- Verify a domain you own (for example,
company.com). - Auto-join (JIT provisioning) — automatically add users from a verified domain instead of inviting them one by one.
- SAML 2.0 single sign-on (SSO) — let your team sign in with your existing identity provider (IdP), such as Okta, Microsoft Entra ID, or Google Workspace.
Requirements
- Domain verification and auto-join: You must be an organization Admin or Owner. No special plan is required.
- SAML SSO: In addition to admin access, SAML SSO must be enabled for your organization by QA.tech — it is a plan-level feature. If it is not enabled, the SAML configuration section will not appear. Contact QA.tech or your account representative to have it enabled.
Domain verification and auto-join work on their own — you do not need SAML
SSO to use them. SAML SSO is an additional, optional layer that builds on a
verified domain.
1. Add and verify a domain
Verifying a domain proves you own the email domain your team uses. It is the foundation for both auto-join and SAML SSO, so start here.1
Open domain settings
Go to Organization Settings → Authentication and find the Domains section.
2
Add your domain
Enter the email domain your team signs in with — for example,
company.com.3
Add the DNS verification record
After adding the domain, QA.tech shows you a verification token. Create the following TXT record with your DNS provider:
DNS changes can take up to 48 hours to propagate, though they are often live much sooner. If verification fails immediately after adding the record, wait and try again.
4
Verify the domain
Once the DNS record is in place, return to QA.tech and click Verify domain. When verification succeeds, the domain shows a Verified badge.
2. User provisioning (auto-join / JIT)
Provisioning controls how users get added to your organization. There are two modes:Auto-join does not require SAML SSO. You can enable domain-based auto-join
for any verified domain on its own. If you later configure SSO, JIT
provisioning also applies to SSO sign-ins — users authenticating through your
IdP are added automatically on first login.
3. Configure SAML SSO for a verified domain
SAML SSO lets your team sign in through your identity provider. It builds on a verified domain and requires the SSO feature to be enabled for your organization.Prerequisites for this step
- The domain is Verified (Step 1).
- SAML SSO is enabled for your organization by QA.tech.
1
Open SSO settings for the domain
In Organization Settings → Authentication, select the verified domain you want to configure and open its SAML SSO settings.
2
Provide your IdP metadata
Supply your identity provider’s SAML metadata in one of the following ways:
- Metadata URL — paste the URL your IdP publishes its metadata at (for example,
https://idp.example.com/saml/metadata). - Metadata XML — paste the raw SAML metadata XML directly.
3
Save
Save your configuration. QA.tech provisions a SAML SSO provider bound to that domain. Once active, the domain shows an SSO Active badge.
Disabling or removing SSO
- Disabling SSO for a domain removes the SAML provider for that domain. Users on that domain will no longer sign in through your IdP.
- Removing the domain entirely also disables SSO for it.
4. End-user sign-in experience
Once SSO is active, your team signs in like this:1
Choose Continue with SSO
On the QA.tech sign-in screen, the user selects Continue with SSO.
2
Enter work email
The user enters their work email. QA.tech uses the email domain to find
the matching organization and redirects the user to that organization’s
identity provider.
3
Authenticate and return
The user signs in with your IdP and is redirected back to QA.tech to
complete sign-in. If JIT provisioning is enabled, first-time users are added
to the organization automatically and skip onboarding.
If your organization enforces SSO, users on your domain are routed to the SSO
sign-in page automatically.
Troubleshooting
Domain won’t verify- Confirm the TXT record host is exactly
_qatech-verification.<domain>(for example,_qatech-verification.company.com) — a common mistake is omitting the_qatech-verification.prefix or adding the domain twice. - Confirm the record Type is
TXTand the Value matches the token shown in the UI exactly, including theqatech-domain-verify=prefix. - DNS can take up to 48 hours to propagate. Wait and click Verify domain again.
- The user’s email domain does not have an active SAML provider. Confirm the domain is Verified and shows the SSO Active badge in Organization Settings → Authentication.
- Confirm the user is signing in with their work email on the configured domain, not a personal address.
- SAML SSO is a plan-level feature and must be enabled for your organization by QA.tech. If you don’t see the SSO configuration controls, contact QA.tech or your account representative to have it enabled. (Domain verification and auto-join do not depend on this feature and are available without it.)
- Confirm you are signed in as an organization Admin or Owner. The app hides these settings from members.