In this article, you'll learn how to set up SAML SSO with Okta, allowing you to:

• Enable your users to be automatically signed in to Productboard using their Okta accounts.
• Manage your accounts in one central location – Okta.
• Change the default role settings for users managed in Okta, from contributor to admin, maker, or viewer.

To learn more about SAML app integration with Okta, take a look at this official documentation.

In this article:

• Prerequisites
• How to configure and test SAML SSO with OKTA
• How to change the default role for new users in Okta
• How to configure Productboard SSO in the Productboard app
• How to disable SAML SSO

Prerequisites

To get started, you'll need the following items:

• An Okta subscription. If you don't have a subscription, you can sign up for a one-month free trial.
• A Productboard single sign-on (SSO) enabled subscription (available on the Enterprise plan).

How to configure and test SAML SSO with OKTA

Add Productboard to your list of managed SaaS apps

1. Log in to your Okta account and navigate to the Admin dashboard.

2. On the left navigation panel, select Applications and then select Add Application.

4. Please don't ❌ use this Productboard application in Okta's catalog. This application will not work when setting a custom "pb_role" attribute.

5. Use Create New App button and set application as following.

Make sure you fill the following fields correctly:

SSO URL:  https://{workspace_name}.productboard.com/users/auth/saml/callback 

you can check the option Use this for Recipient URL and Destination URL...

• Audience URI: productboard
• Name ID format: EmailAddress
• Attribute statements:

pb_role: appuser.pb_role - this one is optional, if you don't plan to set different role than contributor during provisioning new users, you can skip this step

lastName: user.lastName

firstName: user.firstName

6. Save new application.

Grant access for OKTA users

In this section, you'll enable your users to use Okta single sign-on by granting access to Productboard.

1. Make sure you are inside the Productboard application and click Assignments.

2. Select Assign and then select Assign to people.

3. Then select assign to select the user to whom you are going to give access to Productboard using Okta.

4. Then check if the email is correct and select Save and go back.

5. Check if your user is Assigned and then select Done.

6. The user should appear in the People filter.

Note: the default role provided to users in this step is contributor – for instructions on how to change it, check out the section below.

How to change the default role for new users in Okta

1. Select Directory and then click on Profile Editor in your Okta application.

2. Then, in the Productboard Profile, select Profile.

3. Then click Add Attribute.

4. Make sure you fill the following fields correctly:

• Display name: PB Role
• Variable name: pb_role
• Check the enum checkbox with the text "Define enumerated list of values".
• Then fill the Display name and Value fields with the following values:
  admin | admin
  editor | editor
  contributor | contributor
  viewer | viewer
• And click Save.

5. Make sure you get confirmation that the attribute pb_role has been added.

6. Then we need to click on Applications and then on Productboard.

7. Make sure you select Assignments in the Productboard profile and then click on the person's name for whom you would like to change the role.

8. Click on Applications and then in edit.

9. You should see pb_role. You can change it to the role that the user should have in Productboard and then click Save.

10. Log in with this user using Okta. You will see that the user has the role.

How to configure Productboard SSO in the Productboard app

1. First, open the Sign On section in the Productboard app in Okta, then select View Setup Instructions.

2. Now you can to follow the configuration steps in this article or continue following these instructions.

3. Copy the URL of your Okta space.

First option: Left click in the link (Identify Provider metadata) and then select Copy Link Location.

Second option: Open the link (Identify Provider metadata) and Copy the URL over there.

The URL should look like this:

https://<your_okta_space>.okta.com/app/asdasdadgtrrd/sso/saml/metadata

4. Go to https://<your_workspace>.productboard.com/

5. Go to Settings under the Profile menu.

6. In the Single Sign-on section, make sure to first turn off Enforce Google apps SSO

7. Toggle on Enforce SAML SSO.

8. Select From Metadata.

9. Paste the Identify Provider Metadata app (the one we copied in step 3) to the Manifest URL field and fill in Name Okta - this name will be visible on the login button.

10. Click Save & authorize.

11. Click the red Authorize button.

12. You will be redirected to Productboard, where you will be asked to log in under SAML SSO to finish the configuration. During this step, if configuration leads to an error, you will be able to log in to your space with "username + password" or Google SSO as you used to.

How to disable SAML SSO

You can disable the SAML SSO integration at any time in the Productboard settings.

The next time members log in, those who haven't set a Productboard password will be required to reset their password to receive login instructions via email.

If you wish to delete the Productboard application from Okta, you can do it by clicking Deactivate.

And then Delete.

For troubleshooting issues, see the article Troubleshooting Okta issues.

See also

• Enforce SAML single sign-on (all IdPs)
• Enforce Google Apps SSO
• Troubleshooting Okta issues