Microsoft Entra SSO

← Back to SAML section
  • Availability
  • Roles and Permissions
    • Admins only

    • Using Microsoft Entra allows you to set up a direct link from your Microsoft Entra dashboard to ProdPad. This will allow users to log in to ProdPad without having to enter a password in ProdPad.

    Note

    Please check your account subscription. The steps in this guide are for Advanced Modular, Performance and Enterprise plans and accounts with the Governance Power-up,  Advanced plan customers will see slightly different configuration steps, which can be seen  here.

    Microsoft Entra ProdPad link supports the following capabilities:

    • Login from the Microsoft Entra dashboard into ProdPad.
    • The user can also login to ProdPad via Microsoft Entra if they go to https://app.prodpad.com/.
    • Just-In-Time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the dashboard, a role will be created for them in your account. The role will have a reviewer type unless the role attribute is configured.
    • For Advanced Modular, Performance and Enterprise accounts, you can set up SCIM so that users are auto-provisioned. See here for steps to set this up.

    Important!

    If you currently have another authentication method enabled such as Google or Slack, please disable them prior to installing SAML. For further help, please refer to our Implementation Check.

    In ProdPad

    1. To start with, go to Account Settings and select the Security tab.
    2. Now select the SSO/SAML sub-tab.
    3. Click the "Add authentication type" button and select Microsoft Entra from the dropdown.
    4. Keep the modal open (you will need these URLs) and go to Microsoft Entra.

    In Microsoft Entra

    1. Click on "Enterprise Apps" in the Microsoft Entra menu.
    2. Click on "Add application"
    3. Click on "Non-Gallery Application"
    4. Enter "ProdPad" as the application name.
    5. Click on "Single Sign-on" and select "SAML based Sign-on."
    6. In the "Identifier (Entity ID)" field input the URL https://api.prodpad.com/api/v2/sso/saml/metadata
    7. In the "Reply URL (Assertion Consumer Service URL)" field input the URL https://api.prodpad.com/api/v2/sso/saml/acs
    8. In the "User Attributes" section select "user.mail" for "User Identifier" select box.
    9. Click on "Advanced attributes" link and then click "Add Attribute". Enter the attribute "User.LastName" and give it a value of "user.surname" and click "ok." Ensure the "Namespace" field is blank.
    10. Click "Add Attribute". Enter the attribute "User.FirstName" and give it a value of "user.givenname" and click "ok." Ensure the "Namespace" field is blank.
    11. If you wish to utilise Just In Time Provisioning, click on "Add Attribute" and create an attribute with the name "User.ProdpadRole" with value "user.assignedroles". See the last section of this guide for more details around setting this up.

    12. For multiple account users, additional configuration is required. We have a separate guide for this that you can read here.
    13. Click "ok" to continue.
    14. Click on "Configure ProdPad" link. This provides you with the URLs which you will need later.
    15. In the "SAML Signing Certificate" section, Microsoft Entra should have created a certificate for you to download. Base64 will allow you to download and open as a text file to obtain the X.509 certificate you will need later.

    In ProdPad

    1. Click the Next button on the Microsoft Entra modal.
    2. Copy into the field labelled "IdP Entity ID/URL" in ProdPad, the URL from the field "Microsoft Entra Identifier" in Microsoft Entra.
    3. Copy into the field "IdP SAML Single Sign-On URL" in ProdPad, the URL in the field "Login URL" in Microsoft Entra.
    4. Copy into the field "Logout URL" in ProdPad, the URL in the field "Logout URL" in Microsoft Entra.
    5. Paste the text of X.509 certificate (public key generated above) into the X.509 certificate field.

    6. If you have multiple accounts on your ProdPad plan you can select these in the Associate Accounts field - Note: you must be a user in an account before you can associate it to the authentication type.

      Now you must decide whether you want your users to login by IdP initiated login only or by IdP and SP initiated login. If you select IdP only, you user must login from the Microsoft Entra dashboard, rather than the ProdPad login page. If you opt for IdP & SP initiated login you must set up the Domains that your users can login from, more about this here.
    7. If you have opted for IdP only, hit save and you are done! Your users can now use the ProdPad app link on their Microsoft Entra dashboard.
    8. If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address they will log in from. Note: for a domain to appear as an option here it must be verified under the Domains tab.
    9. Hit save.

    To test this, you can now go to the Identity Providers console and click on the ProdPad app icon. You should then be logged into ProdPad. If you have set up the configuration, you can also go to https://app.prodpad.com/login and enter your email. You'll then be shown a button to log in using Microsoft Entra.

    Microsoft Entra with SCIM Provisioning 

    Once you have created your app in Microsoft Entra you can opt to configure SCIM to auto-provision your user access and authentication in ProdPad

    1. On the side menu for the ProdPad enterprise app, select Provisioning.
    2. Set "Provisioning Mode" to Automatic.
    3. Under "Admin Credentials, in the field "Tenant URL" enter the URL https://api.prodpad.com/api/v2/scim
    4. In ProdPad, go to the API key tab (https://app.prodpad.com/me/apikeys) copy the API key and then paste that into the Authentication Token field in Microsoft Entra.
    5. Click "Test connection" and once the test passes (it will say connectivity confirmed).

    6. In Target Objects select Create, Update and Delete.
    7. In attribute mappings ensure you have the following configuration:

      Microsoft Entra Attribute customappsso Attribute Matching precedence
      userPrincipalName username 1
      Switch([IsSoftDeleted], , "False", "True", "True", "False") active  
      userPrincipalName emails[type eq "work"].value  
      givenName name.givenName  
      surname name.familyName  
           
    8. Now click "Save"
    9. Under "Settings" set "Provisioning Status" to On.
    10. Click "Save".

    Important!

    It should be noted that Microsoft Entra with SCIM Provisioning isn't available on Legacy Advanced plans and Modular plans without the governance powerup.

    Role provisioning in Microsoft Entra

    Microsoft Entra needs some changes to the default settings in order to get role provisioning working with ProdPad.

    Add app roles for the ProdPad enterprise app

    So that Microsoft Entra has the roles available for assignment you need to create the custom role.

    1. Browse to Microsoft Entra / Entra ID >  App registrations and then select the ProdPad application
    2. Under manage select App roles, and then select Create app role.
    3. In the Create app role pane, enter the settings for the role. The values must be lower case i.e. admin, editor, reviewer. 
    4. Select Apply to save your changes.

    You can read more about how to do this here - https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

    Configure the provisioning app to pass over role attributes

    Now you need to edit the provisioning attribute mappings for ProdPad to pass the role in the Create and Update requests.

    1. go to the ProdPad app under Enterprise applications and select Provisioning
    2. Open Edit attribute mappings > Mappings > Provision Microsoft Entra Users
    3. Tick Show advanced options and click Edit attribute list for customappsso
    4. Add a new customappsso Atribute with the following settings
      • Name urn:ietf:params:scim:schemas:extension:prodpad:2.0:User:role
      • Type String
    5. Save
    6. Now go to Attribute Mappings > Add New Mapping
    7. Create an attribute mapping with the following settings: 
      • Mapping type Expression
      • Expression SingleAppRoleAssignment([appRoleAssignments])
      • Target attribute urn:ietf:params:scim:schemas:extension:prodpad:2.0:User:role
      • Match objects using this attribute No
      • Apply this mapping Always
    8. Click OK

    Important!

    We currently do not support Group provisioning, but if this is something you'd like to see as a feature, let us know here

    Azure Active Directory SSO is available on the following legacy plans:
    Performance
    Enterprise
    Any Modular Plan with Governance Power-up
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us

Related Articles