SSO

Azure Active Directory SSO

Using Azure AD allows you to set up a direct link from your Azure AD dashboard to ProdPad. This will allow your users to log in to ProdPad without having to enter a password in ProdPad.

The Azure AD to ProdPad link supports the following capabilities:

  1. Login from the Azure AD dashboard into ProdPad.
  2. The user can also login to ProdPad using Azure AD from the ProdPad login page.
  3. Just-in-time provisioning: if a user has never logged into ProdPad before and they click the ProdPad app in the Azure AD dashboard, a role is created for them in your account. The role will have the reviewer type unless SCIM is set up.
  4. For Performance and Enterprise accounts, you need to set up SCIM provisioning so that users are auto-provisioned and can be fully managed in Azure AD. If SSO is activated without provisioning set up, your users may find that their roles change on their next login.

The process starts with creating an application within Azure AD and then creating a corresponding integration in ProdPad.

In Azure AD

Follow these steps to create a custom application in Azure AD for the connection: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

  1. In the tab "Configure App settings" enter these URLs in the corresponding fields:
    1. Sign On Url (leave blank)
    2. Identifier https://api.prodpad.com/api/v2/sso/saml/metadata
    3. Reply Url https://api.prodpad.com/api/v2/sso/saml/acs
  2. Hit the left arrow to move to the next tab.
  3. In the next tab "Configure single sign-on at ProdPad" copy down the URLs and download the certificate. You'll need these to finish the set up in ProdPad.
  4. Click next and then complete.

Before continuing, set up ProdPad authentication to use the Azure AD app.

In ProdPad

  1. To start go to Account Settings and select the Authentication tab.
  2. Select ADFS from the "Add authentication" dropdown.
  3. Copy into the "Sign-In URL" field in ProdPad the URL labeled "SAML Entity ID" that you copied during the setup of the SAML 2.0 app in Azure AD.
  4. Copy into the "ACS Http Endpoint" field in ProdPad the URL labeled "SAML Single Sign-On Service URL" that you copied during the setup of the SAML 2.0 app in Azure AD.
  5. Copy into the "Logout URL" field in ProdPad the URL labeled "Single Sign Out Service URL" that you copied during the setup of the SAML 2.0 app in Azure AD.
  6. Paste the text of the X.509 certificate you downloaded from Azure AD into the X.509 field.
  7. Add in your domain.
  8. Click save.
  9. You'll be sent a link via email that you need to click on or paste into your browser in order to verify that the domain is valid. Once that is done the authentication set up will become active and your users can start using Azure SSO to log in to ProdPad.

Important!

  • The domain you enter into the form must match the email domain that you are using for your own role in ProdPad. If it doesn't match it will error.
  • Each user will need to have an email that matches the entered domain, otherwise they will get a "Miss-matched email" error when trying to log in.
  • Setting up an on-premises or otherwise hosted Active Directory requires that you are able to create a SAML 2.0 app (Active Directory Federation Services 3.0 or later) and enter the above information into that app.
  • If you are a Performance or Enterprise customer you must continue with the steps below to enable Provisioning.

Provisioning

Azure AD needs some changes to the default settings in order to get automatic provisioning working with ProdPad.

For SAML token attributes:

  • The User Identifier attribute needs to be set to the user's email address (i.e. user.mail).
  • Add an attribute named familyname that carries the user's family name (user.surname).
  • Add an attribute named firstname that carries the user's first name (user.givenname).

You can read about how to do this here - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

In the application manifest:

  • Define the ProdPad roles as app roles (appRoles) whose value is "reviewer", "editor" or "admin", then assign users to them. How you assign them is up to you, whether by group or direct assignment. Once done, the SAML token attribute value user.assignedroles resolves to the role assigned to the user for the ProdPad enterprise application in Azure AD (i.e. "reviewer", "editor" or "admin"). If the value is missing or not one of the three specified, ProdPad will default to setting the user as "reviewer".
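As an added example (not from the original article and not ProdPad's or Microsoft's own configuration), this is the shape of the appRoles entry in the Azure AD application manifest that makes user.assignedroles resolve to the three values ProdPad recognises. The id GUIDs, displayName and description strings are placeholders chosen here; each id must be a GUID that is unique within the app, and the value strings are the only part ProdPad reads.

```json
"appRoles": [
  {
    "allowedMemberTypes": [ "User" ],
    "description": "Placeholder description: can view and comment in ProdPad",
    "displayName": "ProdPad Reviewer",
    "id": "00000000-0000-0000-0000-000000000001",
    "isEnabled": true,
    "value": "reviewer"
  },
  {
    "allowedMemberTypes": [ "User" ],
    "description": "Placeholder description: can edit content in ProdPad",
    "displayName": "ProdPad Editor",
    "id": "00000000-0000-0000-0000-000000000002",
    "isEnabled": true,
    "value": "editor"
  },
  {
    "allowedMemberTypes": [ "User" ],
    "description": "Placeholder description: full administrative access in ProdPad",
    "displayName": "ProdPad Admin",
    "id": "00000000-0000-0000-0000-000000000003",
    "isEnabled": true,
    "value": "admin"
  }
]
```

"User" in allowedMemberTypes lets you assign either individual users or groups to the role. Because ProdPad falls back to "reviewer" for any value it does not recognise, a typo in a value field (for example "Admin" instead of "admin") does not produce an error, it silently demotes every user assigned to that role; check the role a test user actually receives after the first login.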

Azure AD with Provisioning 

In Azure AD

  1. Click on "Enterprise Apps" in the Azure AD menu.
  2. Click on "Add application"
  3. Click on "Non-Gallery Application"
  4. Enter "ProdPad" as the application name.
  5. Click on "Single Sign-on" and select "SAML based Sign-on."
  6. In the "Identifier (Entity ID)" field input the URL https://api.prodpad.com/api/v2/sso/saml/metadata
  7. In the "Reply URL (Assertion Consumer Service URL)" field input the URL https://api.prodpad.com/api/v2/sso/saml/acs
  8. In the "User Attributes" section select "user.mail" for "User Identifier" select box.
  9. Click on "Advanced attributes" link and then click "Add Attribute". Enter the attribute "familyname" and give it a value of "user.surname" and click "ok."
  10. click "Add Attribute". Enter the attribute "firstname" and give it a value of "user.givenname" and click "ok."
  11. Click on "Add Attribute" and create an attribute with the name "User.ProdpadRole" with value "user.assignedroles". Click "ok" to continue.
  12. In the "SAML Signing Certificate" section, Azure should have created a certificate for you. Download it in Base64 format and open it as a text file to obtain the X.509 certificate you will need later.
  13. Click on "Configure ProdPad" link. This provides you with the URLs which you will need later
  14. On the side menu for the ProdPad enterprise app, select Provisioning
  15. Set "Provisioning Mode" to Automatic
  16. Under "Admin Credentials", in the field "Tenant URL" enter the URL https://api.prodpad.com/api/v2/scim
  17. In ProdPad, go to the API key tab (https://app.prodpad.com/me/apikeys), copy the API key and then paste it into the Authentication Token field in Azure.
  18. Click "Test connection" and wait for the test to pass (it will say connectivity confirmed).
  19. Now click "Save".
  20. Under "Settings" set "Provisioning Status" to On.
  21. Click "Save".

 

In ProdPad

  1. To start go to Account Settings and select the Authentication tab.
  2. Select ADFS from the "Add authentication" dropdown.
  3. Copy into the "Sign-In URL" field in ProdPad the URL labeled "SAML Entity ID" from the configure sign-on window in Azure AD.
  4. Copy into the "ACS Http Endpoint" field in ProdPad the URL labeled "SAML Single Sign-On Service URL" from the configure sign-on window in Azure AD.
  5. Copy into the "Logout URL" field in ProdPad the URL labeled "Sign Out URL" that you copied during the setup of the SAML 2.0 app in Azure AD.
  6. Paste the text of X.509 certificate you downloaded from Azure AD into the X.509 field.
  7. Add in your domain.
  8. Click save.
  9. You'll be sent a link via email that you need to click on or paste into your browser in order to verify that the domain is valid. Once that is done the authentication set up will become active and your users can start using Active Directory to login to ProdPad.
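To make the attribute and role rules above concrete, here is an added example (not ProdPad's or Microsoft's code) that builds a constructed, unsigned SAML assertion shaped like the one Azure AD emits once the identifier is user.mail and the firstname, familyname and User.ProdpadRole attributes exist, then applies the rules this article states for the ProdPad side: the identifier must be an email on the verified domain, and a missing or unrecognised role value falls back to reviewer. The sample emails and names are made up; the attribute names are the ones from steps 9 to 11.

```python
# Added example, not ProdPad's or Microsoft's code. Constructs a minimal SAML 2.0
# assertion shaped like the one Azure AD sends after the setup above, then applies
# the article's rules for what ProdPad does with the identifier and the role claim.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names exactly as added in the Azure AD enterprise app. SAML attribute
# names are compared as exact strings, so "Firstname" would NOT match "firstname".
FIRSTNAME_ATTR = "firstname"
FAMILYNAME_ATTR = "familyname"
ROLE_ATTR = "User.ProdpadRole"

# The three role values the article says ProdPad recognises, and the fallback.
VALID_ROLES = {"reviewer", "editor", "admin"}
DEFAULT_ROLE = "reviewer"


def build_assertion(email, firstname, familyname, role=None):
    """Construct a minimal, unsigned sample assertion (test data, not captured traffic)."""
    role_xml = ""
    if role is not None:
        role_xml = (f'<saml:Attribute Name="{ROLE_ATTR}">'
                    f'<saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>')
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_sample" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{email}</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{FIRSTNAME_ATTR}"><saml:AttributeValue>{firstname}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{FAMILYNAME_ATTR}"><saml:AttributeValue>{familyname}</saml:AttributeValue></saml:Attribute>
    {role_xml}
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) from the assertion's attribute statement."""
    root = ET.fromstring(xml_text)
    name_id = (root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def email_domain_matches(email, configured_domain):
    """The article's domain rule: the user's email domain must equal the verified domain."""
    if email.count("@") != 1:
        return False  # identifier is not an email address, so user.mail is not being sent
    return email.rsplit("@", 1)[1].lower() == configured_domain.lower()


def resolve_user(xml_text, configured_domain):
    """Map an assertion to the ProdPad user record implied by the article's rules.

    Raises ValueError for the case the article says fails at login (email domain
    different from the verified one). A missing or unknown role value yields the
    reviewer default rather than an error.
    """
    name_id, attrs = parse_assertion(xml_text)
    if not email_domain_matches(name_id, configured_domain):
        raise ValueError(f"Miss-matched email: {name_id!r} is not on {configured_domain!r}")
    # Exact match against the three values; anything else (or no claim) becomes reviewer.
    role = next((r for r in attrs.get(ROLE_ATTR, []) if r in VALID_ROLES), DEFAULT_ROLE)
    return {
        "email": name_id,
        "firstname": (attrs.get(FIRSTNAME_ATTR) or [""])[0],
        "familyname": (attrs.get(FAMILYNAME_ATTR) or [""])[0],
        "role": role,
    }


if __name__ == "__main__":
    sample = build_assertion("jane.doe@example.com", "Jane", "Doe", role="editor")
    print(resolve_user(sample, "example.com"))
    no_role = build_assertion("sam.lee@example.com", "Sam", "Lee")
    print(resolve_user(no_role, "example.com"))  # role falls back to reviewer
```

This only reads the attribute statement. A real assertion consumer must first verify the assertion's signature against the X.509 certificate downloaded in step 12 and check that the Audience and Recipient match the Identifier and Reply URL from steps 6 and 7; without those checks every attribute above, including the role, can be forged by anyone who can post to the ACS endpoint.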

 
