In this article, you’ll learn how to set up SCIM provisioning with Azure AD.
SCIM provisioning allows you to manage all your accounts in one central location – Azure AD, from creation to deactivation.
Note: The new version of Productboard’s gallery application that allows SCIM provisioning is currently in the approval process with Azure AD. You can choose to wait until our application is approved or you can use SCIM provisioning now by setting it up manually.
To learn more about SCIM provisioning in Azure AD, take a look at this Azure AD documentation.
In this article:
- Setting up SAML SSO for SCIM
- Configuring SCIM provisioning
To get started, you’ll need the following items:
- An Azure AD subscription. If you don't have a subscription, you can sign up for a one-month free trial.
- A Productboard single sign-on (SSO) enabled subscription (available on the Enterprise plan).
Setting up SAML SSO for SCIM
We don’t have SCIM provisioning approved by Azure AD just yet so you need to configure SAML SSO with your own application. Once we get the Azure AD approval you’ll find SCIM provisioning in our Productboard application in Azure AD’s application gallery.
Note: Once we get Azure AD’s approval you’ll be recommended to migrate to the Productboard application from Azure AD’s application gallery.
Note: You can use one application in Azure AD for SSO and one for provisioning, but we consider that a bit tedious therefore we don’t recommend it.
Configuring your own application
- In Azure AD, in Enterprise applications click on New application and then on Create your own application.
- Select the Non-gallery option and fill in the name productboard.
- Go to Single sign-on and select SAML.
- Now click on Edit.
In the Basic SAML Configuration section, enter the values for the following fields:
- Identifier (Entity ID):productboard
Reply URL (Assertion Consumer Service URL):
- In the Sign on URL(Optional):
- In Single Logout URL (Optional):
- Save Basic SAML configuration.
Now assign all your Productboard members to the new application we’ve just created. Don’t forget to add yourself because you have to authorize the SAML SSO in the next step.
Authorizing SAML SSO in Productboard
- First, open the Single sign-on section in the Productboard app in Azure AD. Copy the App Federation Metadata Url.
- Go to https://<your_workspace>.productboard.com/
- Go to Settings under the workspace menu. Your SSO configuration should look a lot like this. Now we want to replace it with the new one.
- Change Manifest URL to the new one. It’s the link you just copied.
- Click Save & authorize. Then click the red Authorize button.
- You will be redirected to Productboard, where you will be asked to sign in under SAML SSO to authorize the configuration.
During this step, if configuration leads to an error, your old configuration is still there and working, so your users can still log in to Productboard with SSO. You can check the configuration and try again. For troubleshooting issues, see the article Troubleshooting Azure AD issues .
If the authorization was successful, please continue.
- The old Productboard application in Azure AD is not used anymore because SAML SSO goes through the new one we’ve just created. You can delete the old one.
Configuring SCIM provisioning
- Go to https://<your_workspace>.productboard.com/, then to Settings under the workspace menu. Enable SCIM provisioning.
- In Azure AD go to the Provisioning section of your Productboard application and click on Get started.
- Change the Provisioning Mode to Automatic. Fill in the Tenant URL: https://api.productboard.com/scim/v2 .
- To generate Secret Token go to https://<your_workspace>.productboard.com/ , then to Integrations under the Profile menu. Find the Public API section and generate and copy the Access token. Paste the token to Azure AD.
Test Connection. You should see a notification like this one. Then click Save.
- Expand Mappings and disable Provision Azure Active Directory Groups.
- Disable Delete in the Target Object Actions section. We don’t support the deletion of members. You can only deactivate members and that’s done through Update.
You can Delete some of the attribute mappings according to the screenshot below. Then click on Add New Mapping at the bottom.
Note: Please adjust the mapping for userName. It should be the attribute that matches the email you use for logging into Productboard, e.g. mail.
Fill in the configuration for role mapping:
roles[primary eq "True"].value
Don’t forget to Save the changes.
- Mapping type:
- Let’s Start provisioning. From now on every 40 minutes Azure AD will update members in Productboard. Right now every new member will be provisioned with role contributor. Let’s fix that.
- Go to Users and groups then click on application registration.
- Click on Create app role and create the role for admin. Then repeat the same for a maker, contributor, and viewer.
- Assign correct Productboard roles to your users. Select all users and groups that should have e.g. role viewer and click on Edit assignment. Then click Select a role, choose viewer and submit with Select and then Assign. We recommend keeping your users in role-based groups e.g. Productboard Viewers and assigning roles for those groups. Then you only need to assign a user to a group with the correct role in its name and Azure AD will do the rest
- In Productboard you can see that those users that were linked or created are now SCIM provisioned and therefore not editable. The last one that you can see on the screenshot below was not in Azure AD. They are still editable. They are either missing in Azure AD or not supposed to be in Productboard. It’s possible to deactivate such members.
Note: If you want to see if the provisioning is working right away, go to Provisioning and try to Provision on demand a user or a group. If you don’t see what you expect please Retry. Sometimes you have to wait a couple of minutes to have the updated information in Provision on demand option.
Congratulation! Everything is set up.