Single Sign-On allows you as a Productboard admin to determine who has access to Productboard by way of your existing identity provider/SSO solution: Azure Active Directory, OneLogin, Okta, Gsuite, and more.
Members will be able to seamlessly access Productboard as long as they’re logged in to your organization’s identity provider system.
From your identity provider solution (IdP), you’ll be able to do any of the following:
- Manage who is able to access Productboard
- Provision member roles
- Update member details (first/last name)
Once Single Sign-On is enabled, you'll still be able to manage all Productboard member roles in Productboard.
Setting up SAML SSO
📚 If you are planning to use Azure AD IdP, please follow our "How to Enforce SAML single sign-on with Azure AD" article.
📚 If you are planning to use OKTA IdP, please follow our "How to Enforce SAML single sign-on with OKTA" article.
SAML SSO is available to all customers on Productboard's Enterprise Plan.
- If you're not on the Enterprise plan but would be interested in enabling SAML SSO, please reach out to a member of our team to trial this functionality.
Productboard admins: follow the steps below to configure SAML SSO for your organization.
Note: In some places "user" may be used interchangeably with "member" in cases where this is the preferred term for IdPs.
1. Create a new application in your IdP
In your IdP, create a new application and input the following details:
- Audience (Entity ID/Issuer): productboard
- Single Sign On URL (Recipient/Destination/Consumer URL): https://{workspace_name}.productboard.com/users/auth/saml/callback
- Single Sign On URL Validator: ^https:\/\/.+\.productboard\.com\/users\/auth\/saml\/callback$
- Single Logout URL (optional): https://{workspace_name}.productboard.com/users/auth/saml/slo
- User Identifier (NameID Format): EmailAddress
2. Configure your user in your IdP
Now add yourself to the new application and grant yourself admin access to Productboard. Configure your IdP to send the following attributes:
- Email (user identifier/NameID)
- First Name/Last Name
Note: Use the same email addresses that your users signed up with in Productboard; otherwise they will be forced to sign in with a new account, creating duplicates.
Examples of the attribute names we support:
- First Name: givenname, FirstName, first_name, firstname, firstName, User.FirstName
- Last Name: surname, LastName, last_name, lastname, lastName, User.LastName
Note: In the event you need to update a member's email address or your organization’s email domain, please contact Productboard support.
3. Configure Productboard
In Productboard settings choose the SAML configuration type your identity provider supports.
Configure automatically via metadata file, or manually fill in these details provided by your IdP:
- Name – IdP name to be shown on the login page (e.g. OneLogin)
- SSO Endpoint
- Certificate
- Certificate Fingerprint
- SLO Endpoint (optional, if you want to enable SLO support)
Note: In many cases, you can use either Certificate or Certificate Fingerprint, but will not need both.
4. Finalize SSO settings in Productboard
Next, you’ll be prompted to log in to Productboard via SSO to ensure everything is working properly. If anything seems amiss, you’ll be able to access Productboard using your email and password to review the configuration.
Productboard members will be able to access Productboard uninterrupted during the SSO configuration process. Once the configuration is finalized, all members will automatically be logged out and prompted to log in via SSO.
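For the Single Sign On URL Validator in step 1: the pattern uses `.+`, which matches any run of characters, so it accepts every workspace's callback URL and also URLs where the `.productboard.com` text sits in the path rather than the host. The following is an added example, not Productboard's code; the `acme` workspace name, the sample URLs and the `pinned_validator` helper are assumptions. It compares the documented pattern with one pinned to a single workspace host, for IdPs that let you supply your own validator.

```python
import re

# Validator pattern exactly as given in step 1 (written to cover every workspace).
PAGE_VALIDATOR = r"^https:\/\/.+\.productboard\.com\/users\/auth\/saml\/callback$"


def pinned_validator(workspace: str) -> str:
    """Build a validator that accepts only this workspace's callback URL."""
    # Hypothetical helper: allow DNS-label characters only in the workspace name.
    if not re.fullmatch(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", workspace):
        raise ValueError(f"not a valid workspace host label: {workspace!r}")
    host = re.escape(f"{workspace}.productboard.com")
    return rf"^https://{host}/users/auth/saml/callback$"


def compare(urls, workspace):
    """Return {url: (accepted_by_page_pattern, accepted_by_pinned_pattern)}."""
    page = re.compile(PAGE_VALIDATOR)
    pinned = re.compile(pinned_validator(workspace))
    return {u: (bool(page.match(u)), bool(pinned.match(u))) for u in urls}


# Constructed sample URLs; "acme" and "other.example" are placeholders.
SAMPLE_URLS = [
    # The workspace's own callback URL.
    "https://acme.productboard.com/users/auth/saml/callback",
    # A different workspace on the same domain.
    "https://acme-design.productboard.com/users/auth/saml/callback",
    # Plain http instead of https.
    "http://acme.productboard.com/users/auth/saml/callback",
    # Host is not productboard.com; the expected text appears in the path.
    "https://other.example/x.productboard.com/users/auth/saml/callback",
]

if __name__ == "__main__":
    for url, (page_ok, pinned_ok) in compare(SAMPLE_URLS, "acme").items():
        print(f"page={page_ok!s:5} pinned={pinned_ok!s:5} {url}")
```

If one IdP application serves several workspaces, the pinned pattern needs an alternation of those workspace names instead of a single name.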
Define member roles in your IdP (optional)
The default member role for new members authorized to access Productboard via SAML SSO is contributor.
Use the pb_role custom field to specify which level of access a new member should have. This is only used when a member is initially provisioned. Once they have signed in for the first time, you will be able to change their role in Productboard's Team Members page.
Supported values for pb_role include: admin, maker, contributor, viewer.
Note: The roles of existing members will persist after SAML SSO is authorized.
Configuring access to multiple Productboard workspaces
To set up SAML SSO for multiple workspaces, we recommend creating separate applications in your IdP. However, some IdPs allow using only one application to connect to multiple Productboard workspaces (different workspace URLs). In this case, each workspace will still need to be authorized separately. Note that the same metadata may be used to set up multiple SAML integrations.
By default, members with access to Productboard via SAML SSO have access to all Productboard workspaces connected to the application in the IdP, but you can limit access to specific workspaces using the custom field pb_project, followed by a comma-separated list of the only workspaces they should be able to access (e.g. pb_project = pb,pb-design).
Note: "project" is the former name for a "workspace" in Productboard.
To give a member different roles in two different workspaces, specify this in the pb_role field for that member, listing a workspace as well as what role they should be assigned. (e.g. pb_role = {name_of_workspace_1}:maker,{name_of_workspace_2}:contributor)
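Because members reach every connected workspace unless pb_project narrows the list, it helps to check planned attribute values before assigning them in the IdP. The following added example (not Productboard's code) models the pb_role and pb_project rules described above; the workspace names are constructed, and how a scoped role interacts with pb_project is an assumption stated in the docstring.

```python
VALID_ROLES = {"admin", "maker", "contributor", "viewer"}  # values listed above
DEFAULT_ROLE = "contributor"  # default for new members, per the page


def _items(value):
    """Split a comma-separated attribute value, dropping blanks."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def parse_pb_role(value):
    """Return (unscoped_role, {workspace: role}); raise on unsupported input."""
    unscoped, scoped = None, {}
    for item in _items(value):
        workspace, sep, role = item.rpartition(":")
        if role not in VALID_ROLES:
            raise ValueError(f"unsupported role in pb_role: {item!r}")
        if sep and not workspace:
            raise ValueError(f"missing workspace name in pb_role: {item!r}")
        if sep:
            scoped[workspace] = role
        elif unscoped is None:
            unscoped = role
        else:
            raise ValueError("pb_role lists more than one unscoped role")
    return unscoped, scoped


def effective_access(connected, pb_role=None, pb_project=None):
    """Map each workspace a new member could reach to the role they would get.

    Assumed model (not Productboard's code): pb_project narrows the workspace
    list, a workspace-scoped role wins over an unscoped one, and a role scoped
    to a workspace outside pb_project is reported as a configuration error.
    """
    unscoped, scoped = parse_pb_role(pb_role)
    allowed = _items(pb_project) or list(connected)  # no pb_project: all workspaces
    unknown = sorted((set(allowed) | set(scoped)) - set(connected))
    if unknown:
        raise ValueError(f"not connected to this IdP application: {unknown}")
    excluded = sorted(set(scoped) - set(allowed))
    if excluded:
        raise ValueError(f"role set for workspace excluded by pb_project: {excluded}")
    return {w: scoped.get(w, unscoped or DEFAULT_ROLE) for w in allowed}


if __name__ == "__main__":
    connected = ["pb", "pb-design", "pb-research"]  # constructed workspace names
    print(effective_access(connected))  # no attributes: every workspace, contributor
    print(effective_access(connected, "pb:maker,pb-design:viewer", "pb,pb-design"))
```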
Some IdPs (for example Azure AD) don't allow two spaces to share the same Audience/Entity ID. In the settings for one space, we set "productboard" as the Entity ID. To authenticate a single IdP instance with multiple Productboard workspaces, choose an Entity ID other than "productboard" in your Productboard SAML settings and set the same Entity ID in your IdP as well.
[Screenshot: example from Azure IdP]
Disabling SSO
Disable the SAML SSO integration at any time from Productboard settings.
The next time members log in, those who have never set a Productboard password will be required to reset their password to receive login instructions via email.
Troubleshooting
Q: My certificate expired and I lost access to Productboard. How can I update the new certificate?
A: Reach out to us through the nifty Zendesk widget in the bottom right of the page, or email us at support@productboard.com. We can disable SAML for you, and then you will be able to log in and update the certificate manually.
Q: I've authorized SAML SSO, but I forgot to add any users in my IdP - what should I do?
A: If you feel you aren't ready and need to turn off your authorized SAML SSO settings from the space, the owner of the space can contact our Support team and we'll remove it easily. However, we need an admin who has ownership of the space to request this.