Single Sign-On allows you as a Productboard admin to determine who has access to Productboard by way of your existing identity provider/SSO solution: Microsoft Entra ID, OneLogin, Okta, Gsuite, and more.
Members will be able to seamlessly access Productboard as long as they’re logged in to your organization’s identity provider system.
From your identity provider solution (IdP), you’ll be able to do any of the following:
- Manage who is able to access Productboard
- Provision member roles
- Update member details (first/last name)
Once Single Sign-On is enabled, you'll still be able to manage all Productboard member roles in Productboard.
In this article:
- Setting up SAML SSO
- Define member roles in your IdP (optional)
- Configuring access to multiple Productboard workspaces
- Disabling SSO
- FAQ and troubleshooting
- See also
Setting up SAML SSO
📚 If you are planning to use Microsoft Entra ID IdP, please follow our "How to Enforce SAML single sign-on with Microsoft Entra ID" article.
📚 If you are planning to use OKTA IdP, please follow our "How to Enforce SAML single sign-on with OKTA" article.
SAML SSO is available to all customers on Productboard's Enterprise Plan.
- If you're not on the Enterprise plan but would be interested in enabling SAML SSO, please reach out to a member of our team to trial this functionality.
Productboard admins: follow the steps below to configure SAML SSO for your organization.
Note: In some places "user" may be used interchangeably with "member" in cases where this is the preferred term for IdPs.
1. Create a new application in your IdP
In your IdP, create a new application and input the following details:
- Audience (Entity ID/Issuer): productboard
- Single Sign On URL (Recipient/Destination/Consumer URL): https://{workspace_name}.productboard.com/users/auth/saml/callback
- Single Sign On URL Validator: ^https:\/\/.+\.productboard\.com\/users\/auth\/saml\/callback$
- Single Logout URL (optional): https://{workspace_name}.productboard.com/users/auth/saml/slo
- User Identifier (NameID Format): EmailAddress
2. Configure your user in your IdP
Now add yourself to the new application and grant yourself admin access to Productboard. Configure your IdP to send the following attributes:
- Email (user identifier/NameID)
- First Name/Last Name
Note: Make sure to use the same emails that your users signed up with in Productboard; otherwise they will be forced to sign in with a new account, creating duplicates.
Examples of the attribute names we support:
- First Name: givenname, FirstName, first_name, firstname, firstName, User.FirstName
- Last Name: surname, LastName, last_name, lastname, lastName, User.LastName
Note: In the event you need to update a member's email address or your organization’s email domain, please contact Productboard support.
3. Configure the enforcement in Productboard
In Productboard settings, choose the SAML configuration type your identity provider supports.
Configure automatically via metadata file, or manually fill in these details provided by your IdP:
- Name – IdP name to be shown on the login page (e.g. OneLogin)
- SSO Endpoint
- Certificate
- Certificate Fingerprint
- SLO Endpoint (optional, if you want to enable SLO support)
Note: In many cases, you can use either Certificate or Certificate Fingerprint, but will not need both.
4. Set Up the SAML SSO Enforcement in Productboard
Next, you’ll be prompted to log in to Productboard via SSO to ensure everything is working properly. If anything seems amiss, you’ll be able to access Productboard using your email and password to review the configuration.
Productboard members will be able to access Productboard uninterrupted during the SSO configuration process. Once the configuration is finalized, all members will automatically be logged out and prompted to log in via SSO.
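Before finalizing, it helps to compare a test assertion from your IdP with the values from steps 1 and 2. The following check is an added example, not Productboard code; the sample assertion, the workspace name "acme", and treating the attribute names listed above as an exact allow-list are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names listed in step 2 of this article (assumed case-sensitive).
FIRST_NAMES = {"givenname", "FirstName", "first_name", "firstname", "firstName", "User.FirstName"}
LAST_NAMES = {"surname", "LastName", "last_name", "lastname", "lastName", "User.LastName"}

def check_assertion(xml_text, workspace, entity_id="productboard"):
    """Return the mismatches between a decoded test assertion and steps 1-2."""
    root = ET.fromstring(xml_text)  # only feed this assertions you generated yourself
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is missing or is not an email address")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not EmailAddress")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain {entity_id!r}")
    expected = f"https://{workspace}.productboard.com/users/auth/saml/callback"
    data = root.find(".//saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != expected:
        problems.append(f"Recipient is not {expected}")
    sent = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    if not sent & FIRST_NAMES:
        problems.append("no first-name attribute from the listed names")
    if not sent & LAST_NAMES:
        problems.append("no last-name attribute from the listed names")
    return problems

# Constructed sample: unsigned, made-up user, hypothetical workspace "acme".
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ada@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
     Recipient="https://acme.productboard.com/users/auth/saml/callback"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>productboard</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="family_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE, "acme"):
        print("MISMATCH:", problem)
```

The check covers only the fields configured in steps 1 and 2; it does not validate the assertion's signature or certificate.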
Define member roles in your IdP (optional)
The default member role for new members authorized to access Productboard via SAML SSO is contributor.
Use the pb_role custom field to specify which level of access a new member should have. This is only used when a member is initially provisioned. Once they have signed in for the first time, you will be able to change their role in Productboard's Team Members page.
Supported values for pb_role include: admin, maker, contributor, viewer.
Note: The roles of existing members will persist after SAML SSO is authorized.
Configuring access to multiple Productboard workspaces
To set up SAML SSO for multiple workspaces, we recommend creating separate applications in your IdP. However, some IdPs allow using only one application to connect to multiple Productboard workspaces (different workspace URLs). In this case, each workspace will still need to be authorized separately. Note that the same metadata may be used to set up multiple SAML integrations.
By default, members with access to Productboard via SAML SSO have access to all Productboard workspaces connected to the application in the IdP, but you can limit access to specific workspaces using the custom field pb_project, followed by a comma-separated list of the only workspaces they should be able to access (e.g. pb_project = pb,pb-design).
Note: "project" is the former name for a "workspace" in Productboard.
To give a member different roles in two different workspaces, specify this in the pb_role field for that member, listing a workspace as well as what role they should be assigned. (e.g. pb_role = {name_of_workspace_1}:maker,{name_of_workspace_2}:contributor)
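To review per-member values before rolling them out, the following added example (not Productboard code) resolves the pb_role and pb_project fields described above into a workspace-to-role map and reports entries that do not fit the documented formats. The workspace names are hypothetical, and applying a plain role or the contributor default to workspaces not named in pb_role is an assumption about how the fields combine.

```python
ROLES = {"admin", "maker", "contributor", "viewer"}  # supported pb_role values
DEFAULT_ROLE = "contributor"  # default role for newly provisioned members


def resolve_access(connected, pb_role=None, pb_project=None):
    """Return ({workspace: role}, [problems]) for one member's IdP fields.

    connected: workspaces connected to the IdP application (hypothetical names).
    """
    problems = []
    if pb_project:
        listed = [w.strip() for w in pb_project.split(",") if w.strip()]
        problems += [f"pb_project lists unknown workspace {w!r}"
                     for w in listed if w not in connected]
        allowed = [w for w in listed if w in connected]
    else:
        # No pb_project: access to every workspace connected to the application.
        allowed = list(connected)

    per_workspace, fallback = {}, DEFAULT_ROLE
    for item in (pb_role or "").split(","):
        workspace, sep, role = item.strip().rpartition(":")
        if not role and not sep:
            continue  # empty entry, e.g. a trailing comma
        if role not in ROLES:
            problems.append(f"unsupported role {role!r} in pb_role")
        elif not sep:
            fallback = role  # plain value such as "maker" (assumed to apply everywhere)
        elif workspace not in allowed:
            problems.append(f"pb_role names {workspace!r}, which is not accessible")
        else:
            per_workspace[workspace] = role
    return {w: per_workspace.get(w, fallback) for w in allowed}, problems


if __name__ == "__main__":
    connected = ["pb", "pb-design", "pb-research"]  # constructed example
    print(resolve_access(connected, "pb:maker,pb-research:admin", "pb,pb-design"))
    print(resolve_access(connected))  # no pb_project: all three workspaces
```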
Some IdPs (for example Microsoft Entra ID) don't allow two spaces to share the same Audience/Entity ID. In the settings for one space, we set "productboard" as the Entity ID. To authenticate a single IdP instance with multiple Productboard workspaces, choose a different Entity ID than "productboard" in your Productboard SAML settings and set the same Entity ID in the IdP as well.
Example from Microsoft Entra ID:
Disabling SSO
Disable the SAML SSO integration at any time from Productboard settings.
The next time members log in, those who have never set a Productboard password will be required to reset their password to receive login instructions via email.
FAQ and troubleshooting
Q: My certificate expired and I lost access to Productboard. How can I update the new certificate?
A: Reach out to us through the nifty Zendesk widget in the bottom right of the page, or email us at support@productboard.com. We can disable SAML for you, and then you will be able to log in and update the certificate manually.
Q: I've authorized SAML SSO, but I forgot to add any users in my IdP - what should I do?
A: If you feel you aren't ready and need to turn off your authorized SAML SSO settings from the space, the owner of the space can contact our Support team and we'll remove it easily. However, we need an admin who has ownership of the space to request this.
Q: I am stuck in an infinite loop when trying to Save & Authorize. What can I do to solve this?
A: If you are experiencing issues when trying to Save & Authorize the enforcement, please ensure the following:
- Required Parameters: Make sure that the callback request includes all the required parameters: email, firstName, and lastName.
- SHA-1 Algorithm: Verify that you are using the SHA-1 algorithm for the certificate used to sign the request.
See also
- Enforce Google Apps SSO
- Enforce SAML single sign-on with Microsoft Entra ID
- Enforce SAML single sign-on with Google Workspace
- Enforce SAML single sign-on with Okta
- Setting up SAML SSO via PingIdentity
- Setting up SSO SAML via Active Directory Federation Services (ADFS)
- Setting up SSO SAML via VMware Workspace ONE