Enforce SAML single sign-on with Azure AD


V12 4:24 Ent.svg


In this article, you'll learn how to set up SAML SSO with Azure Active Directory (Azure AD), allowing you to:

  • Control in Azure AD who has access to Productboard.
  • Enable your users to be automatically signed-in to Productboard with their Azure AD accounts.
  • Manage your accounts in one central location – the Azure portal.
  • Change the default role settings for users managed in Azure AD, from contributor to admin, maker, or viewer.

To learn more about SaaS app integration with Azure AD, take a look at this official documentation.


In this article:

Let's configure and test SAML SSO with Azure AD:

Add Productboard to your list of managed SaaS apps

1. Sign in to the Azure portal, using either an account with an Azure AD subscription or a free trial

2. On the left navigation panel, select the Azure Active Directory service.


3. Navigate to Enterprise Applications and then select All Applications.


4. To add a new application, select New application.


5. In the Add from the gallery section, type Productboard in the search box.

6. Select Productboard from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.


Configure Azure AD single sign-on

Configure and test Azure AD SSO with Productboard using a test user called Test User. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Productboard.

1. In the Azure portal, on the Productboard application integration page, find the Manage section and select Single sign-on.


2. On the Select a Single sign-on method page, select SAML.


3. On the Set up Single Sign-On with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.


4. On the Basic SAML Configuration section, enter the values for the following fields:

5. Save Basic SAML configuration!

Grant access for Azure AD users

In this section, you'll enable your users to use Azure single sign-on by granting access to Productboard. It is a good idea to do this step before enabling SAML SSO in Productboard and adding a metadata URL, as this step logs the user out, leading to errors if they haven't been granted access.

1. In the Azure portal, select Enterprise Applications, then select All Applications.

2. In the applications list, select Productboard.

3. In the app's overview page, find the Manage section and select Users and groups.


4. Select Add user, then select Users and groups in the Add Assignment dialog.


5. In the Users and groups dialog, select your name from the Users list, then click the Select button at the bottom of the screen. Alternatively, you can create a new user if you don't want to grant access to yourself – check the Create an Azure AD user section.


6. In the Add Assignment dialog, click the Assign button.


Note: the default role provided to users in this step is contributor – for instruction on how to change it, check out the Change default role for new users section.

Create an Azure AD user (if you don't have any company user to grant access to)

In this section, you'll create a test user in the Azure portal called James Dee.

1. From the left pane in the Azure portal, select Azure Active Directory, then select Users, and then select All users.

2. Select New user at the top of the screen.

3. In the User properties, follow these steps:

  • In the Name field, enter the new user's name.
  • In the User name field, enter the username@companydomain.extension. For example, user@example.com
  • Select the Show password check box, then write down the value that's displayed in the Password box.
  • Click Create

4. Grant access to the user – check the Assign the Azure AD user section.

Change default role for new users

In Azure AD, add a custom Claim to change the default role for all users who will be granted access (section Grant access for the Azure AD user).

Without setting a custom Claim, users will be assigned the role of Contributor by default.

1. In Enterprise Applications → All applications → Productboard → Manage section → Single sign-on → edit User Attributes & Claims.


2. Select Add new claim.


3. In the Name field, writepb_role. In the Attribute field, write the new role (admin, maker, viewer).


Note: for the 'Contributor' role, there's no need to set a Custom claim. We provide this role by default.

4. After entering an attribute, Azure AD automatically adds "" - no need to add them.


5. Save.

Configure Productboard SSO in the Productboard app

Option one: By clicking the button in the Azure AD app:

1. First, you need to install the My Apps Secure Sign-in browser extension by clicking Install the extension.

2. After adding the extension to the browser, click Set up Productboard, which directs you to the Productboard application. From there, provide the admin credentials to sign in to Productboard. The browser extension will automatically configure the application for you.


Option two: By copy-pasting metadata URL to the Productboard app:

1. Go to https://<your_workspace>.productboard.com/.

2. Go to Settings under the workspace menu.

3. First, turn off Enforce Google apps SSO in the Single Sign-on section before enforcing SAML SSO.

5. Paste the URL you copied in the Azure AD app to the Manifest URL field under the 'From metadata' tab (we recommend this rather than configuring manually under the Manual configuration tab - to avoid mistakes)


6. Fill in Name – we recommend using Azure AD in this case. This name will be visible on the login button.


7. You can leave Audience/Entity ID empty if you are setting only SAML SSO only for one space in your IdP.
8. Click Save & authorize.

9. Productboard will ask you to log in under SAML SSO to finish the configuration. During this step, if configuration leads to an error, you will be able to log in to your space with "username + password" or Google SSO as you were used to.

Configuring access to multiple Productboard workspaces

A single Azure AD instance does not allow for two applications to share the same Audience/Entity ID. In the settings above, we set productboard as the Entity ID.

1. To authenticate a single Azure AD with multiple Productboard workspaces, choose a different Entity ID than productboard in your Productboard SAML settings.


Note: If you do not see the Audience/Entity ID field in your space, reach out to us at support@productboard.com in order to have this enabled.

2. Make sure you set the same Entity ID in Azure ID as well.


Disabling SAML SSO

You can disable the SAML SSO integration at any time in the Productboard settings.

The next time members log in, those who haven't set a Productboard password will be required to reset their password to receive login instructions via email.

If you wish to delete the Productboard application from Azure AD, you can do it in Properties.



For information on how to resolve issues, you face when enforcing SAML single sign-on with Azure AD, see our troubleshooting guide Troubleshooting Azure AD issues

See also

Was this article helpful?
1 out of 1 found this helpful



Article is closed for comments.

Articles in this section

See more
Our Support hours:
Monday to Friday from 9:00 am - 2:00 am CET. Monday to Friday from 0:00 am - 5:00 pm PST.
Productboard Academy
Become a Productboard expert with self-paced courses, quick tip videos, webinars and more.
Product Makers Community
Connect with product leaders, share and find product jobs, and learn how to approach similar challenges. Come join our Product Makers community.