Enforce SAML single sign-on with Azure AD

Written by Aditi Shirodkar


In this article, you'll learn how to set up SAML SSO with Azure Active Directory (Azure AD), allowing you to:


  • Control in Azure AD who has access to Productboard.
  • Enable your users to be automatically signed in to Productboard with their Azure AD accounts.
  • Manage your accounts in one central location – the Azure portal.
  • Change the default role settings for users managed in Azure AD, from contributor to admin, maker, or viewer.

To learn more about SaaS app integration with Azure AD, take a look at this official documentation.




Let's configure and test SAML SSO with Azure AD:

Add Productboard to your list of managed SaaS apps

1. Sign in to the Azure portal, using either an account with an Azure AD subscription or a free trial.

2. On the left navigation panel, select the Azure Active Directory service.


3. Navigate to Enterprise Applications and then select All Applications.


4. To add a new application, select New application.


5. In the Add from the gallery section, type Productboard in the search box.

6. Select Productboard from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.



Configure Azure AD single sign-on

Configure and test Azure AD SSO with Productboard using a test user called Test User. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Productboard.

1. In the Azure portal, on the Productboard application integration page, find the Manage section and select Single sign-on.


2. On the Select a Single sign-on method page, select SAML.


3. On the Set up Single Sign-On with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.


4. On the Basic SAML Configuration section, enter the values for the following fields:

5. Save Basic SAML configuration!


Grant access for Azure AD users

In this section, you'll enable your users to use Azure single sign-on by granting access to Productboard. It is a good idea to do this step before enabling SAML SSO in Productboard and adding a metadata URL, as this step logs the user out, leading to errors if they haven't been granted access.

1. In the Azure portal, select Enterprise Applications, then select All applications.

2. In the applications list, select Productboard.

3. In the app's overview page, find the Manage section and select Users and groups.


4. Select Add user, then select Users and groups in the Add Assignment dialog.


5. In the Users and groups dialog, select your name from the Users list, then click the Select button at the bottom of the screen. Alternatively, you can create a new user if you don't want to grant access to yourself – check the Create an Azure AD user section.


6. In the Add Assignment dialog, click the Assign button.


Note: the default role provided to users in this step is contributor – for instruction on how to change it, check out the Change default role for new users section.

Create an Azure AD user (if you don't have any company user to grant access to)

In this section, you'll create a test user in the Azure portal called James Dee.

1. From the left pane in the Azure portal, select Azure Active Directory, then select Users, and then select All users.

2. Select New user at the top of the screen.

3. In the User properties, follow these steps:

  • In the Name field, enter the new user's name.
  • In the User name field, enter the username@companydomain.extension. For example, user@example.com.
  • Select the Show password check box, then write down the value that's displayed in the Password box.
  • Click Create.

4. Grant access to the user – check the Assign the Azure AD user section.


Change default role for new users

In Azure AD, add a custom Claim to change the default role for all users who will be granted access (section Grant access for the Azure AD user).

Without setting a custom Claim, users will be assigned the role of Contributor by default.

1. In Enterprise Applications → All applications → Productboard → Manage section → Single sign-on → edit User Attributes & Claims.



2. Select Add new claim.


3. In the Name field, write pb-role. In the Attribute field, write the new role (admin, editor, viewer).


Note: for the 'Contributor' role, there's no need to set a Custom claim. We provide this role by default.


4. After you enter an attribute, Azure AD automatically adds quotation marks ("") around it, so there is no need to add them yourself.


5. Save.


Configure Productboard SSO in the Productboard app

Option one: By clicking the button in the Azure AD app:

1. First, you need to install the My Apps Secure Sign-in browser extension by clicking Install the extension.

2. After adding the extension to the browser, click Set up Productboard, which directs you to the Productboard application. From there, provide the admin credentials to sign in to Productboard. The browser extension will automatically configure the application for you.


Option two: By copy-pasting metadata URL to the Productboard app:

1. Go to https://<your_workspace>.productboard.com/.

2. Go to Settings under the Profile menu.

3. In the Single Sign-on section, make sure to first turn off Enforce Google apps SSO.

4. Enforce SAML SSO.

5. Paste the URL you copied in the Azure AD app into the Manifest URL field under the 'From metadata' tab. We recommend this over configuring manually under the Manual configuration tab, to avoid mistakes.


6. Fill in Name – we recommend using Azure AD in this case. This name will be visible on the login button.


7. You can leave Audience/Entity ID empty if you are setting up SAML SSO for only one space in your IdP.

8. Click Save & authorize.

9. Productboard will ask you to log in under SAML SSO to finish the configuration. If the configuration leads to an error during this step, you will still be able to log in to your space with "username + password" or Google SSO, as before.


Configuring access to multiple Productboard workspaces

A single Azure AD instance does not allow for two applications to share the same Audience/Entity ID. In the settings above, we set productboard as the Entity ID.

1. To authenticate a single Azure AD with multiple Productboard workspaces, choose a different Entity ID than productboard in your Productboard SAML settings.


2. Make sure you set the same Entity ID in Azure AD as well.
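Added example (not Productboard's or Microsoft's code): a Python check for a decoded SAML assertion from a test login, covering the pb-role claim from the Change default role for new users section and the Entity ID rule from this section. It assumes the claim is emitted without a namespace as Name="pb-role" and that the Entity ID appears in the assertion's Audience element; the sample assertion is constructed and unsigned, and the check does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "pb-role"                          # claim name from the article
ALLOWED_ROLES = {"admin", "editor", "viewer"}   # values listed in the claim step
DEFAULT_ROLE = "contributor"                    # applied when no claim is sent

def check_assertion(xml_text, expected_entity_id="productboard"):
    """Return (role, problems). Configuration diagnostic only, no signature check."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_entity_id not in audiences:
        problems.append(f"audience {audiences} does not contain {expected_entity_id!r}")
    values = [
        v.text.strip()
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == ROLE_CLAIM
        for v in attr.iterfind("saml:AttributeValue", NS)
        if v.text
    ]
    if not values:
        return DEFAULT_ROLE, problems
    if len(values) > 1:
        problems.append(f"{ROLE_CLAIM} has {len(values)} values, expected one")
    role = values[0]
    if role not in ALLOWED_ROLES:
        # Typical causes: quotes typed by hand around the value, or a misspelled role.
        problems.append(f"{ROLE_CLAIM} value {role!r} is not one of {sorted(ALLOWED_ROLES)}")
    return role, problems

def sample_assertion(audience, role=None):
    """Constructed, unsigned sample assertion (not captured from a real tenant)."""
    attr = ""
    if role is not None:
        attr = (f'<saml:AttributeStatement><saml:Attribute Name="{ROLE_CLAIM}">'
                f"<saml:AttributeValue>{role}</saml:AttributeValue>"
                "</saml:Attribute></saml:AttributeStatement>")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Conditions>'
            f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
            f"</saml:AudienceRestriction></saml:Conditions>{attr}</saml:Assertion>")

if __name__ == "__main__":
    # Second workspace configured with its own Entity ID (hypothetical value),
    # while the Azure AD app still sends the default "productboard" audience.
    print(check_assertion(sample_assertion("productboard", "viewer"), "productboard-ws2"))
```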



Disabling SAML SSO

You can disable the SAML SSO integration at any time in the Productboard settings.

The next time members log in, those who haven't set a Productboard password will be required to reset their password to receive login instructions via email.

If you wish to delete the Productboard application from Azure AD, you can do it in Properties.


Troubleshooting Azure AD issues

My certificate expired and I lost access to Productboard. How can I update the new certificate?

Reach out to us through the nifty Zendesk widget in the bottom right of the page, or email us at support@productboard.com. We can disable SAML for you, and then you will be able to log in and update the certificate manually.

I've authorized SAML SSO, but I forgot to add any users in my IdP — what should I do?

If you feel you aren't ready and need to turn off your authorized SAML SSO settings from the space, the owner of the space can contact our Support team and we'll remove it easily. However, we need an admin who has ownership of the space to request this.

What should I do if I receive error AADSTS50105?

This occurs when a user is trying to log in using an Azure account but hasn't yet been granted access through your Azure AD. Please see the Grant access for the Azure AD user section or ask your Productboard admin to grant you access in Azure AD.

What should I do if I receive error AADSTS700016?

This occurs when something is missing in your Azure AD configuration. Please go to Enterprise Applications → All applications → Productboard → Manage section → Single sign-on and make sure the Entity ID and Reply URL are properly set.

You may also see this error when trying to configure multiple Productboard workspaces. A single Azure AD instance does not allow for two applications to share the same Audience/Entity ID. Please see the Configuring access to multiple Productboard workspaces section for more help.

What should I do if I receive an "Invalid ticket" error?

This error occurs when something is not configured properly and you try to log in to the Productboard app. The easiest way to fix this is to start the configuration process again in Azure AD and double-check that everything is set according to our tutorial.

If you see this error and are having issues setting SAML configuration in Productboard again (you logged out and can't get back in), contact our Support Team, and we will disable SAML SSO in your workspace, allowing you to set it again.

