Starts with
Value: BetaTesting
NOTE: this assumes your Okta group structure has specific groups for BetaTesting (e.g. 'BetaTesting Admin', 'BetaTesting Support'). Feel free to customize this filter to only send relevant groups with SAML assertions so we can properly handle role mapping.
This sends group memberships in the SAML assertion, allowing BetaTesting to map Okta groups to BetaTesting roles. See SSO Role Mapping & Permissions for details.
Click Next, then Finish
Step 2: Collect Your IdP Metadata
After creating the app:
1. On the app's Sign On tab, click View SAML setup instructions or go to the Metadata section
2. Collect the following three values:
Identity Provider Single Sign-On URL (e.g., https://your-org.okta.com/app/xxxxx/sso/saml)
Identity Provider Issuer (e.g., http://www.okta.com/exkXXXXXXXX)
X.509 Certificate - download the certificate file
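An added example, not part of the original guide and not Okta's or BetaTesting's code: it reads the three Step 2 values from an IdP metadata XML document and computes the certificate's SHA-256 fingerprint, which can be compared on both sides when the certificate is handed over. The sample metadata is constructed, its certificate body is a stand-in rather than a real certificate, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata. The certificate body is a stand-in ("abc"
# in base64), not a real certificate; the URLs reuse the guide's placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exkXXXXXXXX">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-org.okta.com/app/xxxxx/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sha256_fingerprint(der):
    """Colon-separated, upper-case SHA-256 of the certificate's DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def idp_values(metadata_xml):
    """Return the SSO URL, issuer and certificate fingerprint from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(
        f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{POST}']", NS)
    certs = root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    # Assumption: exactly one certificate is expected; more than one is ambiguous.
    if sso is None or len(certs) != 1:
        raise ValueError("expected one HTTP-POST SSO endpoint and one certificate")
    if not sso.get("Location", "").lower().startswith("https://"):
        raise ValueError("SSO URL is not HTTPS")
    der = base64.b64decode("".join(certs[0].text.split()))
    return {"sso_url": sso.get("Location"), "issuer": root.get("entityID"),
            "cert_sha256": sha256_fingerprint(der)}
```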
Step 3: Set up the SSO Connection in BetaTesting
In BetaTesting, go to your company's Integrations page, then open the Single Sign-On tab and start the setup wizard.
The wizard has four steps:
1. Provider
Identity provider: Select Okta.
IdP Sign-On URL: paste the Identity Provider Single Sign-On URL you collected in Step 2. (Optional field - if you leave it blank, BetaTesting will email you for it.)
Group claim name: leave as groups (this must match the Name of the group attribute statement you set in Step 1).
2. Access
Allowed email domains: enter the email domain(s) your users sign in with (comma-separated), e.g. acme.com. Must share the root of your claimed subdomain.
Default role: choose the role new SSO users land on (tester, readonly, support, or admin).
3. Roles (optional, for group-based role mapping)
See the article on SSO Role Mappings and Permissions for how to configure role mapping
Map each Okta group claim value to a BetaTesting role. With the Starts with BetaTesting filter from Step 1, the values you map are the full group names, e.g. BetaTesting Admins → Company Admin.
4. Review
Confirm the summary and click Submit setup
After submitting, your connection shows status Awaiting setup. BetaTesting has your details and is building the connection (usually within one business day). Your BetaTesting account manager will reach out with details and ask you to securely provide the X.509 Certificate you downloaded in Step 2 above (Collect Your IdP Metadata).
Step 4: Update Your Okta App with BetaTesting's Values
Once BetaTesting configures the connection on their side, your account manager will provide you with two values:
Assertion Consumer Service URL (also called the Single sign-on URL)
Entity ID (also called the Audience URI / SP Entity ID)
To update your Okta app:
Go back to your BetaTesting SAML app in Okta
Go to the General tab > SAML Settings > Edit
Click Next to get to the SAML configuration screen
Update:
Single sign-on URL: paste the Assertion Consumer Service URL from BetaTesting
Audience URI (SP Entity ID): paste the Entity ID from BetaTesting
Click Next, then Finish
Step 5: Assign Users
Before users can log in via SSO, they must be assigned to the app in Okta:
In your BetaTesting SAML app, go to the Assignments tab
Click Assign > Assign to People (or Assign to Groups)
Select the users or groups who should have BetaTesting access
Click Assign, then Done
Reminder: if you're using group-based role mapping, assign the BetaTesting-prefixed groups here so their membership flows through.
Step 6: Enable the SSO Connection in BetaTesting
Once BetaTesting confirms provisioning is complete, the Enable toggle appears on your SSO connection detail page (Integrations → SSO).
Go to Integrations → Single Sign-On and open your connection.
Flip the Enable toggle on.
The status moves from Awaiting setup / Draft to Live.
Step 7: Test SSO Login
Coordinate with your BetaTesting account manager to test the connection:
Your account manager will provide you with an SSO login link specific to your organization
Open the link in a browser (use an incognito/private window for clean testing)
You should be redirected to Okta's login page
Log in with an Okta user who is assigned to the BetaTesting app
After authentication, you should be redirected back to BetaTesting and logged in
What to verify:
The user lands on the correct BetaTesting page after login
If this is a new user, their BetaTesting account was created automatically
If you configured group attribute statements, the user's role matches their Okta group membership
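An added example, not BetaTesting's or Okta's code: a check you can run over a decoded SAML response captured during the Step 7 test. It flags leftover Step 1 placeholder URLs, a NameID outside the allowed email domains, and `groups` values that do not start with BetaTesting or have no role mapping. The sample response, acme.com and the Entity ID are constructed, and the input is assumed to be already base64-decoded XML.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PLACEHOLDER = "https://placeholder.betatesting.com"  # temporary value from Step 1

# Constructed sample: a decoded SAMLResponse with signature elements omitted.
# acme.com and the Entity ID are made-up values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://placeholder.betatesting.com">
  <saml:Assertion>
    <saml:Subject><saml:NameID>dana@acme.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/entity</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>BetaTesting Admins</saml:AttributeValue>
        <saml:AttributeValue>Everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_assertion(xml_text, allowed_domains, mapped_groups, claim="groups"):
    """Return a list of findings; an empty list means the checks passed."""
    # Configuration check only: it does not verify the XML signature.
    root = ET.fromstring(xml_text)
    findings = []
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS)
    for label, value in (("Destination", root.get("Destination", "")),
                         ("Audience", audience)):
        if value.startswith(PLACEHOLDER):
            findings.append(f"{label} still uses the Step 1 placeholder")
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
    domain = name_id.rpartition("@")[2].lower()
    if "@" not in name_id or domain not in allowed_domains:
        findings.append(f"NameID {name_id!r} is not in an allowed email domain")
    groups = [v.text.strip() for v in root.iterfind(
        f".//saml:Attribute[@Name='{claim}']/saml:AttributeValue", NS) if v.text]
    if not groups:
        findings.append(f"no {claim!r} attribute values in the assertion")
    for g in groups:
        if not g.startswith("BetaTesting"):
            findings.append(f"group {g!r} does not start with 'BetaTesting'")
        elif g not in mapped_groups:
            findings.append(f"group {g!r} has no role mapping")
    return findings
```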
What BetaTesting Configures
For transparency, here's what the BetaTesting team sets up on their side during this process:
Enterprise SAML connection - Using your IdP metadata (SSO URL, certificate, issuer), BetaTesting creates an enterprise SAML connection that establishes the trust relationship
SSO connection record - Links the SAML connection to your company account, with your allowed email domain(s) and a default role
Role mappings (if requested) - Maps your Okta group names to BetaTesting roles (e.g., "Admins" group -> Company Admin role). See SSO Role Mapping & Permissions
Testing - BetaTesting verifies the connection works correctly before confirming setup is complete
Next Steps
Set up SCIM provisioning: If you want automated user provisioning, see Set Up SCIM with Okta
Configure role mappings: To map Okta groups to BetaTesting roles, see SSO Role Mapping & Permissions
Troubleshooting: If you encounter issues during setup, see SSO/SCIM FAQ & Troubleshooting












