In this article, you'll learn how to set up SAML SSO with Microsoft Entra ID, allowing you to:
- Control in Microsoft Entra ID who has access to Productboard.
- Enable your users to be automatically signed-in to Productboard with their Microsoft Entra ID accounts.
- Manage your accounts in one central location – the Azure portal.
- Change the default role settings for users managed in Microsoft Entra ID, from contributor to admin, maker, or viewer.
To learn more about SaaS app integration with Microsoft Entra ID, take a look at this official documentation.
Prerequisites
- A Microsoft Entra ID subscription. If you don't have a subscription, you can sign up for a one-month free trial.
- A Productboard single sign-on (SSO) enabled subscription (available on Enterprise plan).
In this article:
- Let's configure and test SAML SSO with Microsoft Entra ID:
- Configure Microsoft Entra ID single sign-on
- Configure Productboard SSO in the Productboard app
- Disabling SAML SSO
- Troubleshooting
Let's configure and test SAML SSO with Microsoft Entra ID:
Add Productboard to your list of managed SaaS apps
1. Sign in to the Azure portal, using either an account with a Microsoft Entra ID subscription or a free trial.
2. On the left navigation panel, select the Azure Active Directory service.
3. Navigate to Enterprise Applications and then select All Applications.
4. To add a new application, select New application.
5. In the Add from the gallery section, type Productboard in the search box.
6. Select Productboard from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Configure Microsoft Entra ID single sign-on
Configure and test Microsoft Entra ID SSO with Productboard using a test user called Test User. For SSO to work, you need to establish a link relationship between a Microsoft Entra ID user and the related user in Productboard.
1. In the Azure portal, on the Productboard application integration page, find the Manage section and select Single sign-on.
2. On the Select a Single sign-on method page, select SAML.
3. On the Set up Single Sign-On with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.
4. On the Basic SAML Configuration section, enter the values for the following fields:
- The Identifier (Entity ID) should already be pre-filled with Productboard. If it isn't, type it in.
- In the Reply URL (Assertion Consumer Service URL), type a URL using the following pattern: https://<your_workspace>.productboard.com/users/auth/saml/callback
- In the Sign-on URL (optional), type a URL using the following pattern: https://<your_workspace>.productboard.com/
- In Single Logout URL (optional), type a URL using the following pattern: https://<your_workspace>.productboard.com/users/auth/saml/slo
5. Save Basic SAML configuration!
Grant access for Microsoft Entra ID users
In this section, you'll enable your users to use Azure single sign-on by granting access to Productboard. It is a good idea to do this step before enabling SAML SSO in Productboard and adding a metadata URL, as this step logs the user out, leading to errors if they haven't been granted access.
1. In the Azure portal, select Enterprise Applications, then select All Applications.
2. In the applications list, select Productboard.
3. In the app's overview page, find the Manage section and select Users and groups.
4. Select Add user, then select Users and groups in the Add Assignment dialog.
5. In the Users and groups dialog, select your name from the Users list, then click the Select button at the bottom of the screen. Alternatively, you can create a new user if you don't want to grant access to yourself – check the Create a Microsoft Entra ID user section.
6. In the Add Assignment dialog, click the Assign button.
Note: the default role provided to users in this step is contributor – for instructions on how to change it, check out the Change default role for new users section.
Create a Microsoft Entra ID user (if you don't have any company user to grant access to)
In this section, you'll create a test user in the Azure portal called James Dee.
1. From the left pane in the Azure portal, select Azure Active Directory, then select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
- In the Name field, enter the new user's name.
- In the User name field, enter the username@companydomain.extension. For example, user@example.com
- Select the Show password check box, then write down the value that's displayed in the Password box.
- Click Create
4. Grant access to the user – check the Assign the Microsoft Entra ID user section.
Change default role for new users
In Microsoft Entra ID, add a custom Claim to change the default role for all users who will be granted access (section Grant access for the Microsoft Entra ID user).
Without setting a custom Claim, users will be assigned the role of Contributor by default.
1. In Enterprise Applications → All applications → Productboard → Manage section → Single sign-on → edit User Attributes & Claims.
2. Select Add new claim.
3. In the Name field, write pb_role. In the Attribute field, write the new role (admin, maker, viewer).
Note: for the 'Contributor' role, there's no need to set a Custom claim. We provide this role by default.
4. After entering an attribute, Microsoft Entra ID automatically adds the quotation marks ("") around it; there is no need to add them yourself.
5. Save.
Configure Productboard SSO in the Productboard app
Option one: By clicking the button in the Microsoft Entra ID app:
1. First, you need to install the My Apps Secure Sign-in browser extension by clicking Install the extension.
2. After adding the extension to the browser, click Set up Productboard, which directs you to the Productboard application. From there, provide the admin credentials to sign in to Productboard. The browser extension will automatically configure the application for you.
Option two: By copy-pasting metadata URL to the Productboard app:
1. Go to https://<your_workspace>.productboard.com/.
2. Go to Settings under the workspace menu.
3. First, turn off Enforce Google apps SSO in the Single Sign-on section before enforcing SAML SSO.
5. Paste the URL you copied in the Microsoft Entra ID app to the Manifest URL field under the 'From metadata' tab (we recommend this rather than configuring manually under the Manual configuration tab, to avoid mistakes).
6. Fill in Name – we recommend using Microsoft Entra ID in this case. This name will be visible on the login button.
7. You can leave Audience/Entity ID empty if you are setting up SAML SSO for only one space in your IdP.
8. Click Save & authorize.
9. Productboard will ask you to log in under SAML SSO to finish the configuration. During this step, if the configuration leads to an error, you will still be able to log in to your space with "username + password" or Google SSO as before.
Configuring access to multiple Productboard workspaces
A single Microsoft Entra ID instance does not allow two applications to share the same Audience/Entity ID. In the settings above, we set productboard as the Entity ID.
1. To authenticate a single Microsoft Entra ID with multiple Productboard workspaces, choose a different Entity ID than productboard in your Productboard SAML settings.
Note: If you do not see the Audience/Entity ID field in your space, reach out to us at support@productboard.com in order to have this enabled.
2. Make sure you set the same Entity ID in Azure ID as well.
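A pre-flight check for the values configured above, as an added example (not Productboard's or Microsoft's code): it reads a decoded SAML assertion and confirms that the Recipient matches the Reply URL pattern, the Audience matches the Entity ID, and pb_role is one of the listed roles. The workspace name acme, the sample assertion and the function name check_assertion are constructed for illustration, and the script does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_ROLES = {"admin", "maker", "viewer"}  # values the article lists for pb_role

# Constructed sample assertion (not captured from a real tenant).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
          Recipient="https://acme.productboard.com/users/auth/saml/callback"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>productboard</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="pb_role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text, workspace, entity_id="productboard"):
    """Return configuration findings; an empty list means the values line up.
    Sanity check only: the XML signature is not validated here."""
    root = ET.fromstring(xml_text)
    findings = []
    expected_acs = f"https://{workspace}.productboard.com/users/auth/saml/callback"
    recipients = [e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if expected_acs not in recipients:
        findings.append(f"Reply URL mismatch: expected {expected_acs}, got {recipients}")
    audiences = [e.text.strip() for e in root.iterfind(".//saml:Audience", NS) if e.text]
    if entity_id not in audiences:  # exact, case-sensitive comparison
        findings.append(f"Entity ID mismatch: expected {entity_id!r}, got {audiences}")
    roles = [v.text.strip() for v in root.iterfind(
        ".//saml:Attribute[@Name='pb_role']/saml:AttributeValue", NS) if v.text]
    for role in roles:
        # Entra adds the quotes itself; hand-typed quotes or other values land here.
        if role not in ALLOWED_ROLES:
            findings.append(f"pb_role value {role!r} is not admin, maker or viewer")
        elif role == "admin":
            findings.append("pb_role=admin: default role for every assigned user is admin")
    return findings
```

An absent pb_role attribute produces no finding, since users then receive the Contributor role by default.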
Disabling SAML SSO
You can disable the SAML SSO integration at any time in the Productboard settings.
The next time members log in, those who haven't set a Productboard password will be required to reset their password to receive login instructions via email.
If you wish to delete the Productboard application from Microsoft Entra ID, you can do it in Properties.
Troubleshooting
For information on how to resolve issues you face when enforcing SAML single sign-on with Microsoft Entra ID, see our troubleshooting guide, Troubleshooting Microsoft Entra ID issues.