SSO

Okta SSO

Using Okta allows you to set up a direct link from your Okta dashboard to ProdPad. This will allow your users to log in to ProdPad without having to enter a password in ProdPad.

The Okta ProdPad link supports the following capabilities:

  1. Login from the Okta dashboard into ProdPad
  2. The user can also log in to ProdPad using Okta from the ProdPad login page
  3. Just-in-time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the Okta dashboard, a role will be created for them in your account. The role will have a reviewer type unless SCIM is set up.
  4. For Performance and Enterprise plan customers, please contact us if you wish to have your users auto-provisioned and fully managed in Okta.

The process starts with creating an application within Okta and then creating a corresponding integration in ProdPad.

In Okta

  1. Go to the Applications tab in the Admin view of Okta.
  2. Click on the "Add application" button and then the "Create New App" button.
  3. In the modal select Web and SAML and click on create.
  4. Add "ProdPad" as the name and upload the logo (available at the bottom of the page) and then hit next.
  5. On the next page enter the URL https://api.prodpad.com/api/v2/sso/saml/acs into the Single sign on URL field.
  6. In the Audience URI enter https://api.prodpad.com/api/v2/sso/saml/metadata
  7. Select the option "EmailAddress" from the Name ID format select box.
  8. Select the option "Email" from the Application username select box.
  9. In the attributes section add an attribute "User.FirstName" and set the value to "user.firstName"
  10. Add another attribute "User.LastName" and set the value to "user.lastName"
  11. Click the green next button.
  12. Click next again.
  13. Click the "View setup instructions" option.

Almost there - now let's set things up in ProdPad!

In ProdPad

  1. To start go to Account Settings and select the Authentication tab.
  2. Select SAML 2.0 from the "Add authentication" dropdown
  3. Copy the URL from the field "Identity Provider Issuer" on the Okta setup instructions page into the field "Sign-In URL" in ProdPad.
  4. Copy the URL from the field "Identity Provider Single Sign-On URL" on the Okta setup instructions page into the field "ACS Http Endpoint" in ProdPad.
  5. Leave the "Logout URL" field blank.
  6. Paste the text of X.509 certificate into the X.509 field.
  7. Add in your domain
  8. Click save
  9. You’ll be sent a link via email that you need to click on or paste into your browser in order to verify that the domain is valid. Once that is done, the authentication setup will become active and your users can start using Okta to log in to ProdPad.

Just In Time Provisioning 

In Okta, navigate to Directory > Profile Editor:

Search for the prodpad app, then click Profile:

Click Add Attribute, then enter the following information:

  • Display Name: Enter ProdpadRole.

  • Variable Name: Enter ProdpadRole.

Click Save:

If you check User personal, the ProdpadRole attribute will be available once you assign a single user to the ProdPad app and will not be available once you assign a group to the ProdPad app. For example, in the following screenshot, the User personal Scope was not applied to the ProdpadRole attribute:

[Screenshot: prodpad_d.png]

Now, when you assign users to the ProdPad app, you can specify the attribute ProdpadRole for a user. The value needs to be either reviewer, editor, or admin (lower case). If the role is not specified, a user will log in as a Reviewer.

[Screenshot: prodpad_e.png]

Important!

  • The domain you enter into the form must match the email domain that you are using for your own role in ProdPad. If it doesn’t match it will error.
  • Each user will need to have an email that matches the entered domain otherwise they will get a "Miss-matched email" error when trying to log in.
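
A pre-flight check for the settings above, as an added example that is not ProdPad's or Okta's own code: it inspects a SAML assertion (for instance one copied from Okta's assertion preview) and lists anything that disagrees with this page. It assumes the role is sent as a SAML attribute named ProdpadRole and that Okta uses the Single sign on URL as the Recipient; `check_assertion`, `SAMPLE` and the `example.com` user are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://api.prodpad.com/api/v2/sso/saml/acs"        # Single sign on URL (from this page)
AUDIENCE = "https://api.prodpad.com/api/v2/sso/saml/metadata"  # Audience URI (from this page)
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ROLES = {"reviewer", "editor", "admin"}                        # lower case, per this page

# Constructed sample assertion (unsigned); note the capitalised role value.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jo@example.com</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="User.FirstName"><saml:AttributeValue>Jo</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="ProdpadRole"><saml:AttributeValue>Editor</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def check_assertion(xml_text, domain):
    """Return a list of mismatches between an assertion and this page's settings.
    Structural pre-flight only: the XML signature is NOT verified here."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["missing NameID"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EmailAddress")
    email = (name_id.text or "").strip()
    if "@" not in email or email.rpartition("@")[2].lower() != domain.lower():
        problems.append("email domain does not match " + domain)
    scd = root.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    # Assumption: Okta sends the Single sign on URL as the Recipient.
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient is not the ACS URL")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience URI missing")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    for required in ("User.FirstName", "User.LastName"):
        if not any(attrs.get(required, [])):
            problems.append("missing attribute " + required)
    for role in attrs.get("ProdpadRole", []):  # optional: absent means Reviewer
        if role not in ROLES:
            problems.append("invalid ProdpadRole " + repr(role))
    return problems
```

`check_assertion(SAMPLE, "example.com")` flags only the capitalised role. An empty list means the assertion's structure matches this page, not that the assertion is authentic.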
