Azure Active Directory SSO

Using Azure AD you can set up a direct link from your Azure AD dashboard to ProdPad, so your users log in to ProdPad without entering a separate ProdPad password.

The Azure AD to ProdPad link supports the following capabilities:

  1. Login from the Azure AD dashboard into ProdPad.
  2. Login to ProdPad using Azure AD from the ProdPad login page.
  3. Just-in-time provisioning: if a user who has never logged into ProdPad before clicks the ProdPad app in the Azure AD dashboard, a user record is created for them in your account. That user gets the reviewer role unless SCIM is set up to supply a role.
  4. For unlimited and enterprise accounts, you can set up SCIM so that users are auto-provisioned and fully managed from Azure AD.

The process starts with creating an application within Azure AD and then creating a corresponding integration in ProdPad.

In Azure AD

Follow these steps to create a custom application for Azure in order to set up the connection https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

  1. In the "Configure App settings" tab, enter these values in the corresponding fields:
    1. Sign On URL: leave blank
    2. Identifier: https://api.prodpad.com/api/v2/sso/saml/metadata
    3. Reply URL: https://api.prodpad.com/api/v2/sso/saml/acs
  2. Hit the left arrow to move to the next tab.
  3. In the next tab, "Configure single sign-on at ProdPad", copy down the URLs and download the certificate. You'll need these to finish the setup in ProdPad.
  4. Click next and then complete.

Next, set up ProdPad authentication to use the Azure AD app.

In ProdPad

  1. Go to Account Settings and select the Authentication tab.
  2. Select ADFS from the "Add authentication" dropdown.
  3. Copy into the "Sign-In URL" field in ProdPad the URL labeled "Issuer URL" that you copied during the setup of the SAML 2.0 app in Azure AD.
  4. Copy into the "ACS Http Endpoint" field in ProdPad the URL labeled "Single Sign On Service Url" that you copied during the setup of the SAML 2.0 app in Azure AD.
  5. Copy into the "Logout URL" field in ProdPad the URL labeled "Single Sign Out Service URL" that you copied during the setup of the SAML 2.0 app in Azure AD.
  6. Paste the text of the X.509 certificate you downloaded from Azure AD into the X.509 field.
  7. Add in your domain.
  8. Click save.
  9. You'll be sent a link via email that you need to click on or paste into your browser in order to verify that the domain is valid. Once that is done the authentication setup becomes active and your users can start using Azure AD to log in to ProdPad.

Provisioning

Azure AD needs some changes to its default settings in order to get automatic provisioning working with ProdPad:

  • The NameIdentifier attribute needs to be set to the user's email address, not the Azure AD username. See this article on how to do that: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization
  • Add an attribute familyname containing the user's family name. Again, follow the above article for details on how to do this.
  • Add an attribute firstname containing the user's first name.
  • Add an attribute ProdpadRole set to the value of a user field that indicates the user's role in ProdPad. That value can be "reviewer", "editor" or "admin". If the value is missing or not one of the three, ProdPad defaults to "reviewer".

Notes

  • The domain you enter into the form must match the email domain of your own ProdPad user. If it doesn't match, saving will error.
  • Each user needs an email that matches the entered domain, otherwise they get a "Mismatched email" error when trying to log in.
  • ProdPad uses the pasted X.509 certificate to verify the signature on the SAML assertions Azure AD sends. If you roll over the signing certificate in Azure AD, paste the new certificate into ProdPad before making it active in Azure AD, or logins will fail.
  • Setting up on-premise or otherwise hosted Active Directory requires that you are able to create a SAML 2.0 app (Active Directory 3.0+) and enter the above information into that app.
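The script below, added here as an example and not ProdPad's or Microsoft's code, shows what the provisioning and note rules above amount to on the wire. It parses a SAML Response (two constructed, unsigned samples shaped like Azure AD output) and reports what ProdPad would see: whether the NameID is an email in the verified domain, which of the firstname, familyname and ProdpadRole claims arrived, and which role the user would end up with. The claim names, role values, ACS URL and "Mismatched email" behaviour come from the page; the Destination check and the sample users are mine. It does not verify the assertion signature, which ProdPad does with the pasted X.509 certificate.

```python
"""Inspect a SAML Response against the ProdPad provisioning rules listed above.

Added example; not ProdPad's or Microsoft's code. The responses below are
constructed, unsigned samples shaped like Azure AD output. Real responses are
signed and ProdPad checks that signature with the pasted X.509 certificate;
this script only shows which NameID, claims and role ProdPad would see.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_URL = "https://api.prodpad.com/api/v2/sso/saml/acs"    # from the page
VALID_ROLES = ("reviewer", "editor", "admin")                # from the page


def _response(name_id, fmt, attrs):
    """Build a constructed sample Response; attrs maps claim name -> value."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{ACS_URL}"><saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()  # as carried in the SAMLResponse form field


# Sample 1: what a correctly customised Azure AD app sends.
GOOD = _response("jane@example.com", EMAIL_FORMAT,
                 {"firstname": "Jane", "familyname": "Doe", "ProdpadRole": "editor"})
# Sample 2: Azure AD default NameID (not the mail) and no familyname/ProdpadRole claims.
BAD_NAMEID = _response("jane_contoso.com#EXT#@tenant.onmicrosoft.com",
                       "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                       {"firstname": "Jane"})
# Sample 3: mail from a domain other than the one verified in ProdPad, unknown role.
OTHER_DOMAIN = _response("jane@partner.example", EMAIL_FORMAT,
                         {"firstname": "Jane", "familyname": "Doe", "ProdpadRole": "owner"})


def inspect_response(saml_response_b64, configured_domain):
    """Return what ProdPad would make of this response for the given verified domain."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    errors, warnings = [], []
    if root.get("Destination") != ACS_URL:      # my check: the response must target ProdPad's ACS
        errors.append(f"Destination is {root.get('Destination')!r}, expected the ProdPad ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "errors": ["no Assertion in Response"], "warnings": warnings, "user": None}

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip() if name_id is not None else ""
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in email:
        errors.append("NameID must be the user's email address (user.mail), not the Azure AD name")
    elif email.rsplit("@", 1)[1].lower() != configured_domain.lower():
        errors.append(f"Mismatched email: {email} is not in the verified domain {configured_domain}")

    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values[0].strip() if values else ""
    for required in ("firstname", "familyname"):
        if not claims.get(required):
            warnings.append(f"claim {required!r} missing; the ProdPad profile will lack it")
    role = claims.get("ProdpadRole", "")
    if role not in VALID_ROLES:
        warnings.append(f"ProdpadRole {role!r} is missing or invalid; ProdPad defaults to 'reviewer'")
        role = "reviewer"

    user = {"email": email, "first_name": claims.get("firstname", ""),
            "family_name": claims.get("familyname", ""), "role": role}
    return {"ok": not errors, "errors": errors, "warnings": warnings, "user": user}


if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad nameid", BAD_NAMEID), ("other domain", OTHER_DOMAIN)):
        print(label, inspect_response(sample, "example.com"))
```

To use it against a real login, capture the SAMLResponse form field posted to the ACS URL (browser developer tools, or a SAML tracer extension) and pass it in unchanged: it is already base64 encoded. A failing "NameID" line means the User Identifier is still the Azure AD default rather than user.mail; a "Mismatched email" line is the same condition ProdPad reports at login.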

 

Azure AD with Provisioning

In Azure AD

  1. Click on "Enterprise Apps" in the Azure AD menu.
  2. Click on "Add application not in directory."
  3. Enter "ProdPad" as the application name.
  4. Click on "Single Sign-on" and select "SAML based Sign-on."
  5. In the "Identifier" field, input the URL https://api.prodpad.com/api/v2/sso/saml/metadata
  6. In the "Reply URL" field, input the URL https://api.prodpad.com/api/v2/sso/saml/acs
  7. In the "User Attributes" section, select "user.mail" in the "User Identifier" select box.
  8. Click on the "Advanced attributes" link and then click "Add Attribute". Enter the attribute "familyName", give it a value of "user.surname" and click "OK".
  9. Click on "Add Attribute" and create an attribute "Role"; set the value to "user.ProdpadRole" or whatever user attribute holds the user's role in ProdPad. Click "OK" to continue.
  10. In the "SAML Signing Certificate" section, click on "Create new Certificate" and then click "Save."
  11. Select "Make certificate active" and click "Save" in the top bar of the page.
  12. Click on the "Configure ProdPad" link.
  13. At the time of writing of this help document, you need to go to the classic Azure portal in order to set up provisioning.
  14. Go to the classic portal and head to your Active Directory. Click on "Applications."
  15. Click on "ProdPad" in the next tab.
  16. Click on "Configure Account Provisioning" (step 2).
  17. In the modal screen, in the "Provisioning Endpoint" field enter the URL https://api.prodpad.com/api/v2/scim
  18. In ProdPad, go to the API key tab (https://app.prodpad.com/me/apikeys), copy the API key and paste it into the Authentication Token field in Azure. The key is tied to the ProdPad user who generated it, so generate it from an admin account that will stay in the organisation, and regenerate it (and update Azure AD) if that account is removed.
  19. Click "Next" to proceed.
  20. Click "Start test" and, once the test passes (it will say connectivity confirmed), click Next.
  21. Choose 'User' as the object type to provision (there is no concept of groups at this time within ProdPad).
  22. Click next and select the check mark to save the provisioning settings.

 

In ProdPad

  1. Go to Account Settings and select the Authentication tab.
  2. Select ADFS from the "Add authentication" dropdown.
  3. Copy into the "Sign-In URL" field in ProdPad the URL labeled "SAML Entity ID" from the configure sign-on window in Azure AD.
  4. Copy into the "ACS Http Endpoint" field in ProdPad the URL labeled "SAML Single Sign-On Service URL" from the configure sign-on window in Azure AD.
  5. Copy into the "Logout URL" field in ProdPad the URL labeled "Sign Out URL" that you copied during the setup of the SAML 2.0 app in Azure AD.
  6. Paste the text of the X.509 certificate you downloaded from Azure AD into the X.509 field.
  7. Add in your domain.
  8. Click save.
  9. You'll be sent a link via email that you need to click on or paste into your browser in order to verify that the domain is valid. Once that is done the authentication setup becomes active and your users can start using Active Directory to log in to ProdPad.

Once the link is set up, some additional editing is required in Azure AD to get provisioning working. How you do this will depend on your setup. The primary edit is to give each user an attribute (ProdpadRole is used here as an example name) whose value is "reviewer", "editor" or "admin".

That attribute then needs to be mapped in the attribute mapping to the SCIM/SAML attribute "role". If no role is defined, ProdPad defaults to reviewer.
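The following script, added as an example and not ProdPad's or Microsoft's code, builds the SCIM 2.0 requests one provisioning cycle would send to the endpoint above from a constructed set of Azure AD user records, so the payload (mail as userName, name parts, active flag, role) can be checked before letting Azure AD run. It assumes ProdPad accepts a standard RFC 7643 core User; the directory attribute holding the ProdPad role (extension_ProdpadRole) and carrying the role in the core `roles` list (the page names the target attribute "role") are assumptions. Nothing is sent over the network.

```python
"""Build the SCIM 2.0 requests Azure AD's provisioning service would send to ProdPad.

Added example; not ProdPad's or Microsoft's code. Assumes an RFC 7643 core User
resource at the SCIM endpoint above. The Azure AD attribute name holding the
role and the use of the core `roles` list are assumptions. Nothing is sent:
each function returns the request it would make so the payload can be checked.
"""
import json

SCIM_BASE = "https://api.prodpad.com/api/v2/scim"        # from the page
VERIFIED_DOMAIN = "example.com"                           # domain verified in ProdPad (sample)
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
VALID_ROLES = ("reviewer", "editor", "admin")             # from the page
ROLE_ATTR = "extension_ProdpadRole"                        # assumed Azure AD attribute name

# Constructed sample of the directory records Azure AD would read.
AZURE_USERS = [
    {"objectId": "1111-aaaa", "mail": "jane@example.com", "givenName": "Jane",
     "surname": "Doe", "accountEnabled": True, ROLE_ATTR: "admin"},
    {"objectId": "2222-bbbb", "mail": "sam@example.com", "givenName": "Sam",
     "surname": "Lee", "accountEnabled": True, ROLE_ATTR: "Product Manager"},  # not a ProdPad role
    {"objectId": "3333-cccc", "mail": "ex@example.com", "givenName": "Ex",
     "surname": "Staff", "accountEnabled": False, ROLE_ATTR: "editor"},        # has left
    {"objectId": "4444-dddd", "mail": "bob@partner.example", "givenName": "Bob",
     "surname": "Ray", "accountEnabled": True, ROLE_ATTR: "editor"},           # other domain
]


def _headers(api_key):
    # The ProdPad API key from https://app.prodpad.com/me/apikeys is sent as a bearer token.
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/scim+json"}


def to_scim_user(azure_user):
    """Map one Azure AD record to the SCIM User resource ProdPad would receive."""
    role = azure_user.get(ROLE_ATTR, "")
    if role not in VALID_ROLES:
        role = "reviewer"                    # ProdPad's default for a missing/unknown role
    return {
        "schemas": [USER_SCHEMA],
        "externalId": azure_user["objectId"],
        "userName": azure_user["mail"],      # user.mail, as on the SSO side, not the UPN
        "name": {"givenName": azure_user["givenName"], "familyName": azure_user["surname"]},
        "emails": [{"value": azure_user["mail"], "type": "work", "primary": True}],
        "active": bool(azure_user["accountEnabled"]),
        "roles": [{"value": role, "primary": True}],   # assumed carrier for the "role" attribute
    }


def create_request(azure_user, api_key):
    return {"method": "POST", "url": f"{SCIM_BASE}/Users",
            "headers": _headers(api_key), "body": json.dumps(to_scim_user(azure_user))}


def deactivate_request(prodpad_id, api_key):
    """Disabling the account in Azure AD becomes a PATCH that sets active=false."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return {"method": "PATCH", "url": f"{SCIM_BASE}/Users/{prodpad_id}",
            "headers": _headers(api_key), "body": json.dumps(body)}


def parsed_body(request):
    return json.loads(request["body"])


def plan(azure_users, known, api_key, domain=VERIFIED_DOMAIN):
    """Return (requests, skipped) for one provisioning cycle.

    `known` maps mail -> ProdPad user id for users already provisioned; in real
    life Azure AD learns this with GET /Users?filter=userName eq "<mail>".
    """
    requests, skipped = [], []
    for u in azure_users:
        mail = u["mail"].lower()
        if mail.rsplit("@", 1)[1] != domain:
            skipped.append((mail, "Mismatched email: outside the verified domain"))
        elif not u["accountEnabled"]:
            if mail in known:
                requests.append(deactivate_request(known[mail], api_key))
            else:
                skipped.append((mail, "disabled and never provisioned"))
        elif mail in known:
            skipped.append((mail, "already provisioned"))  # Azure AD would PATCH changed attributes
        else:
            requests.append(create_request(u, api_key))
    return requests, skipped


if __name__ == "__main__":
    reqs, skipped = plan(AZURE_USERS, {"ex@example.com": "pp-9"}, "REDACTED-API-KEY")
    for r in reqs:
        print(r["method"], r["url"], r["body"])
    for mail, why in skipped:
        print("skip", mail, why)
```

The sample deliberately includes a user whose directory value is not one of ProdPad's three roles, so the generated resource shows the fallback to reviewer, and a user outside the verified domain, who would only produce a "Mismatched email" failure if provisioned. When checking a real tenant, log the request bodies but never the Authorization header.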
