Setting up SSO SAML via VMware Workspace ONE


V12 4:24 Ent.svg


This article outlines the steps to set up Single Sign-On (SSO) SAML via VMware Workspace ONE on your Productboard workspace.

Note: Productboard SAML SSO capabilities are limited to just the provisioning of new users and the logging in of existing users. Permissions and deactivation of users are managed in-app.

In this article

Creating a New Saas Application

In Workspace ONE Access Admin Console, select the Catalog tab and then select New.


In the New SaaS Application dialogue, enter a Name (Productboard), a Description, and an Icon and select Next.

Sample Description:

The customer-centric product management platform. Productboard helps product managers understand what customers need, prioritize what to build next, and rally everyone around the roadmap.

The supported icon formats are PNG, JPG, and ICO up to 4 MB. Dimensions supported up to 1024 x 1024 pixels.


In Configuration,  select SAML 2.0 as the Authentication Type and select Manual for the Configuration.


Copy the following values from the SAML Configurations below into the New SaaS Application form:

Application ID/ Identifier (Entry ID) Productboard
Audience URL https://{workspace_name}
Recipient URL https://{workspace_name}
Single Sign On URL https://{workspace_name}
Single Log out URL https://{workspace_name}
Name ID format EmailAddress
Signature Algorithm SHA1 with RSA OR SHA256 with RSA 
Digest Algorithm SHA1 OR SHA256


Note: If the wrong Signature and Digest algorithm is set, you will receive the error below and should try switching to the other Algorithm values.



Select Email Address as the Username Format and username format to be unspecified.



Click Advanced Properties. Check Sign Response, Sign Assertion, and Include Assertion Signature are enabled. Scroll down to the Custom Attribute Mapping section and map the following:

Name Format Value
Email Basic ${}
FirstName Basic
LastName Basic



Once mapped, click Next.

In Access Policies, select the desired Access Policy. In this example, we will use the default and then select Next.


In Summary, simply review the configuration then select Save & Assign.

SAML Metadata and Productboard Setup

From the Catalog tab of the Workspace ONE Access panel, select Settings.


Navigate to SAML Metadata. Copy the contents of the Signing Certificate from Workspace ONE


Open a new tab and log into your Productboard workspace and head to Settings > Enforce SSO and paste the Signing Certificate from Workspace ONE into the Certificate field in Productboard. Keep this tab open.


Head back to Workspace ONE, under the Settings dialogue, click Identity Provider (IdP) metadata under SAML Metadata.


An XML metadata file will be shown. Copy the highlighted sections into Productboard SSO settings.


Table of Values for Productboard SSO settings


Productboard Workspace ONE Property Name
Name Workspace ONE
SSO Endpoint (HTTP:) SingleSignOnService
Certificate Signing Certificate from above
Certificate Fingerprint (optional)
SLO Endpoint (HTTP:) SingleLogoutService (optional)
Audience / Entity ID EntityID (optional)



By hitting Save & Authorizing you are activating and enforcing SSO via Workspace ONE. Ensure you have assigned the users/groups to access Productboard via Workspace ONE, within Workspace ONE as users will only be able to log in via Workspace ONE.


Productboard Roles

In Productboard, there are a number of roles that contain different permission sets. Please work with your Productboard Admin on what users belong to what role. Use a  pb_role custom attribute to specify which level of access a new member should have. Info on roles types can be found here:


  • This step is only for the initial provisioning of new user profiles i.e. creating a user profile in Productboard and setting their role to be Maker Admin / Maker / Contributor / Viewer. Once a profile is created, Maker with admin can update the user's role within the Productboard.
  • If a user already exists in Productboard, Workspace ONE will log them in as expected, but the Productboard role is managed within Productboard.
  • If an employee leaves and is deactivated in Workspace ONE, the profile in Productboard will not be removed or deactivated; it must be manually deactivated via Productboard Settings > Members.

Testing Phase

Having all the details set up on Workspace ONE and Productboard, you can now test. Simply ensure you have assigned yourself to the app in Workspace ONE. If you haven’t done so already, within the Setting page of Productboard > Enforce SSO, click "Save and Authorize” - you will be prompted to Authorize enabling SSO; click Authorize. From here, you’ll be logged out and should now see the option to log in as Use WorkSpace ONE.


From here, you should be authenticated and logged into Productboard.

Was this article helpful?
0 out of 1 found this helpful



Article is closed for comments.

Articles in this section

See more
Our Support hours:
Monday to Friday from 9:00 am - 2:00 am CET. Monday to Friday from 0:00 am - 5:00 pm PST.
Productboard Academy
Become a Productboard expert with self-paced courses, quick tip videos, webinars and more.
Product Makers Community
Connect with product leaders, share and find product jobs, and learn how to approach similar challenges. Come join our Product Makers community.