Setting up SAML SSO via PingIdentity


In this article, we'll walk you through the step-by-step process of configuring SAML SSO for Productboard using PingIdentity. By following these instructions, you can streamline user management and ensure a smooth experience for your team. Let's get started!

Note: Productboard SAML SSO capabilities are limited to just the provisioning of new users and the logging in of existing users. Permissions and deactivation of users are managed in-app unless you set up SCIM provisioning.


Relevant to both new and legacy boards

Setting up SAML SSO

Step 1: Add Application and Input Workspace Name

To set up SAML SSO, go to PingIdentity, navigate to the application catalog, and search for “Productboard.”

In the workspace name field, input your workspace name. For example:

{{workspace name}}.productboard.com

Click Next.

Step 2: Map Required Attributes

Here PingIdentity automatically maps the Productboard SAML attributes to PingIdentity attributes. Please review the mappings to ensure they are correct.

For more information about the user roles/permissions that a user can be authenticated with, see the article here. The Productboard SAML service authenticates users with the role/permission set by the Productboard admin through the custom attribute pb_role. If pb_role is not set, all new users are authenticated and logged into Productboard with the default role, contributor.

Note:
This step is only for the initial provisioning of new user profiles, i.e., creating a user profile in Productboard and setting their role as Maker Admin / Maker / Contributor / Viewer. Once a profile is created, Maker admins can update the user's role within Productboard.

If a user already exists in Productboard, PingIdentity will log them in as usual, but the Productboard role is managed within Productboard.

If an employee leaves and is deactivated in PingIdentity, the profile in Productboard will not be removed or deactivated; it must be manually deactivated via Productboard Settings > Members.

Step 3: Select Assigned Users

Select which groups of users in PingIdentity can access and log in to the Productboard application.

Click Save.

From here, you will see the Productboard application connection details:

      • Issuer ID
      • Single SignOn Service
      • IDP Metadata URL
      • Initiate Single SignOn URL

Copy the IDP Metadata URL.

Step 4: Configure SAML Enforcement in Productboard

Open a new tab, log into your Productboard workspace, head to Settings > Enforce SSO, and paste the IDP metadata URL into the manifest URL field.

Name: PingIdentity (this is just for labeling on the login button on sign-in)


With all the details set up in PingIdentity and Productboard, you can now test. First, ensure you have assigned yourself to the app in PingIdentity. If you haven’t done so already, on the Settings page of Productboard > Enforce SSO, click “Save and Authorize”. You will be prompted to authorize enabling SSO for all users; click Authorize. You’ll be logged out and should now see the option to “Use PingIdentity Account.”

FAQ & Troubleshooting

Does Productboard support user provisioning via SCIM?

Yes, though not part of the native PingIdentity application, it can be set up - More info here.

IDP metadata URL not working

You can also input PingIdentity’s configuration manually. Enter the IDP metadata URL into your browser address bar; you should see the raw XML data, from which you can extract the values and paste them into the fields below:

| Productboard | PingIdentity Property Name |
|---|---|
| Name | PingIdentity |
| SSO Endpoint (HTTP:) | <SingleSignOnService> |
| Certificate | <Certificate> |
| Certificate Fingerprint | (optional) |
| SLO Endpoint (HTTP:) | <SingleLogoutService> (optional) |
| Audience / Entity ID | EntityID (optional) |

 

Troubleshooting Infinite Loop When Trying to Save & Authorize

If you are experiencing issues when trying to Save & Authorize the enforcement, please ensure the following:

  1. Required Parameters:

    Make sure that the callback request includes all the required parameters: email, firstName, and lastName.

  2. SHA-1 Algorithm:

    Verify that you are using the SHA-1 algorithm for the certificate used to sign the request.
