In this article, you'll learn how to set up SAML SSO with Azure Active Directory (Azure AD), allowing you to:
- Control in Azure AD who has access to Productboard.
- Enable your users to be automatically signed-in to Productboard with their Azure AD accounts.
- Manage your accounts in one central location – the Azure portal.
- Change the default role settings for users managed in Azure AD, from contributor to admin, maker, or viewer.
To learn more about SaaS app integration with Azure AD, take a look at this official documentation.
- An Azure AD subscription. If you don't have a subscription, you can sign up for a one-month free trial.
- A Productboard single sign-on (SSO) enabled subscription (available on Enterprise plan).
Let's configure and test SAML SSO with Azure AD:
Add Productboard to your list of managed SaaS apps
1. Sign in to the Azure portal, using either an account with an Azure AD subscription or a free trial
2. On the left navigation panel, select the Azure Active Directory service.
3. Navigate to Enterprise Applications and then select All Applications.
4. To add a new application, select New application.
5. In the Add from the gallery section, type Productboard in the search box.
6. Select Productboard from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Configure Azure AD single sign-on
Configure and test Azure AD SSO with Productboard using a test user called Test User. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Productboard.
1. In the Azure portal, on the Productboard application integration page, find the Manage section and select Single sign-on.
2. On the Select a Single sign-on method page, select SAML.
3. On the Set up Single Sign-On with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.
4. On the Basic SAML Configuration section, enter the values for the following fields:
- The Identifier (Entity ID) should already be pre-filled with
productboard. If it isn't, type it in.
- In the Reply URL (Assertion Consumer Service URL), type a URL using the following pattern: https://<your_workspace>.productboard.com/users/auth/saml/callback
- In the Sign-on URL (optional), type a URL using the following pattern: https://<your_workspace>.productboard.com/
- In Single Logout URL (optional), type a URL using the following pattern: https://<your_workspace>.productboard.com/users/auth/saml/slo
5. Save Basic SAML configuration!
Grant access for Azure AD users
In this section, you'll enable your users to use Azure single sign-on by granting access to Productboard. It is a good idea to do this step before enabling SAML SSO in Productboard and adding a metadata URL, as this step logs the user out, leading to errors if they haven't been granted access.
1. In the Azure portal, select Enterprise Applications, then select All applications.
2. In the applications list, select Productboard.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select your name from the Users list, then click the Select button at the bottom of the screen. Alternatively, you can create a new user if you don't want to grant access to yourself – check the Create an Azure AD user section.
6. In the Add Assignment dialog, click the Assign button.
Note: the default role provided to users in this step is
contributor – for instruction on how to change it, check out the Change default role for new users section.
Create an Azure AD user (if you don't have any company user to grant access to)
In this section, you'll create a test user in the Azure portal called James Dee.
1. From the left pane in the Azure portal, select Azure Active Directory, then select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
- In the Name field, enter the new user's name.
- In the User name field, enter the email@example.com. For example, firstname.lastname@example.org
- Select the Show password check box, then write down the value that's displayed in the Password box.
- Click Create
4. Grant access to the user – check the Assign the Azure AD user section.
Change default role for new users
In Azure AD, add a custom Claim to change the default role for all users who will be granted access (section Grant access for the Azure AD user).
Without setting a custom Claim, users will be assigned the role of
Contributor by default.
1. In Enterprise Applications → All applications → Productboard → Manage section → Single sign-on → edit User Attributes & Claims.
2. Select Add new claim.
3. In the Name field, write
pb-role. In the Attribute field, write the new role (admin, editor, viewer).
Note: for the 'Contributor' role, there's no need to set a Custom claim. We provide this role by default.
4. After entering an attribute, Azure AD automatically adds
"" - no need to add them.
Configure Productboard SSO in the Productboard app
Option one: By clicking the button in the Azure AD app:
1. First, you need to install the My Apps Secure Sign-in browser extension by clicking Install the extension.
2. After adding the extension to the browser, click Set up Productboard, which directs you to the Productboard application. From there, provide the admin credentials to sign in to Productboard. The browser extension will automatically configure the application for you.
Option two: By copy-pasting metadata URL to the Productboard app:
1. Go to
2. Go to Settings under the Profile menu.
3. In the Single Sign-on section, make sure to first turn off Enforce Google apps SSO.
Enforce SAML SSO.
5. Paste the URL you copied in the Azure AD app to the Manifest URL field under the 'From metadata' tab (we recommend this rather than configuring manually under the
Manual configuration tab - to avoid mistakes)
6. Fill in Name – we recommend using
Azure AD in this case. This name will be visible on the login button.
7. You can leave Audience/Entity ID empty if you are setting only SAML SSO only for one space in your IdP.
8. Click Save & authorize.
9. Productboard will ask you to log in under SAML SSO to finish the configuration. During this step, if configuration leads to an error, you will be able to log in to your space with "username + password" or Google SSO as you were used to.
Configuring access to multiple Productboard workspaces
A single Azure AD instance does not allow for two applications to share the same Audience/Entity ID. In the settings above, we set
productboard as the Entity ID.
1. To authenticate a single Azure AD with multiple Productboard workspaces, choose a different Entity ID than
productboard in your Productboard SAML settings.
2. Make sure you set the same Entity ID in Azure ID as well.
Disabling SAML SSO
You can disable the SAML SSO integration at any time in the Productboard settings.
The next time members log in, those who haven't set a Productboard password will be required to reset their password to receive login instructions via email.
If you wish to delete the Productboard application from Azure AD, you can do it in Properties.
Troubleshooting Azure AD issues
My certificate expired and I lost access to Productboard. How can I update the new certificate?
Reach out to us through the nifty Zendesk widget in the bottom right of the page, or email us at email@example.com. We can disable the SAML for you and then you will be able to log in and update the certificate manually.
I've authorized SAML SSO, but I forgot to add any users in my IdP — what should I do?
If you feel you aren't ready and need to turn off your authorized SAML SSO settings from the space, the owner of the space can contact our Support team and we'll remove it easily. However, we need an admin who has ownership of the space to request this.
What should I do if I receive error AADSTS50105?
This occurs when a user is trying to log in using an Azure account but hasn't yet been granted access through your Azure AD. Please see the Grant access for the Azure AD user section ****or ask your Productboard admin to grant you access in Azure AD .
What should I do if I receive error AADSTS700016?
This occurs when something is missing in your Azure AD configuration. Please go to Enterprise Applications → All applications → Productboard → Manage section → Single sign-on and make sure the Entity ID and Reply URL are properly set.
You may also see this error when trying to configure multiple Productboard workspaces. A Single Azure AD instance does not allow for two applications to share the same Audience/Entity ID. Please see the Configuring access to multiple Productboard workspaces section for more help.
What should I do if I receive an "Invalid ticket" error?
This error occurs when something is not configured properly and you try to log in in the Productboard app. The easiest way to fix this is to start the configuration process again in Azure AD and double-check that everything is set according to our tutorial.
If you see this error and are having issues setting SAML configuration in Productboard again (you logged out and can't get back in), contact our Support Team, and we will disable SAML SSO in your workspace, allowing you to set it again.