In this article, we'll walk you through the step-by-step process of configuring SAML SSO for Productboard using PingIdentity. By following these instructions, you can streamline user management and ensure a smooth experience for your team. Let's get started!
Note: Productboard SAML SSO capabilities are limited to just the provisioning of new users and the logging in of existing users. Permissions and deactivation of users are managed in-app unless you set up SCIM provisioning.
In this article:
- Setting up SAML SSO
- Step 1
- Step 2
- Step 3
- Step 4
Setting up SAML SSO
To set up SAML SSO, go to PingIdentity > navigate to the application catalog & search for “Productboard.”
In the workspace name field, input your workspace name. For example:
Here PingIdentity maps Productboard SAML attributes: PingIdentity attributes automatically. Please review them to ensure they are correct.
For more information about user roles/permissions that a user should be authenticated in, see the article here. Productboard SAML service authenticates users by their role/permission set out by the Productboard admin through a custom attribute
pb_role . If pb_role is not set, the default role in which all new users are authenticated and logged into Productboard will be contributors.
This step is only for the initial provisioning of new user profiles i.e., creating a user profile in Productboard and setting their role as Maker Admin / Maker / Contributor / Viewer. Once a profile is created, Maker admins can update the user's role within the Productboard.
If a user already exists in Productboard, PingIdentity will log them in as usual, but the Productboard role is managed within Productboard.
If an employee leaves and is deactivated in PingIdentity, the profile in Productboard will not be removed or deactivated; it must be manually deactivated via Productboard Settings > Members.
Select what groups of users in PingIdentity can access & login into the productboard application.
From here, you will see the productboard application connection details
- Issuer ID
- Single SignOn Service
- IDP Metadata URL
- Initiate Singe SignOn URL
Copy the IDP Metadata URL
Open a new tab and log into your Productboard workspace and head to Settings > Enforce SSO and paste the IDP metadata URL into the manifest URL
Name: PingIdentity (this is just for labeling on the login button on sign-in)
Having all the details set up in PingIdentity and Productboard, you can now test. Simply ensure you have assigned yourself to the app in PingIdentity. If you haven’t done so already, within the Setting page of Productboard > Enforce SSO, click “Save and Authorize” - you will be prompted to Authorize enabling SSO for all users; click Authorize. You’ll be logged out from here and should now see the option to “Use PingIdentity Account.”
Does Productboard support user provisioning via SCIM?
Yes, though not part of the native PingIdentity application, it can be set up - More info here.
IDP metadata URL not working
You can also manually input PingIdentity’s configuration by inputting the IDP metadata URL into your browser address bar - you should see the raw .XML data which you can extract and paste into the fields below: