Setting up SSO SAML via Active Directory Federation Services (ADFS)

This article outlines the steps to set up Single Sign-On (SSO) SAML via Active Directory Federation Services (ADFS).

Note: Productboard SAML SSO capabilities are limited to just the provisioning of new users and the logging in of existing users. Permissions and deactivation of users are managed in-app.

In this article

Table of Values

The below table shows a summary of the values which you will need when setting up SSO.

Identifier (Entity ID) productboard
Audience URL
https://{workspace_name}.productboard.com/
Digest Algorithm SHA1
Encryption Algorithm SHA1
Name ID format EmailAddress
Assertion Algorithm Encrypted
Single SignOn URL
https://{workspace_name}.productboard.com/users/auth/saml/callback
Signature Algorithm SHA1
Single Logout URL
https://{workspace_name}.productboard.com/users/auth/saml/slo

 

Setting up SSO SAML

Follow these steps to set up your SSO SAML via Active Directory Federation Services:

Note: This guide uses screenshots from Windows Server 2016. Similar steps should be possible on other versions.
  1. On your ADFS Server, Open up AD FS Management.
    Screenshot_2022-03-25_at_16.07.12.png
  2. Right-click on Relying Party Trusts, Click Add Relying Party Trust. This will launch the Add Relying Party Trust Wizard.Screenshot_2022-03-26_at_11.48.18.png
  3. On the steps click Select Data Source, Choose Enter data about the relying party manually.
    Screenshot_2022-03-26_at_11.52.02.png
  4. on the Step Specify Display Name, enter a Display name “Productboard” and click Next
    Screenshot_2022-03-26_at_12.03.51.png
  5. Choose AD FS profile with SAML 2.0 & click Next.
    Screenshot_2022-03-26_at_12.06.30.png
  6. Select Enable support for the SAML 2.0 SSO Web SSO protocol and enter in the field Replying party SSO service URL adding the Single SignOn URL from the table above and click Next.
    Screenshot_2022-03-26_at_12.07.23.png
  7. Add a Relying party trust identifier, example:
    {workspace_name}.productboard.com/
     Also adding
    https://{workspace_name}.productboard.com/
    then click Next.
    Screenshot_2022-03-28_at_10.17.59.png
  8. Click Next until you reach the Finish screen.
  9. Click the box Open the Edit Claim Rules dialog before clicking finish to edit the further configuration. This will launch the Edit Claim Rules window.
    Screenshot_2022-03-28_at_10.20.55.png
  10. Click Add Rule and Choose Claim Rule > Send LDAP Attributes as Claims.
    Screenshot_2022-03-28_at_10.22.18.png
    Screenshot_2022-03-28_at_10.24.31.png
      • Email Address = User identifier/NameID)
      • First Name Accepted Formats:
        • Givenname
        • FirstName
        • First_name
        • Firstname
        • firstName
        • User.FirstName
    • Last Name Accepted Formats:
      • surname
      • LastName
      • last_name
      • lastname
      • lastName
      • User.LastName
  11. From here you can add the Outgoing claim Type as shown below. Once configured click Finish.
    Screenshot_2022-03-28_at_10.26.49.png
    Productboard uses the Email of the user as a login ID. For this to work, you need to set up the Email as the NameID on the SAML login request. This can be achieved by setting up a Transform Rule.
  12. Click Add Rule again and select Transform an Incoming Claim and click Next.
    Screenshot_2022-03-28_at_10.30.21.png
  13. Enter a Claim rule name, for example, “NameIDProductboard” and set up the Outgoing claim type as NameID and click Finish.
    Screenshot_2022-03-28_at_10.40.15.png
  14. Ensure the order is maintained as shown in the image below (LDAP/AD Attributes followed by the NameIDProductboard) and click Apply.
    Screenshot_2022-03-28_at_10.42.10.png
  15. On the AD FS Management window, right-click on the Relying Party for Productboard and choose properties. Under the Advanced tab, choose SHA­-1 as the Secure hash Algorithm.
    Screenshot_2022-03-26_at_12.46.01.png
  16. On the AD FS Management window, choose Services > Certificates and double click on Token Signing Certificate, which gives you an option Copy to file. By doing this, you will be able to export the X509 certificate from the raw file.
    Screenshot_2022-03-28_at_10.47.17.png
    Screenshot_2022-03-28_at_10.48.15.png
  17. Copy the X509 Certificate from the file, and go to https://www.samltool.com/fingerprint.php to calculate the Fingerprint. More information on this can be found here.
  18. Decide what roles users/teams should be authenticated in as. Productboard has several roles from Maker Admin / Maker / Contributor / Viewer.
    • The default member role for new members authorized to access Productboard via SAML SSO is a contributor. Use the pb_role custom field/attribute to specify which level of access new members should have.
    • Supported values for pb_role include admin, maker, contributor, viewer.
  19. Now the groups of members have been identified and set up, log in to your Productboard instance, and navigate to Settings ­> Enforce SSO SAML > Manual Configuration.
    Screenshot_2022-03-28_at_10.49.29.png
  20. Input the following:
    • ADFS SSO Endpoint URL
    • ADFS Server Certificate
    • Fingerprint (SHA1) is obtained from the raw data from Step 18.
    • SLO Endpoint
    • Audience / Entity ID (optional)
  21. Upon clicking Save & authorize, enforce SSO via ADFS. You are now set to log in with ADFS SAML SSO on Productboard.

Troubleshooting

Q: We’re switching to another Idp, how do I disable SSO?

Disable the SAML SSO integration at any time from Productboard settings.

The next time members log in, those who have never set a Productboard password will be required to reset their password to receive login instructions via email - reset the password through here: https://app.productboard.com/password_resets/new

Q: My certificate expired and I lost access to Productboard. How can I update the new certificate?

A: Reach out to us through the nifty Zendesk widget in the bottom right of the page, or email us at support@productboard.com. We can disable the SAML for you and then you will be able to log in and update the certificate manually.

Q: I've authorized SAML SSO, but I forgot to add any users in my Identity provider (IdP) - what should I do?

A: If you feel you aren't ready and need to turn off your authorized SAML SSO settings from the space, the owner of the space can contact our Support team and we'll remove it easily. However, we need an admin who has ownership of the space to request this.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.

Articles in this section

See more
Our Support hours:
Monday to Friday from 9:00 am - 2:00 am CET. Monday to Friday from 0:00 am - 5:00 pm PST.
Productboard Academy
Become a Productboard expert with self-paced courses, quick tip videos, webinars and more.
Product Makers Community
Connect and learn Product Excellence with a global community