This article outlines the steps to set up Single Sign-On (SSO) SAML via VMware Workspace ONE.
Productboard SAML SSO capabilities are limited to just the provisioning of new users and the logging in of existing users. Permissions and deactivation of users are managed in-app.
In this article
- Creating a New Saas Application
- SAML Metadata and Productboard Setup
- Productboard Roles
- Testing Phase
Creating a New Saas Application
In Workspace ONE Access Admin Console, select the Catalog tab and then select New.
In the New SaaS Application dialogue, enter a Name (Productboard), a Description, and an Icon and select Next.
The customer-centric product management platform. Productboard helps product managers understand what customers need, prioritize what to build next, and rally everyone around the roadmap.
The supported icon formats are PNG, JPG, and ICO up to 4 MB. Dimensions supported up to 1024 x 1024 pixels.
In Configuration, select SAML 2.0 as the Authentication Type and select Manual for the Configuration.
Copy the following values from the SAML Configurations below into the New SaaS Application form:
Select Email Address as the Username Format and username format to be unspecified.
Click Advanced Properties. Check Sign Response, Sign Assertion, and Include Assertion Signature are enabled. Scroll down to the Custom Attribute Mapping section and map the following:
Once mapped, click Next.
In Access Policies, select the desired Access Policy. In this example, we will use the default and then select Next.
In Summary, simply review the configuration then select Save & Assign.
SAML Metadata and Productboard Setup
From the Catalog tab of the Workspace ONE Access panel, select Settings.
Navigate to SAML Metadata. Copy the contents of the Signing Certificate from Workspace ONE
Open a new tab and log into your Productboard workspace and head to Settings > Enforce SSO and paste the Signing Certificate from Workspace ONE into the Certificate field in Productboard. Keep this tab open.
Head back to Workspace ONE, under the Settings dialogue, click Identity Provider (IdP) metadata under SAML Metadata.
An XML metadata file will be shown. Copy the highlighted sections into Productboard SSO settings.
Table of Values for Productboard SSO settings
By hitting Save & Authoritizing you are activating and enforcing SSO via Workspace ONE. Ensure you have assigned the users/groups to access Productboard via Workspace ONE, within Workspace ONE as users will only be able to log in via Workspace ONE.
In Productboard there are a number of roles that contain different permission sets. Please work with your Productboard Admin on what users belong to what role. Use a pb_role custom attribute to specify which level of access a new member should have. Info on roles types can be found here:
- This step is only for the initial provisioning of new user profiles i.e. creating a user profile in Productboard and setting their role to be Maker Admin / Maker / Contributor / Viewer. Once a profile is created, Maker with admin can update the role of the user within the Productboard.
- If a user already exists in Productboard, Workspace ONE will log them in as normal but the Productboard role is managed within Productboard.
- If an employee leaves and is deactivated in Workspace ONE, the profile in Productboard will not be removed or deactivated, needs to be manually deactivated via Productboard Settings > Members.
Having all the details set up on Workspace ONE and Productboard you can now test. Simply ensure you have assigned yourself to the app in Workspace ONE. If you haven’t done so already, within the Setting page of Productboard > Enforce SSO click "Save and Authorize” - you will be prompted to Authorize enabling SSO, click Authorize. From here you’ll be logged out and should now see the option to log in as Use WorkSpace ONE.
From here you should be authenticated and logged into Productboard.