OneLogin SSO

Using OneLogin allows you to set up a direct link from your OneLogin dashboard to ProdPad. This will allow users to log in to ProdPad without having to enter a password in ProdPad.

OneLogin ProdPad link supports the following capabilities:

  1. Login from the OneLogin dashboard into ProdPad.
  2. The user can also log in to ProdPad if they go to https://app.prodpad.com/ via OneLogin.
  3. Just-in-time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the dashboard, a role will be created for them in your account. The role will have a reviewer type unless SCIM is set up.
  4. For unlimited accounts, you can set up SCIM so that users are auto-provisioned. See the help guide on OneLogin SCIM set up.

The process starts with creating an application within OneLogin and then creating a corresponding integration in ProdPad.

In OneLogin

  1. Create a new SAML 2.0 connector
  2. On the Info tab enter a name (we suggest ProdPad) and upload the ProdPad logos (attached below) to make it easy for your users to recognise the app in their dashboard. Click Save to continue.
  3. Click on the Configuration menu option
  4. In the "Audience" field enter https://api.prodpad.com/api/v2/sso/saml/metadata
  5. In the "Recipient" field enter https://api.prodpad.com/api/v2/sso/saml/acs
  6. In the "ACS (Consumer) URL Validator" field enter https://api.prodpad.com/api/v2/sso/saml/acs
  7. In the "ACS (Consumer) URL" field enter https://api.prodpad.com/api/v2/sso/saml/acs
  8. In the "Single Logout URL" field enter https://api.prodpad.com/com/api/v2/sso/saml/sls
  9. Click "Save" in the top right hand corner
  10. Open the "Parameters" tab and make sure that NameId (fka email) is set to email
  11. Still on the "Parameters" tab click on the "add parameter" link
  12. Enter "User.FirstName" and select the checkbox "Include in SAML assertion"
  13. Click on the parameter row in the parameter table.
  14. Select the option "First Name" from the dropdown for "Value" and press save. The parameter table should now look like this:
  15. Repeat steps 4 to 7 but this time instead of "User.FirstName" create a parameter named "User.LastName" and associate the value "Last Name" to the parameter.
  16. Repeat steps 4 to 7 but this time instead of "User.FirstName" create a parameter named "User.ProdpadRole" and associate the value of the user field to the parameter. For example, you can create a custom user field called "ProdPad Role" and associate this custom user field to the "User.ProdpadRole" parameter.
  17. Click on the SSO tab and, if you haven't already, associate an X.509 certificate with the SAML connector
  18. Save the app

In ProdPad

  1. To start go to Account Settings and select the Authentication tab.
  2. Select OneLogin from the "Add authentication service" dropdown.
  3. Open the OneLogin ProdPad app and go to the SSO tab.
  4. Copy into the field "Sign-In URL" in ProdPad, the URL from the field "Issuer URL" in OneLogin
  5. Copy into the field "ACS Http Endpoint" in ProdPad, the URL in the field "SAML 2.0 Endpoint" in OneLogin
  6. Copy into the field "Logout URL" in ProdPad, the URL in the field "SLO Endpoint" in OneLogin
  7. Paste the text of X.509 certificate (public key generated above) into the X.509 field
  8. Enter a domain that will be used. This needs to match the domain of your email. We'll send you an email to confirm ownership of the email.
  9. Hit save
  10. Click on the link in the email sent to finish the process of setting up the SSO

To test, go to the identity provider's console and click on the ProdPad app icon; you'll be logged in to ProdPad. You can then go to https://app.prodpad.com/login and enter your email. You'll then be shown a button to log in using your IdP.

Notes

  • The domain you enter into the form must match the email domain that you are using for your own role in ProdPad. If it doesn't match it will error.
  • Each user will need to have an email that matches the entered domain otherwise they will get a "Miss-matched email" error when trying to log in.
  • User.ProdpadRole value can only be one of these three "reviewer", "editor" or "admin". If the value is missing or is anything else ProdPad will default to the role of "reviewer" when the user is created in ProdPad.

Setting up OneLogin with SCIM

ProdPad supports the automatic provisioning of users from your connected directory via OneLogin. The automatic provisioning does the following tasks:

  • When a new user is added to OneLogin, the user is created in ProdPad, assuming the user meets the rules set up within OneLogin
  • When a user's role is changed in OneLogin, the user's role is changed in ProdPad
  • If a user is removed from OneLogin, or the user's access to the ProdPad app is removed in OneLogin, the user is removed from ProdPad

In order for automatic provisioning to work you'll need to add a SAML attribute called User.ProdpadRole. The value for this attribute can be one of "reviewer", "editor" or "admin".

You don't need to allow everyone in the company access to ProdPad. Depending on how your IdP works, you can specify that only users with a specific tag or in a group have access to ProdPad.

Automatic Provisioning is only available for Unlimited and Enterprise plans.

In OneLogin

  1. Select the "SCIM Provisioner with SAML (Enterprise Schema)" from Apps > Add apps list
  2. Enter a name (we suggest ProdPad) and upload the logos attached at the bottom of the page so you can recognize it later.
  3. Click on the configuration tab and enter the following URLs into the respective fields:
    1. SAML Audience URL: https://api.prodpad.com/api/v2/sso/saml/metadata
    2. SAML Consumer URL: https://api.prodpad.com/api/v2/sso/saml/acs
    3. SCIM Base URL: https://api.prodpad.com/api/v2/scim
  4. Enter the following into the text field SCIM JSON template:

    {
        "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User",
            "urn:scim:prodpad:2.0:schema"
        ],
        "userName": "{$user.email}",
        "name": {
            "familyName": "{$user.lastname}",
            "givenName": "{$user.firstname}"
        },
        "urn:scim:prodpad:2.0:schema": {
            "role": "{$parameters.ProdpadRole}"
        }
    }

  1. In ProdPad, go to the API key tab (https://app.prodpad.com/me/apikeys) and copy the API key and then paste that into the SCIM Bearer Token field in OneLogin
  2. Enable the API connection by clicking the enable button.
  3. Click the save link in the top right.
  4. Click on the "Provisioning" tab.
  5. Click on the checkbox "Enable provisioning for SCIM Provisioner with SAML."
  6. Uncheck "Create user", "Delete user" and "Update user" if you don't want or need to always manually approve provisioning. Unchecking means those actions will happen automatically. 
  7. If you want users to be deleted from ProdPad when deleted in OneLogin, select "Delete" from the dropdown menu.
  8. Click save in the top right corner.
  9. Open the "Parameters" tab and make sure that NameId (fka email) is set to email
  10. Make sure that SAML NameID (subject) and SCIM Username are both set to Email
  11. Still on the parameters tab click "Add parameter"
  12. In the modal box enter "User.FirstName" and select the two checkboxes
  13. Click save and then click on the parameter "User.FirstName" in the table
  14. Select from the dropdown "First Name"
  15. Click save and the table should now show the mapping between the parameter and the user field
  16. Repeat steps 11 to 15 to create a parameter called "User.LastName" and set the value to the user's last name
  17. Repeat steps 11 to 15 to create a parameter called "User.ProdpadRole" and set the value to the custom field that contains the user's ProdPad role
  18. Click save in the top right corner 

In ProdPad

  1. To start go to Account Settings and select the Authentication tab.
  2. Select OneLogin from the "Add authentication service" dropdown.
  3. Open the OneLogin ProdPad app and go to the SSO tab.
  4. Copy into the field "Sign-In URL" in ProdPad, the URL from the field "Issuer URL" in OneLogin
  5. Copy into the field "ACS Http Endpoint" in ProdPad, the URL in the field "SAML 2.0 Endpoint" in OneLogin
  6. Copy into the field "Logout URL" in ProdPad, the URL in the field "SLO Endpoint" in OneLogin
  7. Paste the text of X.509 certificate (public key generated above) into the X.509 field
  8. Enter a domain that will be used. This needs to match the domain of your email. We'll send you an email to confirm ownership of the email.
  9. Hit save
  10. Click on the link in the email sent to finish the process of setting up the SSO

 

Notes

  • The domain you enter into the form must match the email domain that you are using for your own role in ProdPad. If it doesn't match it will error
  • Each user will need to have an email that matches the entered domain otherwise they will get a "Mis-matched email" error when trying to log in
  • The only valid values for the ProdpadRole parameter are "reviewer", "editor" and "admin". If nothing is entered or something other than those 3 values is used, the person's role in ProdPad will default to "reviewer"
  • Once the app is set up it will check users against the users in ProdPad, and if the emails match OneLogin will automatically update the user's role in ProdPad with the appropriate information so the user can immediately start using OneLogin to log in to ProdPad

If the user already exists in ProdPad but doesn't have a role in your ProdPad account, then the role won't be updated or a role created in your account. This is done to avoid potential security issues. If a user already has a role with another account in ProdPad, get in touch to resolve the issue. 
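
The role and domain rules in the notes above can be checked against a directory export before provisioning is switched on. The following is an added example, not ProdPad or OneLogin code: it renders the SCIM JSON template for each user and reports who would fall back to "reviewer", who would fail the domain check, and who would be granted "admin". The sample users, the function names, exact-match role comparison and case-insensitive domain comparison are assumptions.

```python
import json

VALID_ROLES = {"reviewer", "editor", "admin"}  # the three values the notes allow
EXT = "urn:scim:prodpad:2.0:schema"            # extension schema from the template

def render_scim_user(user):
    """Build the body the SCIM JSON template yields for one directory user."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", EXT],
        "userName": user.get("email", ""),
        "name": {"familyName": user.get("lastname", ""),
                 "givenName": user.get("firstname", "")},
        EXT: {"role": user.get("ProdpadRole", "")},
    }

def audit(payload, sso_domain):
    """Return (effective_role, findings) for one rendered payload."""
    findings = []
    local, at, domain = payload.get("userName", "").rpartition("@")
    # Assumption: domain comparison is case-insensitive.
    if not at or not local or domain.lower() != sso_domain.lower():
        findings.append("email does not match the SSO domain; login will fail")
    raw = payload.get(EXT, {}).get("role", "")
    # Assumption: role matching is exact, so "Admin" counts as "anything else".
    role = raw if raw in VALID_ROLES else "reviewer"
    if role != raw:
        findings.append(f"role {raw!r} is not valid; falls back to reviewer")
    if role == "admin":
        findings.append("admin granted from a directory field; confirm intent")
    return role, findings

# Constructed sample directory export, not real users.
SAMPLE_USERS = [
    {"email": "alice@example.com", "firstname": "Alice", "lastname": "A", "ProdpadRole": "editor"},
    {"email": "bob@example.com", "firstname": "Bob", "lastname": "B", "ProdpadRole": "Admin"},
    {"email": "carol@partner.example", "firstname": "Carol", "lastname": "C", "ProdpadRole": "reviewer"},
    {"email": "dave@example.com", "firstname": "Dave", "lastname": "D"},
    {"email": "erin@example.com", "firstname": "Erin", "lastname": "E", "ProdpadRole": "admin"},
]

def audit_directory(users, sso_domain):
    """Map each userName to its (effective_role, findings)."""
    return {u["email"]: audit(render_scim_user(u), sso_domain) for u in users}

if __name__ == "__main__":
    for email, (role, notes) in audit_directory(SAMPLE_USERS, "example.com").items():
        print(json.dumps({"user": email, "role": role, "findings": notes}))
```

Reviewing the "admin" findings matters because the role comes from a user field in the directory, so anyone who can edit that field controls who becomes a ProdPad admin.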
