This article outlines the steps to set up Single Sign-On (SSO) SAML via Active Directory Federation Services (ADFS).
Note: Productboard SAML SSO capabilities are limited to just the provisioning of new users and the logging in of existing users. Permissions and deactivation of users are managed in-app.
In this article
Table of Values
The below table shows a summary of the values which you will need when setting up SSO.
Setting up SSO SAML
Follow these steps to set up your SSO SAML via Active Directory Federation Services:
Note: This guide uses screenshots from Windows Server 2016. Similar steps should be possible on other versions.
- On your ADFS Server, Open up AD FS Management.
- Right-click on Relying Party Trusts, and click Add Relying Party Trust. This will launch the Add Relying Party Trust Wizard.
On the steps, click Select Data Source, and Choose Enter data about the relying party manually.
- on the Step Specify Display Name, enter a Display name “Productboard” and click Next
- Choose AD FS profile with SAML 2.0 & click Next.
Select Enable support for the SAML 2.0 SSO Web SSO protocol and enter in the field Replying party SSO service URL adding the Single SignOn URL from the table above and click Next.
- Add a Relying party trust identifier, example:
then click Next.
- Click Next until you reach the Finish screen.
- Click the box Open the Edit Claim Rules dialog before clicking finish to edit the further configuration. This will launch the Edit Claim Rules window.
Click Add Rule and Choose Claim Rule > Send LDAP Attributes as Claims.
- Email Address = User identifier/NameID)
- First Name Accepted Formats:
- Last Name Accepted Formats:
- From here you can add the Outgoing claim Type as shown below. Once configured click Finish.
Productboard uses the Email of the user as a login ID. For this to work, you need to set up the Email as the NameID on the SAML login request. This can be achieved by setting up a Transform Rule.
Click Add Rule again, select Transform an Incoming Claim, and click Next.
- Enter a Claim rule name, for example, “NameIDProductboard” set up the Outgoing claim type as NameID, and click Finish.
- Ensure the order is maintained as shown in the image below (LDAP/AD Attributes followed by the NameIDProductboard), and click Apply.
On the AD FS Management window, right-click on the Relying Party for Productboard and choose properties. Under the Advanced tab, choose SHA-1 as the Secure hash Algorithm.
- On the AD FS Management window, choose Services > Certificates and double click on Token Signing Certificate, which gives you an option Copy to file. By doing this, you will be able to export the X509 certificate from the raw file.
- Copy the X509 Certificate from the file, and go to https://www.samltool.com/fingerprint.php to calculate the Fingerprint. More information on this can be found here.
- Decide what roles users/teams should be authenticated in as. Productboard has several roles from Maker Admin / Maker / Contributor / Viewer.
- The default member role for new members authorized to access Productboard via SAML SSO is a contributor. Use the pb_role custom field/attribute to specify which level of access new members should have.
- Supported values for pb_role include admin, maker, contributor, viewer.
- Now the groups of members have been identified and set up, log in to your Productboard instance, and navigate to Settings > Enforce SSO SAML > Manual Configuration.
- Input the following:
- ADFS SSO Endpoint URL
- ADFS Server Certificate
- Fingerprint (SHA1) is obtained from the raw data from Step 18.
- SLO Endpoint
Audience / Entity ID (optional)
Note: To obtain the Endpoint URL, follow these steps,
- In your ADFS manager, go to the left sidebar menu and select the Endpoints folder.- Search for SSO service endpoint and the entity URL.
- The SSO service URL usually ends in adfs/services/ls
- Upon clicking Save & authorize, enforce SSO via ADFS. You are now set to log in with ADFS SAML SSO on Productboard.
Q: We’re switching to another Idp, how do I disable SSO?
Disable the SAML SSO integration at any time from Productboard settings.
The next time members log in, those who have never set a Productboard password will be required to reset their password to receive login instructions via email - reset the password through here: https://app.productboard.com/password_resets/new
Q: My certificate expired and I lost access to Productboard. How can I update the new certificate?
A: Reach out to us through the nifty Zendesk widget in the bottom right of the page, or email us at email@example.com. We can disable the SAML for you and then you will be able to log in and update the certificate manually.
Q: I've authorized SAML SSO, but I forgot to add any users in my Identity provider (IdP) - what should I do?
A: If you feel you aren't ready and need to turn off your authorized SAML SSO settings from the space, the owner of the space can contact our Support team and we'll remove it easily. However, we need an admin who has ownership of the space to request this.