Enforce SAML single sign-on with Google Workspace

Kristina Docheva
Written by Kristina Docheva
Updated

enterprise.svg


In this article, you'll learn how to set up SAML SSO with Google Workspace, allowing you to:

  • Control in Google Admin who has access to Productboard.
  • Enable your users to automatically sign in to Productboard with their Google accounts.
  • Manage your accounts in one central location – in Google Admin.
  • Change the default role for users managed in Google Workspace, from contributor to admin, maker, or viewer.

In this article:

Configure SAML SSO in Google Workspace

 

Screenshot_2021-03-12_at_10.46.58.png

1. Sign in to your Google Admin console. The Admin console is where administrators manage Google services for people in an organization. Click Apps.

 

Screenshot_2021-03-12_at_11.35.17.png

2. From the Apps page, select SAML apps.

 

Screenshot_2021-03-12_at_11.55.53.png

3. Select: Add App β†’ Add custom SAML app.

 

Screenshot_2021-03-12_at_11.58.46.png

4. Fill in the App details. We recommend typing "Productboard", as this name will be shown in the list of your SAML apps in the Google Admin console.

 

Screenshot_2021-03-15_at_9.12.33.png

5. On this screen, you will see metadata. Click Continue - we will return to this screen later.

 

Screenshot_2021-03-12_at_12.48.23.png

6. You can use the details below to fill in the Service provider details:

  • In the Entity ID field, type:
    productboard
  • For Name ID Format, select:
    EMAIL
  • NameID should be pre-selected with:
    Basic Information > Primary Email
  • Select Continue

Screenshot_2021-03-12_at_15.13.40.png

7. For Attribute Mapping, you'll need to add two mappings - First name and Last name mappings. These two mappings are mandatory and you can't skip this step.

Note: The default user role for new users will be Contributor. To change the role, see Change the user role for new users.

Examples of the attribute names we support.

First Name  Last Name
givenname surname
FirstName LastName
first_name last_name
firstname lastname
firstName lastName
User.FirstName User.LastName

 

8. Select Finish! πŸŽ‰

 

Turn on your SAML app and grant access to the organization

1. From the Admin console Home page, go to Apps β†’ SAML apps.

 

Screenshot_2021-03-12_at_15.25.33.png

2. Select your SAML app Productboard.

 

Screenshot_2021-03-12_at_15.26.48.png

3. Select User Access to turn ON or OFF the access for everybody in the organization.

 

Screenshot_2021-03-12_at_15.35.29.png

4. Select On for everyone and click Save.

5. Make sure you have added Users to the organization (or granted permission to yourself/ an admin who is setting SAML SSO in Productboard) in Google Admin β†’ Directory β†’ Users/Groups before moving on to configure SAML SSO in Productboard.

 

Configure SAML SSO in Productboard

 

Screenshot_2021-03-12_at_16.16.26.png

1. Select your Avatar β€”> Settings β€”> Enforce SAML SSO β€”> Manual configuration. (As of the time of writing, it's only possible to set the SSO manually, so make sure you have selected Manual Configuration!)

 

Screenshot_2021-03-12_at_15.40.10.png

2. In a separate tab, open up your Google Admin console. Select Apps β€”> SAML Apps β€”> Productboard app.

  • Then select: Download Metadata
  • You will see a popup window with the SSO URL and Certificate that you will need to copy-paste into Productboard.

 

Screenshot_2021-03-12_at_16.20.18.png

3. Here is how the filled configuration in Productboard should look.

  • For the Name field, we recommend typing Google workspace, since that name will be shown on the Productboard login page.
  • You can use either the Certificate or the Certificate Fingerprint, but you will not need both.

 

Screenshot_2021-03-12_at_16.19.39.png

4. Save & authorize the SAML SSO.

 

Screenshot_2021-01-29_at_12.29.47.png

5. You will be automatically logged out and asked to log in using Google workspace.

6. Sign in using your Google account and check that everything is working as expected!

 

Note: Productboard members will be able to access Productboard uninterrupted during the SSO configuration process. Once the configuration is finalized, all members will automatically be logged out and prompted to log in via SSO.

 

Change the default role for new users

The default role for new users is Contributor, but you can switch the role to Viewer, Admin or Editor by following the steps below. (For more information about Productboard access roles, see here.)

 

Screenshot_2021-03-12_at_15.44.41.png

1. Go to Users β€”> More β€”> Manage custom Attributes.

 

Screenshot_2021-03-12_at_15.46.04.png

2. Select Add Custom Attribute.

 

Screenshot_2021-03-12_at_15.47.26.png

3. Fill in the custom attribute with the details from the screenshot. The example above is for Viewer

 

Screenshot_2021-03-12_at_15.51.18.png

4. Now you need to go back to the App settings and add the Attribute mapping. Select SAML Attribute Mapping.

5. Select Add Mapping.

 

Screenshot_2021-03-12_at_15.53.32.png

6. Select Viewer (or Admin or Editor) for the Productboard role. For the App attribute, type pb_role. Click Save.

 

Create a new user and assign a custom user role

1. From the Admin console Home page, go to Users β†’ Add new user. Add the required personal information and click Add new user.

kristinaarticle1.png

2. On the screen with the user password, select More actions β†’ Edit user. 

kristinaarticle2.png

3. You will see a screen with all of the user details. Scroll down until you see the custom user role attribute you created (see above).

 

Screenshot_2021-03-12_at_21.51.31.png

 

4. You need to type viewer and save the changes. Now that new user will have viewer access when he/she sighs up in Productboard. If you don't type viewer in that field the user role will be the default one which is contributor. 

Screenshot_2021-03-12_at_20.30.16.png

 

That's it! πŸŽ‰ Your new user has the access role you specified.

Note: You must perform this workflow every time you create a new user. If you do not manually assign a role in this custom field, the user will be created with a contributor access role.

 

Disable SAML SSO

You can disable the SAML SSO integration at any time in your Productboard Settings, which you can access via the avatar menu in the bottom left corner.

The next time members log in, those who haven't set a Productboard password will be required to reset their password to receive login instructions via email.

If you wish to delete the Productboard application from Google Workspace, you can do it from here:

Screenshot_2021-03-12_at_15.56.47.png

Troubleshooting

My certificate expired and I lost access to Productboard. How can I update the new certificate?

Let us know here, or email us at support@productboard.com. We can disable the SAML for you. Then you will be able to log in and update the certificate manually.

 

I've authorized SAML SSO, but I forgot to add any users in my IdP β€” what should I do?

If you feel you aren't ready and need to turn off your authorized SAML SSO settings from the space, the owner of the space can contact our Support team and we'll remove it for you. However, we need an admin who has ownership of the space to request this.

 

How can I learn more about Google Workspace SAML SSO?

See Google Workplace's documentation here.

Was this article helpful?
0 out of 0 found this helpful