Access & Authentication

OneLogin (Performance and Enterprise)

Using OneLogin allows you to set up a direct link from your OneLogin dashboard to ProdPad. This will allow users to log in to ProdPad without having to enter a password in ProdPad.

Note

Please check your account subscription. The steps in this guide are for Performance and Enterprise accounts. Advanced plan customers will see slightly different configuration steps, which can be seen here.

OneLogin ProdPad link supports the following capabilities:

  • Log in from the OneLogin dashboard into ProdPad.
  • The user can also log in to ProdPad if they go to https://app.prodpad.com/ via OneLogin.
  • Just-in-time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the dashboard, a role will be created for them in your account. The role will have a reviewer type unless SCIM is set up.
  • For Performance and Enterprise accounts, you can set up SCIM so that users are auto-provisioned. Scroll down to the next section for SCIM set up steps.

Important!

If you currently have another authentication method enabled such as Google or Slack, please disable them prior to installing SAML.

In ProdPad

  1. To start go to Account Settings and select the Security tab.
  2. Now select the SSO/SAML sub-tab.
  3. Click the "Add authentication type" button and select OneLogin from the dropdown.
  4. Keep the modal open (you will need these URLs) and go to OneLogin.

In OneLogin

  1. Create a new SAML 2.0 connector.
  2. On the Info tab enter a name (we suggest ProdPad) and upload the ProdPad logos (attached below) to make it easy for your users to recognise the app in their dashboard. Click Save to continue.
  3. In the "SAML Audience URL" field paste the Audience/Identifier URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/metadata)
  4. In the "SAML Consumer URL" field paste the ACS/Reply URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/acs)
  5. If applicable, in the "Single Logout URL" field paste the Single Logout URL (https://api.prodpad.com/com/api/v2/sso/saml/sls)
  6. Click "Save" in the top right hand corner.
  7. Open the "Parameters" tab and make sure that NameID is set to email.
  8. Still on the "Parameters" tab click on the "add parameter" link.
  9. Enter "User.FirstName" and select the checkbox "Include in SAML assertion".
  10. Click on the parameter row in the parameter table.
  11. Select the option "First Name" from the dropdown for "Value" and press save. The parameter table should now show the parameter with its mapped value.
  12. Repeat steps 12 to 14 but this time instead of "User.FirstName" create a parameter named "User.LastName" and associate the value "Last Name" to the parameter.
  13. If you wish to utilise Just In Time provisioning for user roles, repeat steps 12 to 14 but this time instead of "User.FirstName" create a parameter named "User.ProdpadRole" and associate the value of the user field to the parameter. For example, you can create a custom user field called "ProdPad Role" and associate this custom user field to the "User.ProdpadRole" parameter. The values for this field should be either 'admin', 'editor' or 'reviewer'. If no value is passed over or if the value is incorrect, new users will be created as 'reviewer' by default.
  14. Click on the SSO tab and, if you haven't already, associate an X.509 certificate to the SAML connector.
  15. Save the app.
  16. Open the SSO tab and now return to ProdPad.

In ProdPad

  1. Click the Next button on the OneLogin modal.
  2. Copy into the field labelled "IdP Entity ID/URL" in ProdPad, the URL from the field "Issuer URL" in OneLogin.
  3. Copy into the field "IdP SAML Single Sign-On URL" in ProdPad, the URL in the field "SAML 2.0 Endpoint" in OneLogin.
  4. Copy into the field "Logout URL" in ProdPad, the URL in the field "SLO Endpoint" in OneLogin.
  5. Paste the text of X.509 certificate (public key generated above) into the X.509 certificate field.
  6. If you have multiple accounts on your ProdPad plan you can select these in the Associate Accounts field. Note: you must be a user in an account before you can associate it to the authentication type.
  7. Now you must decide whether you want your users to log in by IdP initiated login only or by IdP and SP initiated login. If you select IdP only, your users must log in from the OneLogin dashboard, rather than the ProdPad login page. If you opt for IdP & SP initiated login you must set up the Domains that your users can log in from, more about this here.
  8. If you have opted for IdP only, hit save and you are done! Your users can now use the ProdPad app link on their OneLogin dashboard.
  9. If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address they will be logging in from. Note: for a domain to appear as an option here it must be verified under the Domains tab.
  10. Hit save.

To test, you can now go to the Identity provider's console and click on the ProdPad app icon and you'll be logged into ProdPad. If you have configured for IdP & SP initiated login, you can also go to https://app.prodpad.com/login and enter your email. You'll then be shown a button to log in using OneLogin.

Setting up OneLogin with SCIM

ProdPad supports the automatic provisioning of users from your connected directory via OneLogin. The automatic provisioning does the following tasks:

  • When a new user is added to OneLogin, the user is created in ProdPad, assuming the user meets the rules set up within OneLogin.
  • When a user's role is changed in OneLogin, the user's role is changed in ProdPad.
  • If a user is removed from OneLogin, or the user is removed from having access to the ProdPad app in OneLogin, the user is removed from ProdPad.

In order for automatic provisioning to work you'll need to add a SAML attribute called ProdpadRole. The value for this attribute can be one of "reviewer", "editor" or "admin".

You don't need to allow everyone in the company access to ProdPad. Depending on how your IdP works, you can specify that only users with a specific tag or in a specific group have access to ProdPad.

Automatic Provisioning is only available for Performance and Enterprise plans.

In ProdPad

  1. To start go to Account Settings and select the Security tab.
  2. Now select the SSO/SAML sub-tab.
  3. Click the "Add authentication type" button and select OneLogin from the dropdown.
  4. Keep the modal open (you will need these URLs) and go to OneLogin.

In OneLogin

  1. Create a custom user field called ProdpadRole. This will be used to set the user's role in ProdPad using SCIM.
  2. Select the "SCIM Provisioner with SAML (Enterprise Schema)" from Apps > Add apps list.
  3. Enter a name (we suggest ProdPad) and upload the logos attached at the bottom of the page so you can recognize it later.
  4. Click on the configuration tab and enter the following URLs into the respective fields:
  5. SAML Audience URL: https://api.prodpad.com/api/v2/sso/saml/metadata
  6. SAML Consumer URL: https://api.prodpad.com/api/v2/sso/saml/acs
  7. SCIM Base URL: https://api.prodpad.com/api/v2/scim
  8. Enter the following into the text field SCIM JSON template:

    {
        "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User",
            "urn:scim:prodpad:2.0:schema"
        ],
        "userName": "{$user.email}",
        "name": {
            "familyName": "{$user.lastname}",
            "givenName": "{$user.firstname}"
        },
        "urn:scim:prodpad:2.0:schema": {
            "role": "{$parameters.ProdpadRole}"
        }
    }

    or, if you have multiple accounts, and wish to auto-provision users in accounts specific to them:

    {
        "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User",
            "urn:scim:prodpad:2.0:schema"
        ],
        "userName": "{$user.email}",
        "name": {
            "familyName": "{$user.lastname}",
            "givenName": "{$user.firstname}"
        },
        "urn:scim:prodpad:2.0:schema": {
            "role": "{$parameters.ProdpadRole}",
            "account_id": "{$parameters.AccountId}"
        }
    }

In ProdPad

  1. Go to the API key tab (https://app.prodpad.com/me/apikeys) and copy the API key and then paste that into the SCIM Bearer Token field in OneLogin.
  2. Enable the API connection by clicking the enable button.
  3. Click the save link in the top right.
  4. Click on the "Provisioning" tab.
  5. Click on the checkbox "Enable provisioning for SCIM Provisioner with SAML."
  6. Uncheck "Create user", "Delete user" and "Update user" if you don't want or need to always manually approve provisioning. Unchecking means those actions will happen automatically. 
  7. If you want users to be deleted from ProdPad when deleted in OneLogin, select "Delete" from the dropdown menu.
  8. Click save in the top right corner.
  9. Open the "Parameters" tab and make sure that NameId (fka email) is set to email.
  10. Make sure that SAML NameID (subject) and SCIM Username are both set to Email.
  11. Still on the parameters tab click "Add parameter".
  12. In the modal box enter "ProdpadRole" and select the two checkboxes.
  13. Click save and then click on the parameter "ProdpadRole" in the table.
  14. Select from the dropdown "ProdpadRole".
  15. Click save and the table should now show the mapping between the parameter and the user field.
  16. Click save in the top right corner. 

In ProdPad

  1. Click the Next button on the OneLogin modal.
  2. Copy into the field labelled "IdP Entity ID/URL" in ProdPad, the URL from the field "Issuer URL" in OneLogin.
  3. Copy into the field "IdP SAML Single Sign-On URL" in ProdPad, the URL in the field "SAML 2.0 Endpoint" in OneLogin.
  4. Copy into the field "Logout URL" in ProdPad, the URL in the field "SLO Endpoint" in OneLogin.
  5. Paste the text of X.509 certificate (public key generated above) into the X.509 certificate field.
  6. If you have multiple accounts on your ProdPad plan you can select these in the Associate Accounts field. Note: you must be a user in an account before you can associate it to the authentication type.
  7. Now you must decide whether you want your users to log in by IdP initiated login only or by IdP and SP initiated login. If you select IdP only, your users must log in from the OneLogin dashboard, rather than the ProdPad login page. If you opt for IdP & SP initiated login you must set up the Domains that your users can log in from, more about this here.
  8. If you have opted for IdP only, hit Save and you are done! Your users can now use the ProdPad app link on their OneLogin dashboard.
  9. If you have opted for IdP & SP initiated login, from the Domains list select the domains that correspond to the email address they will be logging in from. Note: for a domain to appear as an option here it must be verified under the Domains tab.
  10. Hit save.

To test, you can now go to the Identity provider's console and click on the ProdPad app icon and you'll be logged into ProdPad. If you have configured for IdP & SP initiated login, you can also go to https://app.prodpad.com/login and enter your email. You'll then be shown a button to log in using OneLogin.

Important!

  • The domain you enter into the form must match the email domain that you are using for your own role in ProdPad. If it doesn't match it will error.
  • Each user will need to have an email that matches the entered domain otherwise they will get a "Mis-matched email" error when trying to log in.
  • The only valid values for the ProdpadRole parameter are "reviewer", "editor" and "admin". If nothing is entered or something other than those 3 values is used then the person's role in ProdPad will be defaulted to "reviewer".
  • Once the app is set up it will check users against the users in ProdPad. If the emails match, OneLogin will automatically update the user's role in ProdPad with the appropriate information so the user can immediately start using OneLogin to log in to ProdPad.

If the user already exists in ProdPad but doesn't have a role in your ProdPad account, then the role won't be updated or a role created in your account. This is done to avoid potential security issues. If a user already has a role with another account in ProdPad, get in touch to resolve the issue. 
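
The role and domain rules above can be checked before provisioning is enabled. The following is an added example, not ProdPad or OneLogin code: it audits a constructed list of directory users, flagging anyone whose ProdpadRole would fall back to "reviewer", anyone whose email domain is not a verified domain, and listing who would become an admin. The record layout and the exact-match comparison are assumptions.

```python
# Added example: pre-flight audit of directory users against the rules on this page.
# The user records below are constructed sample data, not a OneLogin export format.
VALID_ROLES = {"reviewer", "editor", "admin"}  # values listed on this page
DEFAULT_ROLE = "reviewer"                      # fallback stated on this page


def effective_role(raw_role):
    """Return the role ProdPad would apply, per the page's fallback rule.

    Assumption: matching is exact (case- and whitespace-sensitive); the page
    does not say whether "Admin" or " admin" would be accepted.
    """
    return raw_role if raw_role in VALID_ROLES else DEFAULT_ROLE


def audit_users(users, verified_domains):
    """Return (findings, admins) for a list of {'email', 'ProdpadRole'} dicts."""
    findings, admins = [], []
    domains = {d.lower() for d in verified_domains}
    for user in users:
        email = user.get("email", "")
        raw = user.get("ProdpadRole")
        domain = email.rpartition("@")[2].lower()
        if not domain or domain not in domains:
            findings.append((email, "email domain not in verified domains"))
        role = effective_role(raw)
        if raw != role:
            findings.append((email, f"ProdpadRole {raw!r} falls back to {role!r}"))
        if role == "admin":
            admins.append(email)
    return findings, admins


# Constructed sample input.
SAMPLE_USERS = [
    {"email": "ana@example.com", "ProdpadRole": "admin"},
    {"email": "bo@example.com", "ProdpadRole": "Editor"},   # wrong case
    {"email": "cy@example.com"},                             # field not set
    {"email": "di@contractor.example", "ProdpadRole": "reviewer"},
]

if __name__ == "__main__":
    findings, admins = audit_users(SAMPLE_USERS, ["example.com"])
    for email, problem in findings:
        print(f"{email}: {problem}")
    print("Will be provisioned as admin:", ", ".join(admins) or "none")
```

Reviewing the admin list before unchecking the manual approval boxes keeps role assignment deliberate once provisioning runs automatically.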
