SAML 2.0
Availability
- Plan: Roadmaps Advanced, Ideas Advanced, Feedback Advanced
Roles and Permissions
- Admins only
To set up SAML-based SSO you’ll need to be an admin and be subscribed to at least one of our Advanced modules. This document assumes you are familiar with setting up SAML 2.0 SSO.
The process starts with creating a SAML 2.0 connector/application within your identity provider and then creating a corresponding integration in ProdPad.
SAML SSO allows you to set up a direct link from your identity provider dashboard to ProdPad, depending on your provider. This will allow users to log in to ProdPad without having to enter a password in ProdPad.
The SAML SSO / ProdPad link supports the following capabilities:
- Login from the identity provider dashboard into ProdPad.
- Users can also log in to ProdPad by going to https://app.prodpad.com/ and authenticating via your identity provider.
- Just-in-time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the dashboard, a role will be created for them in your account. The role will be of the reviewer type unless the role attribute is configured.
- For Advanced modular, Performance and Enterprise accounts, you can set up SCIM so that users are auto-provisioned. See here for steps to set this up.
In ProdPad
- To start, go to Account Settings and select the Security tab.
- Now select the SSO/SAML sub-tab.
- Click the "Add authentication type" button and select SAML from the dropdown.
- Keep the modal open (you will need these URLs) and go to your Identity Provider.
In your IdP
- Create a new SAML 2.0 connector.
- In the field relevant to the SP Entity ID, copy & paste the Audience/Identifier URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/metadata).
- In the field relevant to the SAML Audience URL, copy & paste the ACS/Reply URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/acs).
- If applicable, in the Single Logout URL field paste the Single Logout URL (https://api.prodpad.com/com/api/v2/sso/saml/sls).
- In the parameters or claim attributes section of your IdP you will need to map the following:
  - an attribute with the name NameID mapped to the value of the user's email.
  - an attribute with the name "User.FirstName" mapped to the value of the user's first/given name.
  - an attribute with the name "User.LastName" mapped to the value of the user's last/family name.
  - If you wish to use Just In Time provisioning for roles in ProdPad, an attribute with the name "User.ProdpadRole" mapped to a custom attribute value which should return either 'admin', 'editor' or 'reviewer' (this configuration is optional; if no value is passed in the assertion, the user will be provisioned as a reviewer by default).
- Generate a private & public key pair and upload it to the identity provider as an X.509 certificate. The private key stays with the identity provider, which uses it to sign the SAML assertions; only the public certificate is pasted into ProdPad later.
- If there is a name or label field, enter "ProdPad".
- If there is an option to upload logos so your team can identify this easily, the ProdPad logos are here.
- Save the connector.
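As an added example (not ProdPad's or any identity provider's code), the following Python parses the attributes listed above out of a SAML 2.0 assertion and applies the page's just-in-time provisioning rules: a missing User.ProdpadRole falls back to reviewer, a value outside admin/editor/reviewer is refused, and a user whose role was previously removed from the account is not recreated (the rule stated in the Important note at the end of this page). The sample assertion, its issuer URL and the email address are constructed. The block only parses; it does not verify the assertion's XML signature, which any real service provider must do against the IdP certificate before trusting any of these values.

```python
# Added example, not ProdPad's or any IdP's code. Parses the attributes
# ProdPad expects from a SAML 2.0 assertion and applies the page's JIT rules.
# The assertion below is constructed; signature verification is NOT performed.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_ROLES = {"admin", "editor", "reviewer"}
DEFAULT_ROLE = "reviewer"  # page: no role attribute -> provisioned as reviewer

# Constructed sample assertion (issuer, email and names are invented).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sso.idp.example/saml2/prodpad</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.FirstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="User.LastName">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="User.ProdpadRole">
      <saml:AttributeValue>editor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return NameID plus every Attribute/AttributeValue pair in the assertion."""
    # In production parse untrusted XML with defusedxml rather than plain ElementTree.
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID; ProdPad needs the user's email here")
    attrs = {"NameID": name_id.text.strip()}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text is not None:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def resolve_role(attrs: dict):
    """Map User.ProdpadRole to a ProdPad role; None means the value is not accepted."""
    raw = attrs.get("User.ProdpadRole", "").strip()
    if not raw:
        return DEFAULT_ROLE          # attribute absent or empty -> reviewer
    return raw if raw in ALLOWED_ROLES else None


def jit_decision(attrs: dict, active_accounts: set, removed_accounts: set) -> tuple:
    """Decide what a login carrying these attributes should do.

    Returns (action, role) where action is one of:
      "login"  - the account exists, sign the user in
      "create" - never seen before, provision with the resolved role
      "deny"   - the role value is not accepted, or the user previously had a
                 role in the account that was removed (not recreated)
    """
    email = attrs["NameID"].lower()
    role = resolve_role(attrs)
    if role is None:
        return ("deny", None)
    if email in removed_accounts:
        return ("deny", None)
    if email in active_accounts:
        return ("login", role)
    return ("create", role)


if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_ASSERTION)
    print(parsed)
    print(jit_decision(parsed, set(), set()))
    print(jit_decision(parsed, set(), {"jane@example.com"}))
```

The "deny" outcome for a removed account is the behaviour the page describes as intentional; an IdP that keeps asserting such a user will see failed logins until an admin restores the role in ProdPad.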
In ProdPad
- Click the Next button on the SAML modal.
- Copy the unique URL that identifies the IdP/SAML connector in the IdP (this may also be called the Issuer URL/ID) into the field labelled "IdP Entity ID/URL" in ProdPad.
- Copy the audience URL that users should be redirected to when they attempt to log in from the ProdPad login page into the field "IdP SAML Single Sign-On URL" in ProdPad; this will be something like https://sso.idp.com/saml2/prodpad.
- Copy the IdP single logout service endpoint into the field "Logout URL" in ProdPad.
- Paste the text of the X.509 certificate (the public half of the key pair generated above) into the X.509 certificate field.
- Now decide whether your users should log in by IdP-initiated login only, or by both IdP- and SP-initiated login. If you select IdP only, your users must log in from the OneLogin dashboard rather than the ProdPad login page. If you opt for IdP & SP initiated login you must set up the Domains that your users can log in from; more about this here.
- If you have opted for IdP only, hit Save and you are done! Your users can now use the ProdPad app link on their OneLogin dashboard.
- If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address your users will be logging in from. Note: for a domain to appear as an option here it must be verified under the Domains tab.
- Hit Save.
To test, go to your identity provider's console and click on the ProdPad app icon; you’ll be logged into ProdPad. You can then go to https://app.prodpad.com/login and enter your email, and you’ll be shown a button to log in using your IdP.
Setting Up Automatic Provisioning
ProdPad supports the automatic provisioning of users from your connected directory via the IdP. Automatic provisioning does the following:
- When a new user is added to the IdP, the user is created in ProdPad, assuming the user meets the setup rules within the IdP.
- When a user's role is changed in the IdP, the user's role is changed in ProdPad.
- If a user is removed from the IdP, or is removed from having access to the ProdPad app in the IdP, the user is removed from ProdPad.
In order for automatic provisioning to work you'll need to add a SAML attribute called ProdpadRole. The value for this attribute can be one of "reviewer", "editor" or "admin".
You don't need to give everyone in the company access to ProdPad. Depending on how your IdP works, you can specify that only users with a specific tag, or in a specific group, have access to ProdPad.
Automatic Provisioning is only available for Performance and Enterprise plans.
In the IdP
After following the steps above:
- Create a custom field for the users called "ProdpadRole" that will be used to set the user's role in ProdPad - this needs to be mapped to a custom attribute value which should return either 'admin', 'editor' or 'reviewer' (no value will also default the user to reviewer when provisioned).
- Enter the following into the SCIM JSON template text field:
  {
    "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:scim:prodpad:2.0:schema" ],
    "userName": "{$user.email}",
    "name": { "familyName": "{$user.lastname}", "givenName": "{$user.firstname}" },
    "urn:scim:prodpad:2.0:schema": { "role": "{$parameters.ProdpadRole}" }
  }
- In ProdPad, go to the API key tab (https://app.prodpad.com/me/apikeys) and copy the API key and paste that into the SCIM Bearer Token field
- Enable the API connection if relevant for your IdP connector
- Enable provisioning if relevant in your IdP
- If you do not want to manually approve every provisioning action, change any settings related to creating, updating or deleting users so those actions happen automatically rather than requiring admin approval.
- If you want users to be deleted from ProdPad when they are deleted from your IdP, make sure the "Delete" action in the IdP is set to delete the user via SCIM provisioning.
- To control the user’s role in ProdPad using the IdP you’ll need to create a custom user field/attribute/parameter that stores the role. You’ll then need to create a SAML attribute called "ProdpadRole" that is filled with the value from your custom field
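As an added example (not ProdPad's or any IdP's code), the following Python renders the SCIM JSON template above with constructed user values and checks the rendered document against what the page says ProdPad expects: both schema URNs present, the user's email as userName, and a role that is one of admin, editor or reviewer, with an empty role defaulting to reviewer. Because the IdP substitutes placeholders as raw text inside JSON string literals, the renderer JSON-escapes every value so a name containing a quote or backslash cannot corrupt the payload. The user record, role values and the `{$user.x}` / `{$parameters.x}` placeholder syntax handling are assumptions for illustration.

```python
# Added example, not ProdPad's or any IdP's code. Renders the page's SCIM JSON
# template with constructed values and validates the result. Assumptions: the
# placeholder syntax {$user.x} / {$parameters.x} is substituted textually by
# the IdP, and the user/parameter dicts below are invented sample data.
import json
import re

SCIM_TEMPLATE = """{
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:scim:prodpad:2.0:schema" ],
  "userName": "{$user.email}",
  "name": { "familyName": "{$user.lastname}", "givenName": "{$user.firstname}" },
  "urn:scim:prodpad:2.0:schema": { "role": "{$parameters.ProdpadRole}" }
}"""

PRODPAD_SCHEMA = "urn:scim:prodpad:2.0:schema"
REQUIRED_SCHEMAS = {"urn:ietf:params:scim:schemas:core:2.0:User", PRODPAD_SCHEMA}
ALLOWED_ROLES = {"admin", "editor", "reviewer"}
DEFAULT_ROLE = "reviewer"  # page: no value -> user provisioned as reviewer
PLACEHOLDER = re.compile(r"\{\$(user|parameters)\.([A-Za-z]+)\}")


def render_template(template: str, user: dict, parameters: dict) -> str:
    """Substitute {$user.x} / {$parameters.x} placeholders with JSON-escaped values."""
    sources = {"user": user, "parameters": parameters}

    def substitute(match):
        value = sources[match.group(1)].get(match.group(2), "")
        # json.dumps escapes quotes, backslashes and control characters; strip the
        # surrounding quotes because the template already supplies them.
        return json.dumps(str(value))[1:-1]

    return PLACEHOLDER.sub(substitute, template)


def validate_scim_user(payload: str) -> tuple:
    """Parse a rendered payload; return (normalised document, list of problems)."""
    problems = []
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError as exc:
        return None, [f"payload is not valid JSON: {exc}"]

    missing = REQUIRED_SCHEMAS - set(doc.get("schemas", []))
    if missing:
        problems.append(f"schemas missing {sorted(missing)}")

    if "@" not in doc.get("userName", ""):
        problems.append("userName must be the user's email address")

    ext = doc.setdefault(PRODPAD_SCHEMA, {})
    role = ext.get("role", "")
    if role == "":
        ext["role"] = DEFAULT_ROLE           # absent role -> reviewer
    elif role not in ALLOWED_ROLES:
        problems.append(f"role {role!r} is not one of {sorted(ALLOWED_ROLES)}")

    return doc, problems


def build_scim_user(user: dict, parameters: dict) -> tuple:
    """Render the template for one user and validate it in a single step."""
    return validate_scim_user(render_template(SCIM_TEMPLATE, user, parameters))


if __name__ == "__main__":
    # Constructed sample user; the surname deliberately contains a double quote.
    sample_user = {"email": "jane@example.com", "firstname": "Jane", "lastname": 'O"Connor'}
    print(build_scim_user(sample_user, {"ProdpadRole": "editor"}))
    print(build_scim_user(sample_user, {}))
    print(build_scim_user(sample_user, {"ProdpadRole": "owner"}))
```

Running the validator over a few real directory entries before enabling provisioning is a cheap way to catch a mis-mapped ProdpadRole field, since an unrecognised value will otherwise surface only as a failed provisioning call against the SCIM endpoint.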
Important
If the user previously existed in ProdPad but no longer has a role in your ProdPad account, then the role won't be recreated in your account. This is done to avoid potential security issues. If you encounter any problems with users logging in with SAML, get in touch to resolve the issue.
SAML 2.0 is available on the following legacy plans:
- Performance
- Enterprise
- Any Modular Plan with Governance Power-up