Single Sign-On
You can configure Single Sign-On (SSO) in NeoLoad Web on-premise using Security Assertion Markup Language (SAML) 2.0. Users then authenticate through your identity provider (IdP) and access NeoLoad Web without entering a separate username and password.
Before you start
Make sure your IdP is configured to support SAML-based authentication with NeoLoad Web. For specific guidance on configuring popular identity providers, check out:
To configure your IdP for SAML-based authentication with NeoLoad Web, follow these steps:
- Create a new Service Provider (SP) configuration in your IdP and assign it a unique ID.
- Set the SSO callback URL to https://<your-NLW-domain>/sso/saml
- Select a NameID format.
- Enable response and/or assertion signatures.
- If you require SP authentication:
  - Enable SP signature
  - Provide the authentication certificate
- If you require response encryption:
  - Enable response encryption
  - Provide the encryption certificate
- Include the following statement attributes in the SAML response:
  - lastName: User's last name
  - firstName: User's first name
- Export and save the SAML metadata file from your IdP.
Set up SSO in NeoLoad Web
To set up SSO in NeoLoad Web, follow these steps:
- Sign in to NeoLoad Web as an administrator.
- Go to Settings > SSO.
- Select Create.
- Select Edit Configuration and set the SP Entity ID. Note that it must match the ID from your IdP configuration.
- If you require SP request authentication, paste the signature certificate and private key in PEM format.
- If you require response encryption:
  - Paste the encryption certificate and private key in PEM format.
- Choose Force authentication if you want users to enter credentials every time they access NeoLoad Web. This depends on your IdP’s session policy.
- Select IDP Metadata and paste the SAML metadata exported from your IdP.
- Select Test SAML request generation to validate the configuration.
- Set the Activation status to Active in the header.
Note: If the configuration is invalid or incomplete, SSO will not be enabled—even if you have an Active status. The status must show green to confirm activation.
Manage SSO users
Users imported through SSO are tagged with SSO in the Source column of the user list.
These users:
- Can only sign in via SSO, not with NeoLoad Web username and password.
- Can be assigned roles, but profile data cannot be edited from within NeoLoad Web.
Session duration
By default, an SSO session remains valid for one day unless the browser is closed. After that, users must re-authenticate.
You can customize the session duration in your IdP by using the parameter SessionNotOnOrAfter and configuring the session lifetime settings.
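The following Python check is an added example, not part of NeoLoad Web or its documentation. It inspects a decoded SAML response from your IdP for the items the IdP steps and the session setting above call for: a signature element, the callback URL, the SP Entity ID as audience, a NameID, the firstName and lastName attributes, and SessionNotOnOrAfter. The domain nlw.example.com, the entity ID neoload-web-sp and the sample response are constructed, and the check is structural only: it does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, trimmed sample of a decoded response (placeholder signature element).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://nlw.example.com/sso/saml">
  <saml:Assertion>
    <ds:Signature/>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>neoload-web-sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement SessionNotOnOrAfter="2030-01-01T08:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, sp_entity_id, acs_url):
    """Return the mismatches with the IdP settings listed above (empty list = OK)."""
    resp = ET.fromstring(xml_text)
    a = resp.find("saml:Assertion", NS)
    if a is None:
        return ["no plaintext Assertion (missing, or response encryption is on)"]
    issues = []
    if resp.find("ds:Signature", NS) is None and a.find("ds:Signature", NS) is None:
        issues.append("neither Response nor Assertion is signed")
    if resp.get("Destination") != acs_url:
        issues.append("Destination is not the SSO callback URL")
    audiences = [e.text for e in a.iterfind(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        issues.append("SP Entity ID is not in the Audience list")
    if a.find("saml:Subject/saml:NameID", NS) is None:
        issues.append("no NameID in Subject")
    names = {e.get("Name") for e in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    issues += [f"attribute {n} missing" for n in ("firstName", "lastName") if n not in names]
    stmt = a.find("saml:AuthnStatement", NS)
    if stmt is None or stmt.get("SessionNotOnOrAfter") is None:
        issues.append("no SessionNotOnOrAfter on AuthnStatement")
    return issues

if __name__ == "__main__":
    print(check_response(SAMPLE, "neoload-web-sp", "https://nlw.example.com/sso/saml"))
```

To use it on a real response, base64-decode the SAMLResponse form field captured during a test login and pass the resulting XML as the first argument.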