SAML 2.0 SSO (Advanced)
- Plan: Advanced
Roles and Permissions
- Admins only
To set up SAML-based SSO you’ll need to be an admin and be subscribed to either the Advanced, Performance or Enterprise package. This document assumes you are familiar with setting up SAML 2.0 SSO.
Please check your account subscription. The steps in this guide are for Advanced accounts. Performance and Enterprise customers may need to carry out additional configuration, which can be seen here.
The process starts with creating a SAML 2.0 connector/application within your identity provider and then creating a corresponding integration in ProdPad.
SAML SSO allows you to set up a direct link from your identity provider dashboard to ProdPad, depending on your provider. This will allow users to log in to ProdPad without having to enter a password in ProdPad.
SAML SSO / ProdPad link supports the following capabilities:
- Log in from the identity provider dashboard into ProdPad.
- The user can also log in to ProdPad if they go to https://app.prodpad.com/ via your identity provider.
- Just-in-time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the dashboard, a role will be created for them in your account. The role will have a reviewer type unless the role attribute is configured.
- For Performance and Enterprise accounts, you can set up SCIM so that users are auto-provisioned. See here for steps to set this up.
- To start, go to Account Settings and select the Security tab.
- Now select the SSO/SAML sub-tab.
- Click the "Add authentication type" button and select SAML from the dropdown.
- Keep the modal open (you will need these URLs) and go to your Identity Provider.
- Create a new SAML 2.0 connector.
- In the field relevant to the SP Entity ID, copy & paste the Audience/Identifier URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/metadata).
- In the field relevant to the SAML Audience URL, copy & paste the ACS/Reply URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/acs).
- If applicable, in the Single Logout URL field paste the Single Logout URL (https://api.prodpad.com/api/v2/sso/saml/sls).
- In the parameters or claim attributes section of your IdP you will need to map the following:
- an attribute with the name NameID mapped to the value of the user's email.
- an attribute with the name "User.FirstName" mapped to the value of the user's first/given name.
- an attribute with the name "User.LastName" mapped to the value of the user's last/family name.
- If you wish to use Just In Time provisioning for roles in ProdPad, an attribute with the name "User.ProdpadRole" mapped to a custom attribute value which should return either 'admin', 'editor' or 'reviewer' (no value will also default the user to reviewer when provisioned).
- Generate a private & public key and upload the private key to the identity provider as an X.509 certificate.
- If there is a name or label field add "ProdPad".
- If there is a tag field then add "prodpad".
- If there is an option to upload logos so your team can identify this easily, the ProdPad logos are attached at the bottom of this page.
- Save the connector.
- Click the Next button on the SAML modal.
- In the field labelled "IdP Entity ID/URL" in ProdPad, paste the unique URL that identifies the IdP/SAML connector in the IdP. This may also be called the issuer URL/ID.
- In the field "IdP SAML Single Sign-On URL" in ProdPad, paste the audience URL that users should be redirected to when they attempt to log in from the login page in ProdPad. This will be something like https://sso.idp.com/saml2/prodpad.
- Copy into the field "Logout URL" in ProdPad, the IdP single logout service endpoint.
- Paste the text of the X.509 certificate (public key generated above) into the X.509 certificate field.
- Now you must decide whether you want your users to log in by IdP initiated login only or by IdP and SP initiated login. If you select IdP only, your users must log in from the IdP dashboard, rather than the ProdPad login page. If you opt for IdP & SP initiated login, you must set up the Domains that your users can log in from; more about this here.
- If you have opted for IdP only, hit save and you are done! Your users can now use the ProdPad app link on their dashboard.
- If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address they will be logging in from. Note: for a domain to appear as an option here it must be verified under the Domains tab.
- Hit save.
To test, you can now go to the identity provider’s console and click on the ProdPad app icon and you’ll be logged into ProdPad. You can then go to https://app.prodpad.com/login and enter your email. You’ll then be shown a button to log in using your IdP.
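To confirm the attribute mapping and URLs configured above, the following added example (not ProdPad's code) checks a decoded SAML assertion captured during the test login against the values in this guide. It assumes Python 3, a hypothetical check_assertion helper, a constructed sample assertion, and that role values are matched case-sensitively; it checks the mapping only and does not verify the signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# URLs, attribute names and role values as given in this guide.
AUDIENCE = "https://api.prodpad.com/api/v2/sso/saml/metadata"
ACS = "https://api.prodpad.com/api/v2/sso/saml/acs"
ROLES = {"admin", "editor", "reviewer"}

# Constructed sample assertion (unsigned, trimmed), not captured from a real IdP.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>ada@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://api.prodpad.com/api/v2/sso/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://api.prodpad.com/api/v2/sso/saml/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.ProdpadRole"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return mapping problems (empty list = matches the guide). Does not verify the signature."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    problems = []
    # NameID may arrive in the Subject or, on some IdPs, as a plain attribute.
    name_id = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or attrs.get("NameID", "")).strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        problems.append("NameID is not an email address: %r" % name_id)
    for required in ("User.FirstName", "User.LastName"):
        if not attrs.get(required):
            problems.append("missing or empty attribute " + required)
    role = attrs.get("User.ProdpadRole", "")
    if role and role not in ROLES:  # no value is fine: it defaults to reviewer; exact case is assumed
        problems.append("User.ProdpadRole %r is not one of %s" % (role, sorted(ROLES)))
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if AUDIENCE not in audiences:
        problems.append("Audience does not include " + AUDIENCE)
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if ACS not in recipients:
        problems.append("Recipient is not " + ACS)
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "mapping matches the guide")
```

The constructed sample deliberately sends the role as "Admin" so the check reports it; an IdP custom attribute that returns a display name rather than one of the three expected values is caught the same way.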