In this article, you’ll learn how to set up SCIM provisioning with Microsoft Entra ID.
SCIM provisioning allows you to manage all your accounts in one central location – Microsoft Entra ID, from creation to deactivation.
Note: The new version of Productboard’s gallery application that allows SCIM provisioning is currently in the approval process with Microsoft Entra ID. You can choose to wait until our application is approved or you can use SCIM provisioning now by setting it up manually.
To learn more about SCIM provisioning in Microsoft Entra ID, take a look at this Microsoft Entra ID documentation.
Prerequisites
To get started, you’ll need the following items:
- A Microsoft Entra ID subscription. If you don't have a subscription, you can sign up for a one-month free trial.
- A Productboard single sign-on (SSO) enabled subscription (available on the Enterprise plan).
Setting up SAML SSO for SCIM
We don’t have SCIM provisioning approved by Microsoft Entra ID just yet, so you need to configure SAML SSO with your own application. Once we get the Microsoft Entra ID approval, you’ll find SCIM provisioning in our Productboard application in Microsoft Entra ID’s application gallery.
Note: Once we get Microsoft Entra ID’s approval you’ll be recommended to migrate to the Productboard application from Microsoft Entra ID’s application gallery.
Note: You can use one application in Microsoft Entra ID for SSO and another for provisioning, but we consider that a bit tedious, so we don’t recommend it.
Configuring your own application
- In Microsoft Entra ID, in Enterprise applications, click on New application and then on Create your own application.
- Select the Non-gallery option and fill in the name productboard.
- Go to Single sign-on and select SAML.
- Now click on Edit.
In the Basic SAML Configuration section, enter the values for the following fields:
- Identifier (Entity ID): productboard
- Reply URL (Assertion Consumer Service URL): https://<your_workspace>.productboard.com/users/auth/saml/callback
- Sign on URL (Optional): https://<your_workspace>.productboard.com/
- Single Logout URL (Optional): https://<your_workspace>.productboard.com/users/auth/saml/slo
- Save the Basic SAML Configuration.
Assigning members
Now assign all your Productboard members to the new application we’ve just created. Don’t forget to add yourself because you have to authorize the SAML SSO in the next step.
Authorizing SAML SSO in Productboard
- First, open the Single sign-on section in the Productboard app in Microsoft Entra ID. Copy the App Federation Metadata Url.
- Go to https://<your_workspace>.productboard.com/
- Go to Settings under the workspace menu. Your SSO configuration should look a lot like this. Now we want to replace it with the new one.
- Change Manifest URL to the new one. It’s the link you just copied.
- Click Save & authorize. Then click the red Authorize button.
- You will be redirected to Productboard, where you will be asked to sign in under SAML SSO to authorize the configuration.
During this step, if the configuration leads to an error, your old configuration is still there and working, so your users can still log in to Productboard with SSO. You can check the configuration and try again. For troubleshooting issues, see the article Troubleshooting Microsoft Entra ID issues.
If the authorization was successful, please continue.
- The old Productboard application in Microsoft Entra ID is not used anymore because SAML SSO goes through the new one we’ve just created. You can delete the old one.
Configuring SCIM provisioning
- Go to https://<your_workspace>.productboard.com/, then to Settings under the workspace menu. Enable SCIM provisioning. If you want to use Group provisioning, enable Manage team with SCIM.
- In Microsoft Entra ID go to the Provisioning section of your Productboard application and click on Get started.
- Change the Provisioning Mode to Automatic. Fill in the Tenant URL: https://api.productboard.com/scim/v2.
- To generate the Secret Token, go to https://<your_workspace>.productboard.com/, then to Integrations under the Profile menu. Find the Public API section, then generate and copy the Access token. Paste the token into Microsoft Entra ID.
- Click Test Connection. You should see a notification like this one. Then click Save.
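If you want to run the same check from a workstation before saving, here is an added example (not Productboard’s or Microsoft’s code) that sends the probe Entra ID’s Test Connection performs: an authenticated listing of /Users at the tenant URL. It assumes the token is supplied in an environment variable named PB_SCIM_TOKEN (a name chosen for this example) and that the endpoint honours the standard SCIM list parameters count and startIndex from RFC 7644.

```python
"""Added example (not Productboard's or Microsoft's code): reproduces the
'Test Connection' probe from a workstation so the Tenant URL and secret token
can be verified before the provisioning configuration is saved.

Assumptions: the token is read from the environment variable PB_SCIM_TOKEN
(a name chosen here), and the SCIM endpoint accepts the RFC 7644 list
parameters count/startIndex used in the query below."""
import json
import os
import urllib.error
import urllib.request

TENANT_URL = "https://api.productboard.com/scim/v2"  # Tenant URL from the article


def build_probe_request(tenant_url, token):
    """Return (url, headers) for the probe: a one-item listing of /Users.
    The secret token is the Public API access token, sent as a Bearer token."""
    url = f"{tenant_url.rstrip('/')}/Users?count=1&startIndex=1"
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/scim+json",  # SCIM media type (RFC 7644)
    }
    return url, headers


def interpret_status(status):
    """Map the HTTP status to what the Entra ID Test Connection would report."""
    if status == 200:
        return "ok: endpoint reachable and token accepted"
    if status in (401, 403):
        return "auth failure: regenerate the Public API token and paste it again"
    if status == 404:
        return "not found: check the Tenant URL"
    return f"unexpected status {status}"


def probe_connection(tenant_url=TENANT_URL, token=None, timeout=10):
    """Perform the probe and return the interpretation. The token is never
    printed or logged; it only travels in the Authorization header."""
    token = token or os.environ.get("PB_SCIM_TOKEN")
    if not token:
        raise SystemExit("set PB_SCIM_TOKEN to the Public API access token")
    url, headers = build_probe_request(tenant_url, token)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
            # A SCIM ListResponse carries totalResults; report it as a sanity check
            total = body.get("totalResults", "?")
            return interpret_status(resp.status) + f" (totalResults={total})"
    except urllib.error.HTTPError as e:
        return interpret_status(e.code)


if __name__ == "__main__":
    print(probe_connection())
```

The token is the Public API access token and grants the same access as that API, so treat it like a password: pass it through the environment rather than on the command line or in a script, and regenerate it in the Integrations section if it is exposed.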
- Expand Mappings and either:
  - disable Provision Azure Active Directory Groups if you don’t want to provision groups, or
  - leave it enabled and make sure the Attribute Mappings look like this:
- In Provision Azure Active Directory Users, disable Delete in the Target Object Actions section. We don’t support the deletion of members. You can only deactivate members and that’s done through Update.
- Delete some of the attribute mappings. Make sure it matches the screenshot below. Then click on Add New Mapping at the bottom.
Note: Please adjust the mapping for userName. It should be the attribute that matches the email you use for logging into Productboard, e.g. mail.
- Fill in the configuration for role mapping:
  - Mapping type: Expression
  - Expression: SingleAppRoleAssignment([appRoleAssignments])
  - Target attribute: roles[primary eq "True"].value
Don’t forget to Save the changes.
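To make the mapping concrete, the following added example (not Productboard’s or Microsoft’s code) builds a constructed User resource of the shape the SingleAppRoleAssignment expression produces, resolves the roles[primary eq "True"].value path the way a SCIM service does, and applies the active=false Update that stands in for deletion once Delete is disabled in Target Object Actions. The fallback to contributor for members without a mapped role is taken from the article; the role type value WindowsAzureActiveDirectoryRole is what Entra ID emits for app roles and is assumed here, not stated in the article, and all identifiers and e-mail addresses are sample data constructed for the example.

```python
"""Added example (not Productboard's or Microsoft's code): what the role
mapping produces on the wire and how a SCIM service resolves it, plus the
deactivation Update that replaces Delete.

Constructed sample data only; attribute shapes follow RFC 7643/7644 and the
mapping described in the article. No network access is performed."""
import re

# Constructed: a User resource as an Entra ID provisioning job would POST it.
# `primary` is the string "True" because the target attribute filter in the
# article compares against the quoted literal "True". The role `type` value is
# assumed (it is what Entra ID emits for app roles), not taken from the article.
PROVISIONED_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "constructed-object-id-0001",
    "userName": "alice@example.com",  # the e-mail used to log in (see userName note)
    "active": True,
    "emails": [{"primary": True, "type": "work", "value": "alice@example.com"}],
    "roles": [
        {"primary": "True", "type": "WindowsAzureActiveDirectoryRole", "value": "viewer"}
    ],
}

# Matches the one SCIM path form used on this page: attr[sub eq "val"].sub
PATH_RE = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')

PRODUCTBOARD_ROLES = ("admin", "maker", "contributor", "viewer")  # app roles from the article


def resolve_filtered_path(resource, path):
    """Resolve e.g. roles[primary eq "True"].value against a resource dict.
    Returns the matched sub-attribute or None. The comparison is string-based
    and case-insensitive so both the string "True" and JSON true match."""
    m = PATH_RE.match(path)
    if not m:
        raise ValueError(f"unsupported SCIM path: {path}")
    attr, sub, expected, target = m.groups()
    for item in resource.get(attr, []):
        if str(item.get(sub)).lower() == expected.lower():
            return item.get(target)
    return None


def productboard_role(resource):
    """Pick the Productboard role for a provisioned user. A missing or unknown
    role falls back to contributor, the default the article describes for
    members provisioned before app roles are assigned."""
    value = resolve_filtered_path(resource, 'roles[primary eq "True"].value')
    if value is None or value.lower() not in PRODUCTBOARD_ROLES:
        return "contributor"
    return value.lower()


def deactivation_patch():
    """Constructed: the PatchOp an Update sends to deactivate a member. With
    Delete disabled in Target Object Actions this is the only offboarding
    message the service has to handle, which matches the article's statement
    that members are deactivated rather than deleted."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "Replace", "path": "active", "value": False}],
    }


def apply_patch(resource, patch):
    """Apply Replace operations to a copy of the resource. `active` is also
    accepted as the strings "True"/"False", a defensive normalisation for
    clients that serialise booleans as text."""
    updated = dict(resource)
    for op in patch["Operations"]:
        if op["op"].lower() != "replace":
            raise ValueError(f"unsupported op: {op['op']}")
        value = op["value"]
        if op["path"] == "active" and isinstance(value, str):
            value = value.strip().lower() == "true"
        updated[op["path"]] = value
    return updated
```

Running productboard_role on the constructed user yields viewer; removing the roles entry, or sending a role name that is not one of the four app roles, yields contributor, which is the behaviour to expect for members who have not yet been assigned an app role in Users and groups.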
- Click Start provisioning. From now on, every 40 minutes Microsoft Entra ID will update members in Productboard. Right now every new member will be provisioned with the role contributor. Let’s fix that.
- Go to Users and groups then click on application registration.
- Click on Create app role and create the role for admin. Then repeat the same for a maker, contributor, and viewer.
- Assign the correct Productboard roles to your users. Select all users and groups that should have e.g. the role viewer and click on Edit assignment. Then click Select a role, choose viewer and submit with Select and then Assign. We recommend keeping your users in role-based groups, e.g. Productboard Viewers, and assigning roles to those groups. Then you only need to assign a user to a group with the correct role in its name and Microsoft Entra ID will do the rest.
- In Productboard you can see that those users that were linked or created are now SCIM provisioned and therefore not editable. The last one that you can see on the screenshot below was not in Microsoft Entra ID. They are still editable. They are either missing in Microsoft Entra ID or not supposed to be in Productboard. It’s possible to deactivate such members. If you’re also provisioning Groups, the behavior is slightly different. All the existing teams in Productboard are marked as SCIM provisioned already and they’re not editable. You can only manage them from Microsoft Entra ID now.
Note: If you want to see if the provisioning is working right away, go to Provisioning and try to Provision on demand a user or a group. If you don’t see what you expect please Retry. Sometimes you have to wait a couple of minutes to have the updated information in Provision on demand option.
Congratulations! Everything is set up.