Azure Active Directory SSO (Advanced)

← Back to SAML section

  • Availability
    • Plan: Advanced
  • Roles and Permissions
    • Admins only

Using Azure AD allows you to set up a direct link from your Azure AD dashboard to ProdPad. This will allow users to log in to ProdPad without having to enter a password in ProdPad.

Note

Please check your account subscription. The steps in this guide are for Advanced accounts, Performance and Enterprise customers may need to make additional configuration, which can be seen here.

Azure AD ProdPad link supports the following capabilities:

  • Login from the Azure AD dashboard into ProdPad.
  • The user can also login to ProdPad via Azure AD if they go to https://app.prodpad.com/ .
  • Just-in-time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the dashboard, a role will be created for them in your account. The role will have a reviewer type unless the role attribute is configured.
  • For Performance and Enterprise accounts, you can set up SCIM so that users are auto-provisioned. See here for steps to set this up.

Important!

If you currently have another authentication method enabled such as Google or Slack, please disable them prior to installing SAML. For further help, please read our Implementation Checklist.

In ProdPad

  1. To start go to Account Settings and select the Security tab.
  2. Now select the SSO/SAML sub-tab.
  3. Click the "Add authentication type" button and select Azure AD from the dropdown.

    Click the "Add authentication type" button and select Azure AD

  4. Keep the modal open (you will need these URLs) and go to Azure AD.

In Azure AD

  1. Click on "Enterprise Apps" in the Azure AD menu.
  2. Click on "Add application"
  3. Click on "Non-Gallery Application"
  4. Enter "ProdPad" as the application name.
  5. Click on "Single Sign-on" and select "SAML based Sign-on."
  6. In the "Identifier (Entity ID)" field input the URL https://api.prodpad.com/api/v2/sso/saml/metadata
  7. In the "Reply URL (Assertion Consumer Service URL)" field input the URL https://api.prodpad.com/api/v2/sso/saml/acs
  8. In the "User Attributes" section select "user.mail" for "User Identifier" select box.
  9. Click on "Advanced attributes" link and then click "Add Attribute". Enter the attribute "User.LastName" and give it a value of "user.surname" and click "ok." Ensure the "Namespace" field is blank.
  10. Click "Add Attribute". Enter the attribute "User.FirstName" and give it a value of "user.givenname" and click "ok." Ensure the "Namespace" field is blank.
  11. If you wish to utilise Just In Time Provisioning, click on "Add Attribute" and create an attribute with the name "User.ProdpadRole" with value "user.assignedroles". Ensure the "Namespace" field is blank. See the last section of this guide for more details around setting this up.

  12. Click "OK" to continue.

  13. Click on "Configure ProdPad" link. This provides you with the URLs which you will need later
  14. In the "SAML Signing Certificate" section, Azure should have created a certificate for you to download. Base64 will allow you to download and open as a text file to obtain the X.509 certificate you will need later.

In ProdPad

  1. Click the Next button on the Azure AD modal.
  2. Copy into the field labelled "IdP Entity ID/URL" in ProdPad, the URL from the field "Azure AD Identifier" in Azure AD.
  3. Copy into the field "IdP SAML Single Sign-On URL" in ProdPad, the URL in the field "Login URL" in Azure AD.
  4. Copy into the field "Logout URL" in ProdPad, the URL in the field "Logout URL" in Azure AD.
  5. Paste the text of X.509 certificate (public key generated above) into the X.509 certificate field.

  6. Now you must decide whether you want your users to login by IdP initiated login only or by IdP and SP initiated login. If you select IdP only, you user must login from the Azure AD dashboard, rather than the ProdPad login page. If you opt for IdP & SP initiated login you must set up the Domains that your users can login from, more about this here.
  7. If you have opted for IdP only, hit save and you are done! Your users can now use the ProdPad app link on their Azure AD dashboard.
  8. If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address they will be login in from. Note: for a domain to appear as an option here in must be verified under the Domains tab.
  9. Hit save.

To test you can now go to the Identity providers console and click on the ProdPad app icon and you'll be logged into ProdPad. If you have configured for You can also go to to https://app.prodpad.com/login and enter your email. You'll then be shown a button to login using Azure AD.

Role provisioning in Azure AD

Azure AD needs some changes to the default settings in order to get JIT provisioning working with ProdPad.

For SAML token attributes:

  • The User Identifier Attribute needs to be set to the users email address (i.e user.mail).
  • Add an attribute User.LastName which is the user's family name. 
  • Add an attribute User.FirstName which is the user's first name.

You can read about how to do this here - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

In the application manifest:

  • How you achieve this is up to you, whether by group or direct assignment. Once done this will allow the SAML Token attribute value user.assignedroles to resolve to the value of the users roles set for the ProdPad enterprise application in Azure AD (i.e. "reviewer","editor" or "admin.") If the value is missing or not one of the three specified, ProdPad will default to setting the user as "reviewer."

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us