Single Sign-On

You can configure Single Sign-On (SSO) in NeoLoad Web on-premise using Security Assertion Markup Language (SAML) 2.0. This lets you authenticate through your identity provider (IdP) and access NeoLoad Web without entering a separate username and password.

Before you start

Make sure your IdP is configured to support SAML-based authentication with NeoLoad Web. For specific guidance on configuring popular identity providers, check out:

• Configure SSO with Microsoft Entra ID.

• Configure SSO with Okta.

To configure your IdP for SAML-based authentication with NeoLoad Web, follow these steps:

1. Create a new Service Provider (SP) configuration in your IdP and assign it a unique ID.

2. Set the SSO callback URL to https://<your-NLW-domain>/sso/saml.

3. Select a NameID format.

4. Enable response and/or assertion signatures.

5. If you require SP authentication, enable SP signature and provide the authentication certificate.

6. If you require response encryption, enable response encryption and provide the encryption certificate.

7. Include the following statement attributes in the SAML response: lastName (user's last name) and firstName (user's first name).

8. Export and save the SAML metadata file from your IdP.

Set up SSO in NeoLoad Web

The SSO configuration page guides you through a multi-step setup process. A Configuration overview sidebar tracks your progress and shows which sections are complete.

To set up SSO in NeoLoad Web, follow these steps:

1. Sign in to NeoLoad Web as an administrator and go to Settings > SSO configuration.

2. In the Service provider configuration section, configure the following:

   • Service provider entity ID: Enter a unique ID that matches your IdP configuration.

   • Require service provider authentication: Enable if you require SP request authentication, then provide the Request signature private key and Request signature certificate in PEM format.

   • Require response encryption: Enable if you require encrypted responses.

   • Always require authentication: Enable to force users to enter credentials every time, even if already authenticated.

   • Advanced settings: Optionally expand to configure the Name ID format.

3. Select Save to save the service provider configuration.

4. Select Generate SP metadata to create the metadata your IdP needs to configure SSO.

5. In the Identity provider metadata section, select Edit IdP metadata and paste the SAML metadata exported from your IdP.

6. Select Test SAML request generation to validate the configuration. A successful test shows a green checkmark.

7. Enable the Enable SSO toggle. Double-check that the status badge shows Active (green), otherwise SSO won't function properly.

If the configuration is incomplete, the status badge shows Unfinished configuration and SSO remains inactive—even with the toggle enabled.

Configure auto-provisioning

Auto-provisioning controls whether new users can be automatically created in NeoLoad Web when they authenticate through SSO for the first time. Only administrators can update this setting.

To configure auto-provisioning:

1. Go to Settings > SSO configuration.

2. Select the Auto-provisioning tab.

3. Toggle Enable auto-provisioning of SSO users based on your requirements:

   • Enabled: New users are automatically provisioned in NeoLoad Web when they authenticate through SSO.

   • Disabled: New users cannot authenticate to NeoLoad Web via SSO. They receive a standard login error. Existing users of any type can still authenticate.

Manage SSO users

Users imported through SSO are tagged with SSO in the Source column of the user list. These users:

• Can only sign in via SSO—not with NeoLoad Web username and password.

• Can be assigned roles, but profile data cannot be edited from within NeoLoad Web.

Session duration

By default, an SSO session remains valid for one day unless the browser is closed. After that, users must re-authenticate. You can customize the session duration in your IdP by using the parameter SessionNotOnOrAfter and configuring the session lifetime settings.