Setting up SSO SAML via VMware Workspace ONE


 

This article outlines the steps to set up Single Sign-On (SSO) SAML via VMware Workspace ONE on your Productboard workspace.

Note: Productboard SAML SSO capabilities are limited to just the provisioning of new users and the logging in of existing users. Permissions and deactivation of users are managed in-app.


Relevant to both new and legacy boards

Creating a New SaaS Application

In Workspace ONE Access Admin Console, select the Catalog tab and then select New.


In the New SaaS Application dialogue, enter a Name (Productboard), a Description, and an Icon and select Next.

Sample Description:

The customer-centric product management platform. Productboard helps product managers understand what customers need, prioritize what to build next, and rally everyone around the roadmap.

The supported icon formats are PNG, JPG, and ICO, up to 4 MB. Dimensions of up to 1024 x 1024 pixels are supported.


In Configuration, select SAML 2.0 as the Authentication Type and select Manual for the Configuration.


Copy the following values from the SAML Configurations below into the New SaaS Application form:

Application ID/ Identifier (Entry ID) | Productboard
Audience URL | https://{workspace_name}.productboard.com/
Recipient URL | https://{workspace_name}.productboard.com/users/auth/saml/callback
Single Sign On URL | https://{workspace_name}.productboard.com/users/auth/saml/callback
Single Log out URL | https://{workspace_name}.productboard.com/users/auth/saml/slo
Name ID format | EmailAddress
Signature Algorithm | SHA1 with RSA OR SHA256 with RSA
Digest Algorithm | SHA1 OR SHA256

 

Note: If the wrong Signature and Digest algorithms are set, you will receive the error below and should try switching to the other algorithm values.
[Image in the original article]

 


Select Email Address as the Username Format and username format to be unspecified.


Click Advanced Properties. Check that Sign Response, Sign Assertion, and Include Assertion Signature are enabled. Scroll down to the Custom Attribute Mapping section and map the following:

Name | Format | Value
Email | Basic | ${user.email}
FirstName | Basic | ${user.firstName}
LastName | Basic | ${user.lastName}

 


Once mapped, click Next.

In Access Policies, select the desired Access Policy. In this example, we will use the default. Then select Next.


In Summary, simply review the configuration then select Save & Assign.

SAML Metadata and Productboard Setup

From the Catalog tab of the Workspace ONE Access panel, select Settings.


Navigate to SAML Metadata. Copy the contents of the Signing Certificate from Workspace ONE.


Open a new tab and log into your Productboard workspace and head to Settings > Enforce SSO and paste the Signing Certificate from Workspace ONE into the Certificate field in Productboard. Keep this tab open.


Head back to Workspace ONE and, in the Settings dialogue, click Identity Provider (IdP) metadata under SAML Metadata.


An XML metadata file will be shown. Copy the highlighted sections into Productboard SSO settings.


Table of Values for Productboard SSO settings

 

Productboard | Workspace ONE Property Name
Name | Workspace ONE
SSO Endpoint (HTTP:) | SingleSignOnService
Certificate | Signing Certificate from above
Certificate Fingerprint | (optional)
SLO Endpoint (HTTP:) | SingleLogoutService (optional)
Audience / Entity ID | EntityID (optional)

 

Note

By hitting Save & Authorize, you are activating and enforcing SSO via Workspace ONE. Within Workspace ONE, ensure you have assigned the users/groups that need access to Productboard, as users will only be able to log in via Workspace ONE.

 

Productboard Roles

In Productboard, there are a number of roles that contain different permission sets. Please work with your Productboard Admin on which users belong to which role. Use a pb_role custom attribute to specify which level of access a new member should have. Info on role types can be found here:

[Image in the original article]

  • This step is only for the initial provisioning of new user profiles, i.e. creating a user profile in Productboard and setting their role to be Maker Admin / Maker / Contributor / Viewer. Once a profile is created, a Maker with admin access can update the user's role within Productboard.
  • If a user already exists in Productboard, Workspace ONE will log them in as expected, but the Productboard role is managed within Productboard.
  • If an employee leaves and is deactivated in Workspace ONE, the profile in Productboard will not be removed or deactivated; it must be manually deactivated via Productboard Settings > Members.

Testing Phase

Having all the details set up on Workspace ONE and Productboard, you can now test. Simply ensure you have assigned yourself to the app in Workspace ONE. If you haven't done so already, within the Settings page of Productboard > Enforce SSO, click "Save and Authorize". You will be prompted to authorize enabling SSO; click Authorize. From here, you'll be logged out and should now see the option to log in labelled Use Workspace ONE.


From here, you should be authenticated and logged into Productboard.
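
If the test login fails, a SAMLResponse captured from your own browser session can be compared with the settings in this article: both signatures present, the signature algorithm the IdP actually used, the Recipient and Audience URLs, and the three mapped attributes. The script below is an added example, not Productboard or VMware code; it inspects structure only and does not verify signatures, and the workspace name acme and the sample response are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SIG = (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>'
       "</ds:SignedInfo></ds:Signature>")
ACS = "https://acme.productboard.com/users/auth/saml/callback"

# Constructed sample (workspace "acme"): only the Assertion is signed and LastName is not sent.
SAMPLE = base64.b64encode(f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}"><a:Assertion>{SIG}
 <a:Subject><a:NameID>pat@example.test</a:NameID><a:SubjectConfirmation>
  <a:SubjectConfirmationData Recipient="{ACS}"/></a:SubjectConfirmation></a:Subject>
 <a:Conditions><a:AudienceRestriction>
  <a:Audience>https://acme.productboard.com/</a:Audience></a:AudienceRestriction></a:Conditions>
 <a:AttributeStatement><a:Attribute Name="Email"/><a:Attribute Name="FirstName"/>
 </a:AttributeStatement></a:Assertion></p:Response>""".encode()).decode()

def check_response(saml_response_b64, workspace_name):
    """Compare a captured SAMLResponse with the article's settings; signatures are not verified."""
    base = f"https://{workspace_name}.productboard.com"
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return {"algorithms": {}, "problems": ["no plaintext Assertion in the Response"]}
    algorithms, problems = {}, []
    # Sign Response / Sign Assertion: each element needs its own direct ds:Signature child.
    for label, node in (("Response", root), ("Assertion", assertion)):
        method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            problems.append(f"{label} is not signed")
        else:
            algorithms[label] = method.get("Algorithm", "").rsplit("#", 1)[-1]
    data = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != base + "/users/auth/saml/callback":
        problems.append("Recipient URL is not the callback URL")
    found = assertion.findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)
    if base + "/" not in [(e.text or "").strip() for e in found]:
        problems.append("Audience URL missing")
    sent = {e.get("Name") for e in assertion.findall("a:AttributeStatement/a:Attribute", NS)}
    problems += [f"attribute {name} missing"
                 for name in ("Email", "FirstName", "LastName") if name not in sent]
    return {"algorithms": algorithms, "problems": problems}
```

The algorithms entry shows which of the two signature algorithms from the configuration table the IdP is sending, which is the value to compare when the algorithm error described above appears.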
