Okta
Availability
- Plan: Any Advanced module
- On a legacy plan? Click here for more info
Roles and Permissions
- Admins only
Using Okta allows you to set up a direct link from your Okta dashboard to ProdPad. This will allow users to log in to ProdPad without having to enter a password in ProdPad.
The Okta / ProdPad link supports the following capabilities:
- Login from the Okta dashboard into ProdPad.
- The user can also log in to ProdPad via Okta if they go to https://app.prodpad.com/.
- Just-in-time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the Okta dashboard, a role will be created for them in your account. The role will have a reviewer type.
- SCIM is not currently available for our Okta app. Please give us your feedback if this is something you are interested in.
Important!
If you currently have another authentication method enabled such as Google or Slack, please disable them prior to installing SAML. For further help, please read our Implementation Checklist.
Part 1 - In ProdPad
- To start, go to Account Settings and select the Security tab.
- Now select the SSO/SAML sub-tab.
- Click the "Add authentication type" button and select Okta from the dropdown list.
- Keep the modal open (you will need these URLs) and go to Okta.
Part 2 - In Okta
- Go to the Applications tab in the Admin view of Okta.
- Click on the "Add application" button and then the "Create New App" button.
- In the modal, select Web and SAML and click on "Create".
- Add "ProdPad" as the name and upload the logo (available at the bottom of the page) and then click "Next".
- On the next page, in the Single sign on URL, copy & paste the ACS/Reply URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/acs)
- In the Audience URI, copy & paste the Audience/Identifier URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/metadata)
- Select the option "emailAddress" from the Name ID format select box.
- Select the option "Email" from the Application username select box.
- In the attributes section add an attribute "User.FirstName" and set the value to "user.firstName"
- Add another attribute "User.LastName" and set the value to "user.lastName"
- Click the green next button.
- Click next again.
- Click the "View setup instructions" option.
Part 3 - In ProdPad
- Click the "Next" button on the Okta modal.
- Copy the URL/value from the field "Identity Provider Issuer" in Okta into the field labelled "IdP Entity ID/URL" in ProdPad.
- Copy the URL in the "Identity Provider Single Sign-On URL" field in Okta into the field "IdP SAML Single Sign-On URL" in ProdPad.
- If applicable, copy the URL in the field "SLO Endpoint" in Okta into the "Logout URL" field in ProdPad.
- Paste the text of the X.509 certificate into the X.509 certificate field.
- Now you must decide whether you want your users to log in by IdP-initiated login only or by IdP- and SP-initiated login. If you select IdP only, your users must log in from the Okta dashboard rather than the ProdPad login page. If you opt for IdP & SP initiated login, you must set up the Domains that your users can log in from. You can read more about this here.
- If you have opted for IdP only, hit save and you are done! Your users can now use the ProdPad app link on their Okta dashboard.
- If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address they will be logging in from. (Note: for a domain to appear as an option here, it must be verified under the Domains tab).
- Hit save.
To test this, you can now go to the Identity Providers console and click on the ProdPad app icon. You'll then be logged into ProdPad. If you have configured for IdP and SP Initiated login, you can also go to https://app.prodpad.com/login and enter your email. You'll then be shown a button to log in using Okta.
Just In Time role provisioning (optional)
If you would like to be able to set a user's role when they are provisioned into ProdPad at login, you can make some further configuration steps. There are two options, either add the role via the app user profile or add the role via the Okta user profile. How you implement them comes down to personal/organizational preference.
Option 1 - Add role via app user profile
To add the role via the app user profile:
First, in Okta, navigate to Directory > Profile Editor:
Search for the ProdPad app, then click ProdPad Profile from the Profile list.
Click Add Attribute.
Then enter the following information:
- Display Name: Enter ProdpadRole.
- Variable Name: Enter ProdpadRole.
If required:
- External Name: ProdpadRole
- External Namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
Click Save:
You can now continue to add the attribute to the SAML app configuration.
Option 2 - Add role via Okta user profile
To add the role via the Okta user profile:
First, in Okta, navigate to Directory > Profile Editor:
Search for the ProdPad app, then click ProdPad Profile from the Profile list.
Click Add Attribute.
Then enter the following information:
- Display Name: Enter ProdpadRole.
- Variable Name: Enter ProdpadRole.
If required:
- External Name: ProdpadRole
- External Namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
Click Save:
Next, you need to set the attribute mappings between Okta Users and the ProdPad Okta app. To do this click Mappings.
Then select the Okta User to ProdPad tab. Scroll to find the ProdpadRole attribute, click into the select list on the left column and select the ProdpadRole option. Then select Apply mapping on user create and update.
Click Save Mappings and then Apply updates now.
Add the attribute to the SAML Application (required for both options)
The last step is to add the attribute to the Application settings. First, find your ProdPad application under Applications.
Then select General, and next to SAML settings click Edit.
Click Next to access the Configure SAML tab and scroll down to 'Attribute Statements (optional)', click Add another and set:
- Name - User.ProdpadRole
- Name format - Unspecified
- Value - user.ProdpadRole
Note: the casing needs to match the above for the correct attributes and values to be picked up.
Now scroll down and click Next, and then Finish.
Now, when you either assign a user to the app or create or edit a user's Okta profile, you can specify the attribute ProdpadRole. The value needs to be either reviewer, editor, or admin (lowercase). If the role is not specified, a user will log into ProdPad as a Reviewer.
Important!
- If you want your users to be able to log in via the ProdPad login page and be directed to Okta to authenticate (AKA SP-initiated login), you will need to verify your email domain and link it to the Okta config in ProdPad account settings.
- If you opt to not verify a domain and have your users log in via an Okta dashboard link, any existing users will need to know their basic auth details to satisfy a one-time security challenge when they first attempt an Okta login.
Okta SSO is available on the following Legacy plans:
- Modular V1 with Governance Power-up
- Advanced
- Performance
- Enterprise
ProdPad Logos
You can download the ProdPad logos below:
ProdPad Logo (color)