Okta
Availability
- Plan: Advanced
Roles and Permissions
- Admins only
Using Okta allows you to set up a direct link from your Okta dashboard to ProdPad. This will allow users to log in to ProdPad without having to enter a password in ProdPad.
Note
Please check your account subscription. The steps in this guide are for Advanced accounts. Performance and Enterprise customers may need to carry out additional configuration, which can be seen here.
The Okta / ProdPad link supports the following capabilities:
- Login from the Okta dashboard into ProdPad.
- The user can also log in to ProdPad via Okta if they go to https://app.prodpad.com/ .
- Just-in-time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the Okta dashboard, a role will be created for them in your account. The role will have a reviewer type.
- For Performance and Enterprise plan customers, please contact us if you wish to have your users auto-provisioned and fully managed in Okta.
Important!
If you currently have another authentication method enabled such as Google or Slack, please disable them prior to installing SAML. For further help, please read our Implementation Checklist.
In ProdPad
- To start, go to Account Settings and select the Security tab.
- Now select the SSO/SAML sub-tab.
- Click the "Add authentication type" button and select Okta from the dropdown.
- Keep the modal open (you will need these URLs) and go to Okta.
In Okta
- Go to the Applications tab in the Admin view of Okta.
- Click on the "Add application" button and then the "Create New App" button.
- In the modal select Web and SAML and click on create.
- Add "ProdPad" as the name and upload the logo (available at the bottom of the page) and then hit next.
- On the next page, in the Single sign on URL, copy & paste the ACS/Reply URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/acs)
- In the Audience URI, copy & paste the Audience/Identifier URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/metadata)
- Select the option "emailAddress" from the Name ID format select box.
- Select the option "Email" from the Application username select box.
- In the attributes section add an attribute "User.FirstName" and set the value to "user.firstName"
- Add another attribute "User.LastName" and set the value to "user.lastName"
- Click the green next button.
- Click next again.
- Click the "View setup instructions" option.
In ProdPad
- Click the Next button on the Okta modal.
- Copy the URL/value from the field "Identity Provider Issuer" in Okta into the field labelled "IdP Entity ID/URL" in ProdPad.
- Copy the URL in the "Identity Provider Single Sign-On URL" field in Okta into the field "IdP SAML Single Sign-On URL" in ProdPad.
- If applicable, copy the URL in the field "SLO Endpoint" in Okta into the "Logout URL" field in ProdPad.
- Paste the text of the X.509 certificate into the X.509 certificate field.
- Now you must decide whether you want your users to log in by IdP initiated login only or by IdP and SP initiated login. If you select IdP only, your users must log in from the Okta dashboard, rather than the ProdPad login page. If you opt for IdP & SP initiated login, you must set up the Domains that your users can log in from; more about this here.
- If you have opted for IdP only, hit save and you are done! Your users can now use the ProdPad app link on their Okta dashboard.
- If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address they will be logging in from. Note: for a domain to appear as an option here, it must be verified under the Domains tab.
- Hit save.
To test, you can now go to the Identity providers console and click on the ProdPad app icon and you'll be logged into ProdPad. If you have configured IdP & SP initiated login, you can also go to https://app.prodpad.com/login and enter your email. You'll then be shown a button to log in using Okta.
Just In Time Provisioning
In Okta, navigate to Directory > Profile Editor:
Search for the prodpad app, then click Profile:
Click Add Attribute, then enter the following information:
- Display Name: Enter ProdpadRole.
- Variable Name: Enter ProdpadRole.
Click Save:
If you check User personal, the ProdpadRole attribute will be available once you assign a single user to the ProdPad app and will not be available once you assign a group to the ProdPad app. For example, in the following screenshot, the User personal Scope was not applied to the ProdpadRole attribute:
Now, when you assign users to the ProdPad app, you can specify the attribute ProdpadRole for a user. The value needs to be either reviewer, editor, or admin (lower case). If the role is not specified, a user will log in as a Reviewer.
Important!
- The domain you enter into the form must match the email domain that you are using for your own role in ProdPad. If it doesn’t match it will error.
- Each user will need to have an email that matches the entered domain otherwise they will get a "Miss-matched email" error when trying to log in.