Setting up SCIM provisioning with Azure AD


In this article, you’ll learn how to set up SCIM provisioning with Azure AD.

SCIM provisioning allows you to manage all your accounts in one central location – Azure AD, from creation to deactivation.

Note: The new version of Productboard’s gallery application that allows SCIM provisioning is currently in the approval process with Azure AD. You can choose to wait until our application is approved or you can use SCIM provisioning now by setting it up manually.

To learn more about SCIM provisioning in Azure AD, take a look at this Azure AD documentation.


Prerequisites

To get started, you’ll need the following items:

Setting up SAML SSO for SCIM

We don’t have SCIM provisioning approved by Azure AD just yet, so you need to configure SAML SSO with your own application. Once we get the Azure AD approval, you’ll find SCIM provisioning in our Productboard application in Azure AD’s application gallery.

Note: Once we get Azure AD’s approval, we’ll recommend migrating to the Productboard application from Azure AD’s application gallery.
Note: You can use one application in Azure AD for SSO and another for provisioning, but we consider that a bit tedious, so we don’t recommend it.

Configuring your own application

  1. In Azure AD, in Enterprise applications click on New application and then on Create your own application.
  2. Select the Non-gallery option and fill in the name productboard.
  3. Go to Single sign-on and select SAML.
  4. Now click on Edit.

    In the Basic SAML Configuration section, enter the values for the following fields:

    • Identifier (Entity ID): productboard
    • Reply URL (Assertion Consumer Service URL):
      https://<your_workspace>.productboard.com/users/auth/saml/callback
    • Sign on URL (Optional):
      https://<your_workspace>.productboard.com/
    • Single Logout URL (Optional):
      https://<your_workspace>.productboard.com/users/auth/saml/slo
  5. Save the Basic SAML Configuration.

Assigning members

Now assign all your Productboard members to the new application we’ve just created. Don’t forget to add yourself because you have to authorize the SAML SSO in the next step.

Authorizing SAML SSO in Productboard

  1. First, open the Single sign-on section in the Productboard app in Azure AD. Copy the App Federation Metadata Url.
  2. Go to https://<your_workspace>.productboard.com/
  3. Go to Settings under the Profile menu. Your existing SSO configuration is shown there; we want to replace it with the new one.
  4. Change Manifest URL to the new one. It’s the link you just copied.
  5. Click Save & authorize. Then click the red Authorize button.
  6. You will be redirected to Productboard, where you will be asked to sign in with SAML SSO to authorize the configuration.
    During this step, if the configuration leads to an error, your old configuration is still there and working, so your users can still log in to Productboard with SSO. You can check the configuration and try again. For troubleshooting issues, see the article Troubleshooting Azure AD issues.
    If the authorization was successful, please continue.
  7. The old Productboard application in Azure AD is not used anymore because SAML SSO goes through the new one we’ve just created. You can delete the old one.
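
The Manifest URL you paste in step 4 is Azure AD’s App Federation Metadata Url, and the metadata behind it is what Productboard will trust for every SSO login from then on. The script below is an added example, not Productboard’s or Microsoft’s code: it checks that the copied URL has the shape of Azure AD’s per-application metadata link, inspects the IdP metadata for the pieces a service provider needs (an entityID, a signing certificate, https SSO and SLO endpoints), and lists the SP-side values from the Basic SAML Configuration step so you can compare both halves of the trust relationship. The function names, the workspace name and the metadata XML are constructed for illustration; the only page-specific values are the Productboard URLs.

```python
"""Sanity checks on the App Federation Metadata Url before pasting it as Manifest URL.

Added example, not Productboard's or Microsoft's code. It assumes the standard shape of
Azure AD's per-application federation metadata URL and the SAML 2.0 metadata namespaces;
the XML below is a constructed, minimal sample, not real tenant metadata.
"""
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def expected_sp_values(workspace):
    """The values the article has you enter in Basic SAML Configuration."""
    base = f"https://{workspace}.productboard.com"
    return {
        "entity_id": "productboard",
        "reply_url": f"{base}/users/auth/saml/callback",
        "sign_on_url": f"{base}/",
        "logout_url": f"{base}/users/auth/saml/slo",
    }


def check_metadata_url(url):
    """Problems with the copied URL; an empty list means it looks like Azure AD's
    per-application metadata link (https, login.microsoftonline.com, appid present)."""
    u = urlparse(url)
    problems = []
    if u.scheme != "https":
        problems.append("metadata URL must use https")
    if u.netloc != "login.microsoftonline.com":
        problems.append(f"unexpected host: {u.netloc}")
    if not u.path.endswith("/federationmetadata.xml"):
        problems.append("path does not end in federationmetadata.xml")
    if "appid" not in parse_qs(u.query):
        problems.append("no appid parameter; the per-application metadata link carries one")
    return problems


def inspect_idp_metadata(xml_text):
    """Pull out what an SP needs from IdP metadata and flag anything missing:
    entityID, a signing certificate, and https SSO/SLO endpoints."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("no entityID on EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": entity_id, "sso_url": None, "slo_url": None,
                "signing_certs": 0, "problems": problems + ["no IDPSSODescriptor"]}
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_REDIRECT]
    slo = [s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)]
    if not certs:
        problems.append("no signing certificate: assertions could not be verified")
    if not sso:
        problems.append("no HTTP-Redirect SingleSignOnService endpoint")
    for loc in sso + slo:
        if not (loc or "").startswith("https://"):
            problems.append(f"endpoint is not https: {loc}")
    return {"entity_id": entity_id, "sso_url": sso[0] if sso else None,
            "slo_url": slo[0] if slo else None, "signing_certs": len(certs),
            "problems": problems}


# Constructed, minimal IdP metadata in the shape Azure AD serves (the certificate is a
# placeholder, not real key material; the tenant id is all zeros).
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    print(expected_sp_values("<your_workspace>"))
    print(check_metadata_url("https://login.microsoftonline.com/tenant-id/"
                             "federationmetadata/2007-06/federationmetadata.xml?appid=app-id"))
    print(inspect_idp_metadata(SAMPLE_METADATA))
```

If you fetch the real metadata for inspection, do it over https and from the exact URL Azure AD showed you; the interesting failure case is a metadata document with no signing certificate or with an http endpoint, which the checker reports before you commit it as the new configuration.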

Configuring SCIM provisioning

  1. Go to https://<your_workspace>.productboard.com/, then to Settings under the Profile menu. Enable SCIM provisioning.
  2. In Azure AD, go to the Provisioning section of your Productboard application and click on Get started.
  3. Change the Provisioning Mode to Automatic. Fill in the Tenant URL: https://api.productboard.com/scim/v2
  4. To generate the Secret Token, go to https://<your_workspace>.productboard.com/, then to Integrations under the Profile menu. Find the Public API section, then generate and copy the Access token. Paste the token into Azure AD.
  5. Click Test Connection. You should see a notification confirming the connection. Then click Save.
  6. Expand Mappings and disable Provision Azure Active Directory Groups.
  7. Disable Delete in the Target Object Actions section. We don’t support the deletion of members. You can only deactivate members, and that’s done through Update.
  8. You can delete the attribute mappings you don’t need. Then click on Add New Mapping at the bottom.
  9. Fill in the configuration for role mapping:

    • Mapping type:
      Expression
    • Expression:
      SingleAppRoleAssignment([appRoleAssignments])
    • Target attribute:
      roles[primary eq "True"].value

    Don’t forget to Save the changes.

  10. Click Start provisioning. From now on, every 40 minutes Azure AD will update members in Productboard. Right now every new member will be provisioned with the role contributor. Let’s fix that.
  11. Go to Users and groups, then click on application registration.
  12. Click on Create app role and create the role for admin. Then repeat the same for maker, contributor, and viewer.
  13. Assign the correct Productboard roles to your users. Select all users and groups that should have, e.g., the role viewer and click on Edit assignment. Then click Select a role, choose viewer, and submit with Select and then Assign. We recommend keeping your users in role-based groups, e.g. Productboard Viewers, and assigning roles to those groups. Then you only need to add a user to the group with the correct role in its name and Azure AD will do the rest.
  14. In Productboard you can see that the users that were linked or created are now SCIM provisioned and therefore not editable. A member who was not in Azure AD is still editable; they are either missing in Azure AD or not supposed to be in Productboard. It’s possible to deactivate such members.
Note: If you want to see whether provisioning is working right away, go to Provisioning and try Provision on demand for a user or a group. If you don’t see what you expect, please Retry. Sometimes you have to wait a couple of minutes for the updated information to appear in the Provision on demand option.
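
Steps 4, 7 and 9 above decide three things on the wire: the Secret Token travels as a bearer credential on every provisioning call, members are deactivated through Update rather than deleted, and the app role arrives as roles[primary eq "True"].value. The script below is an added example, not Productboard’s or Microsoft’s code; it makes those exchanges concrete using only the SCIM 2.0 message format (RFC 7643/7644), so you can check a provisioned user or a PATCH body the same way Productboard would read it. The function names, the sample /Users page and the user records are constructed for illustration; the only page-specific values are the Tenant URL and the contributor default.

```python
"""What the SCIM provisioning configured above exchanges, in code.

Added example, not Productboard's or Microsoft's code. It assumes only the SCIM 2.0 wire
format (RFC 7643/7644) and that Azure AD presents the Secret Token as an HTTP bearer
token; the JSON below is a constructed sample, not captured traffic.
"""

TENANT_URL = "https://api.productboard.com/scim/v2"  # Tenant URL from the article
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
DEFAULT_ROLE = "contributor"  # role the article says unmapped members receive


def auth_headers(secret_token):
    """Headers a SCIM client sends on every call. The Secret Token is the Productboard
    access token, a bearer credential: keep it in the header, never in a query string,
    which ends up in proxy and web-server logs."""
    return {
        "Authorization": f"Bearer {secret_token}",
        "Accept": "application/scim+json",
        "Content-Type": "application/scim+json",
    }


def users_url(count=1):
    """URL a 'Test Connection' style probe would fetch: a one-item page of /Users."""
    return f"{TENANT_URL}/Users?startIndex=1&count={count}"


def primary_role(user):
    """Read back the mapping target roles[primary eq "True"].value. Azure AD sends the
    boolean true; the string form is also accepted here (assumption, for tolerance)."""
    for role in user.get("roles", []):
        if str(role.get("primary")).lower() == "true":
            return role.get("value")
    return None


def effective_role(user):
    """Role the member ends up with: the mapped app role, else the article's default."""
    return primary_role(user) or DEFAULT_ROLE


def deactivation_patch():
    """PatchOp that sets active=false. With Delete disabled in Target Object Actions,
    this Update is how a removed or disabled Azure AD user is deactivated."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Replace", "path": "active", "value": False}],
    }


def is_deactivation(patch):
    """True when a PatchOp turns a user off, whether sent as path=active or as an
    {"active": ...} value object, and whether the value is False or the string "False"
    (both forms are tolerated here as an assumption about client conventions)."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        return False
    for op in patch.get("Operations", []):
        if (op.get("op") or "").lower() != "replace":
            continue
        path = (op.get("path") or "").lower()
        value = op.get("value")
        if path == "active":
            candidate = value
        elif path == "" and isinstance(value, dict) and "active" in value:
            candidate = value["active"]
        else:
            continue
        if str(candidate).lower() == "false":
            return True
    return False


def summarize_users(list_response):
    """Rows of (userName, active, mapped primary role) from a /Users ListResponse."""
    if LIST_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return [
        (u["userName"], bool(u.get("active", True)), primary_role(u))
        for u in list_response.get("Resources", [])
    ]


# Constructed sample of a /Users page after provisioning: one mapped, active viewer and
# one deactivated member with no app role.
SAMPLE_LIST = {
    "schemas": [LIST_SCHEMA],
    "totalResults": 2, "startIndex": 1, "itemsPerPage": 2,
    "Resources": [
        {"schemas": [USER_SCHEMA], "id": "u-1", "userName": "alice@example.com",
         "active": True,
         "roles": [{"primary": True, "type": "WindowsAzureActiveDirectoryRole",
                    "value": "viewer"}]},
        {"schemas": [USER_SCHEMA], "id": "u-2", "userName": "bob@example.com",
         "active": False, "roles": []},
    ],
}

if __name__ == "__main__":
    for row in summarize_users(SAMPLE_LIST):
        print(row)
    print(is_deactivation(deactivation_patch()))
```

The useful check after step 13 is the third column of summarize_users: a member still showing no primary role is one who is not in any app-role assignment and will therefore land on the contributor default, which is exactly the case the app roles and role-based groups are meant to remove.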

Congratulations! Everything is set up.
