Microsoft Entra SSO (Advanced)
Availability
- Plan: Advanced
Roles and Permissions
- Admins only
Using Microsoft Entra (formerly known as Azure Active Directory) allows you to set up a direct link from your Microsoft Entra dashboard to ProdPad. This allows users to log in to ProdPad without having to enter a password in ProdPad.
Note
Please check your account subscription. The steps in this guide are for Advanced accounts; Performance and Enterprise customers may need to make additional configuration, which can be seen here.
The Microsoft Entra to ProdPad link supports the following capabilities:
- Login from the Microsoft Entra dashboard into ProdPad.
- Users can also log in to ProdPad via Microsoft Entra if they go to https://app.prodpad.com/.
- Just-in-time provisioning: if a user has never logged into ProdPad before and clicks the ProdPad app in the dashboard, a role will be created for them in your account. The role will be of the reviewer type unless the role attribute is configured.
- For Performance and Enterprise accounts, you can set up SCIM so that users are auto-provisioned. See here for steps to set this up.
Important!
If you currently have another authentication method enabled such as Google or Slack, please disable them prior to installing SAML. For further help, please read our Implementation Checklist.
In ProdPad
- To start, go to Account Settings and select the Security tab.
- Now select the SSO/SAML sub-tab.
- Click the "Add authentication type" button and select Microsoft Entra from the dropdown.
- Keep the modal open (you will need these URLs) and go to Microsoft Entra.
In Microsoft Entra
- Click on "Enterprise Apps" in the Microsoft Entra menu.
- Click on "Add application".
- Click on "Non-Gallery Application".
- Enter "ProdPad" as the application name.
- Click on "Single Sign-on" and select "SAML based Sign-on."
- In the "Identifier (Entity ID)" field input the URL https://api.prodpad.com/api/v2/sso/saml/metadata
- In the "Reply URL (Assertion Consumer Service URL)" field input the URL https://api.prodpad.com/api/v2/sso/saml/acs
- In the "User Attributes" section, select "user.mail" in the "User Identifier" select box.
- Click on "Advanced attributes" link and then click "Add Attribute". Enter the attribute "User.LastName" and give it a value of "user.surname" and click "ok." Ensure the "Namespace" field is blank.
- Click "Add Attribute". Enter the attribute "User.FirstName" and give it a value of "user.givenname" and click "ok." Ensure the "Namespace" field is blank.
- If you wish to utilise Just In Time Provisioning, click on "Add Attribute" and create an attribute with the name "User.ProdpadRole" with value "user.assignedroles". Ensure the "Namespace" field is blank. See the last section of this guide for more details around setting this up.
- Click "OK" to continue.
- Click on the "Configure ProdPad" link. This provides you with the URLs which you will need later.
- In the "SAML Signing Certificate" section, Microsoft Entra should have created a certificate for you to download. Download the Base64 version; it opens as a text file and gives you the X.509 certificate you will need later.
In ProdPad
- Click the Next button on the Microsoft Entra modal.
- Copy the URL from the "Microsoft Entra Identifier" field in Microsoft Entra into the field labelled "IdP Entity ID/URL" in ProdPad.
- Copy the URL from the "Login URL" field in Microsoft Entra into the "IdP SAML Single Sign-On URL" field in ProdPad.
- Copy the URL from the "Logout URL" field in Microsoft Entra into the "Logout URL" field in ProdPad.
- Paste the text of the X.509 certificate (the public key generated above) into the X.509 certificate field.
- Now you must decide whether you want your users to log in by IdP initiated login only, or by IdP and SP initiated login. If you select IdP only, your users must log in from the Microsoft Entra dashboard rather than the ProdPad login page. If you opt for IdP & SP initiated login you must set up the Domains that your users can log in from; more about this here.
- If you have opted for IdP only, hit save and you are done! Your users can now use the ProdPad app link on their Microsoft Entra dashboard.
- If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address your users will be logging in from. Note: for a domain to appear as an option here, it must be verified under the Domains tab.
- Hit save.
To test, you can now go to the identity provider's console and click on the ProdPad app icon, and you'll be logged into ProdPad. If you have configured IdP & SP initiated login, you can also go to https://app.prodpad.com/login and enter your email. You'll then be shown a button to log in using Microsoft Entra.
Role provisioning in Microsoft Entra
Microsoft Entra needs some changes to the default settings in order to get JIT provisioning working with ProdPad.
For SAML token attributes:
- The User Identifier Attribute needs to be set to the user's email address (i.e. user.mail).
- Add an attribute User.LastName containing the user's family name.
- Add an attribute User.FirstName containing the user's first name.
You can read about how to do this here - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization
In the application manifest:
- You will need to update the ProdPad application manifest to include new roles for admin, editor and reviewer under "appRoles". You can read about how to do this here - https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
- How you assign these roles to users is up to you, whether by group or direct assignment. Once done, the SAML token attribute value user.assignedroles will resolve to the role the user has been given for the ProdPad enterprise application in Microsoft Entra (i.e. "reviewer", "editor" or "admin"). If the value is missing or not one of the three specified, ProdPad will default to setting the user as "reviewer".
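The claim mapping and the JIT role rule described on this page, shown as an added Python example (this is not ProdPad's or Microsoft's own code): it declares the three appRoles entries the manifest step needs (the ids are placeholders), parses a constructed SAML assertion carrying the User.FirstName, User.LastName and User.ProdpadRole attributes configured above, and applies the default-to-reviewer rule. The function names, the sample assertion and the role description strings are assumptions.

```python
"""Added example, not ProdPad's or Microsoft's own code. Shows the appRoles
shape from the manifest step and how a JIT provisioner reads the attributes
this guide configures, defaulting to "reviewer" when User.ProdpadRole is
missing or not one of admin/editor/reviewer."""
import xml.etree.ElementTree as ET

# Manifest fragment in the shape Entra uses under "appRoles". The GUIDs are
# placeholders; Entra requires a unique id per role. "value" is what
# user.assignedroles emits into the SAML token.
APP_ROLES_MANIFEST = [
    {"id": "00000000-0000-0000-0000-000000000001", "allowedMemberTypes": ["User"],
     "description": "Full administrative access", "displayName": "admin",
     "isEnabled": True, "value": "admin"},
    {"id": "00000000-0000-0000-0000-000000000002", "allowedMemberTypes": ["User"],
     "description": "Can edit content", "displayName": "editor",
     "isEnabled": True, "value": "editor"},
    {"id": "00000000-0000-0000-0000-000000000003", "allowedMemberTypes": ["User"],
     "description": "Can read and comment", "displayName": "reviewer",
     "isEnabled": True, "value": "reviewer"},
]
PRODPAD_ROLES = {r["value"] for r in APP_ROLES_MANIFEST if r["isEnabled"]}
DEFAULT_ROLE = "reviewer"

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real token). The attribute Names match
# the claim names added in Entra only because the Namespace field was left
# blank: a namespace, when set, is prefixed onto the emitted claim name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.ProdpadRole"><saml:AttributeValue>editor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) from an assertion.

    For XML received over the network, swap ElementTree for defusedxml and
    verify the signature against the IdP's X.509 certificate first."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return (name_id.text if name_id is not None else None), attrs


def resolve_role(values):
    """user.assignedroles may carry zero, one or several values; use the first
    that is a declared ProdPad role, otherwise apply the documented default."""
    for value in values or []:
        if value.strip() in PRODPAD_ROLES:
            return value.strip()
    return DEFAULT_ROLE


def provision(xml_text):
    """Build the JIT user record ProdPad would create from one assertion."""
    email, attrs = parse_assertion(xml_text)
    if not email:
        raise ValueError("no NameID in assertion; check the User Identifier mapping (user.mail)")
    return {
        "email": email,
        "first_name": (attrs.get("User.FirstName") or [""])[0],
        "last_name": (attrs.get("User.LastName") or [""])[0],
        "role": resolve_role(attrs.get("User.ProdpadRole")),
    }


if __name__ == "__main__":
    print(provision(SAMPLE_ASSERTION))
```

In a real service provider the assertion's signature is verified against the X.509 certificate pasted into ProdPad, and the Audience and Recipient are checked against the Entity ID and ACS URL given above, before any attribute is trusted; the example only demonstrates the attribute and role handling.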