Access & Authentication

Azure Active Directory SSO (Performance and Enterprise)

Using Azure AD allows you to set up a direct link from your Azure AD dashboard to ProdPad. This will allow users to log in to ProdPad without having to enter a password in ProdPad.

Note

Please check your account subscription. The steps in this guide are for Performance and Enterprise accounts; Advanced plan customers will see slightly different configuration steps, which can be seen here.

Azure AD ProdPad link supports the following capabilities:

  • Login from the Azure AD dashboard into ProdPad.
  • The user can also log in to ProdPad via Azure AD if they go to https://app.prodpad.com/.
  • Just-in-time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the dashboard, a role will be created for them in your account. The role will have the reviewer type unless the role attribute is configured.
  • For Performance and Enterprise accounts, you can set up SCIM so that users are auto-provisioned. See here for steps to set this up.

Important!

If you currently have another authentication method enabled, such as Google or Slack, please disable it prior to installing SAML. For further help, please refer to our Implementation Check.

In ProdPad

  1. To start go to Account Settings and select the Security tab.
  2. Now select the SSO/SAML sub-tab.
  3. Click the "Add authentication type" button and select Azure AD from the dropdown.
  4. Keep the modal open (you will need these URLs) and go to Azure AD.

In Azure AD

  1. Click on "Enterprise Apps" in the Azure AD menu.
  2. Click on "Add application"
  3. Click on "Non-Gallery Application"
  4. Enter "ProdPad" as the application name.
  5. Click on "Single Sign-on" and select "SAML based Sign-on."
  6. In the "Identifier (Entity ID)" field input the URL https://api.prodpad.com/api/v2/sso/saml/metadata
  7. In the "Reply URL (Assertion Consumer Service URL)" field input the URL https://api.prodpad.com/api/v2/sso/saml/acs
  8. In the "User Attributes" section, select "user.mail" in the "User Identifier" select box.
  9. Click on "Advanced attributes" link and then click "Add Attribute". Enter the attribute "User.LastName" and give it a value of "user.surname" and click "ok." Ensure the "Namespace" field is blank.
  10. Click "Add Attribute". Enter the attribute "User.FirstName" and give it a value of "user.givenname" and click "ok." Ensure the "Namespace" field is blank.
  11. If you wish to utilise Just In Time Provisioning, click on "Add Attribute" and create an attribute with the name "User.ProdpadRole" with value "user.assignedroles". See the last section of this guide for more details around setting this up.
  12. For multiple account users, additional configuration is required; we have a separate guide for this.
  13. Click "ok" to continue.
  14. Click on the "Configure ProdPad" link. This provides you with the URLs which you will need later.
  15. In the "SAML Signing Certificate" section, Azure should have created a certificate for you to download. Download it in Base64 format and open it as a text file to obtain the X.509 certificate you will need later.

In ProdPad

  1. Click the Next button on the Azure AD modal.
  2. Copy the URL from the "Azure AD Identifier" field in Azure AD into the field labelled "IdP Entity ID/URL" in ProdPad.
  3. Copy the URL from the "Login URL" field in Azure AD into the field "IdP SAML Single Sign-On URL" in ProdPad.
  4. Copy the URL from the "Logout URL" field in Azure AD into the field "Logout URL" in ProdPad.
  5. Paste the text of the X.509 certificate (the public key generated above) into the X.509 certificate field.
  6. If you have multiple accounts on your ProdPad plan you can select these in the Associate Accounts field. Note: you must be a user in an account before you can associate it to the authentication type.
  7. Now you must decide whether you want your users to log in by IdP initiated login only or by IdP and SP initiated login. If you select IdP only, your users must log in from the Azure dashboard, rather than the ProdPad login page. If you opt for IdP & SP initiated login you must set up the Domains that your users can log in from; more about this here.
  8. If you have opted for IdP only, hit save and you are done! Your users can now use the ProdPad app link on their Azure dashboard.
  9. If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address your users will be logging in from. Note: for a domain to appear as an option here it must be verified under the Domains tab.
  10. Hit save.
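Before hitting save, it is worth checking that what was copied across is what the ProdPad form expects: three https URLs and a certificate that actually decodes. The script below is an added example (not ProdPad's or Microsoft's code) that performs those checks on a constructed configuration. The tenant ID is an all-zero placeholder, the certificate body is a fake Base64 blob whose decoded bytes merely start with the DER SEQUENCE tag, and the field names are the example's own; the URL formats for the Azure AD identifier and login URL follow the usual Azure AD layout.

```python
"""Sanity-check values copied from Azure AD before saving the ProdPad SSO form."""
import base64
import binascii
from urllib.parse import urlparse

# Constructed sample of what gets pasted into the ProdPad modal (not real tenant data).
# The certificate is a fake: valid Base64 whose decoded bytes begin with the DER
# SEQUENCE tag (0x30), which is enough to exercise the checks below.
FAKE_CERT_DER = b"\x30\x82\x01\x04" + b"\x00" * 260
TENANT_PLACEHOLDER = "00000000-0000-0000-0000-000000000000"
SAMPLE_CONFIG = {
    "idp_entity_id": f"https://sts.windows.net/{TENANT_PLACEHOLDER}/",
    "idp_sso_url": f"https://login.microsoftonline.com/{TENANT_PLACEHOLDER}/saml2",
    "idp_logout_url": f"https://login.microsoftonline.com/{TENANT_PLACEHOLDER}/saml2",
    "x509_cert": "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_CERT_DER).decode()
    + "\n-----END CERTIFICATE-----",
}


def _is_https(url: str) -> bool:
    """An IdP endpoint must be an absolute https URL; anything else is a paste error."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def decode_certificate(pem_or_b64: str) -> bytes:
    """Accept the Base64 download from Azure with or without PEM armour; return DER bytes."""
    lines = [line.strip() for line in pem_or_b64.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid Base64: {exc}") from exc
    if not der.startswith(b"\x30"):
        # Every X.509 certificate is a DER SEQUENCE; a different first byte means
        # the wrong file (e.g. the raw .cer binary pasted as text) was used.
        raise ValueError("decoded certificate does not start with a DER SEQUENCE")
    return der


def check_sso_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the form is safe to save."""
    problems = []
    for key in ("idp_entity_id", "idp_sso_url", "idp_logout_url"):
        if not _is_https(cfg.get(key, "")):
            problems.append(f"{key} must be an absolute https URL")
    try:
        decode_certificate(cfg.get("x509_cert", ""))
    except ValueError as exc:
        problems.append(f"x509_cert: {exc}")
    return problems


if __name__ == "__main__":
    for problem in check_sso_config(SAMPLE_CONFIG) or ["configuration looks consistent"]:
        print(problem)
```

The certificate check only confirms that the pasted text is a decodable DER structure; it does not prove it is the signing certificate Azure is actually using, so a failed test login after saving still points at the certificate as the first thing to re-download.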

To test, you can now go to the identity provider's console and click on the ProdPad app icon, and you'll be logged into ProdPad. If you have configured IdP & SP initiated login, you can also go to https://app.prodpad.com/login and enter your email. You'll then be shown a button to log in using Azure AD.

Azure AD with Provisioning

Once you have created your app in Azure AD you can opt to configure SCIM to auto-provision your user access and authentication in ProdPad.

  1. On the side menu for the ProdPad enterprise app, select Provisioning.
  2. Set "Provisioning Mode" to Automatic.
  3. Under "Admin Credentials", in the field "Tenant URL" enter the URL https://api.prodpad.com/api/v2/scim
  4. In ProdPad, go to the API key tab (https://app.prodpad.com/me/apikeys), copy the API key and then paste it into the Authentication Token field in Azure.
  5. Click "Test connection" and wait for the test to pass (it will say connectivity confirmed).
  6. Now click "Save".
  7. Under "Settings" set "Provisioning Status" to On.
  8. Click "Save".

Role provisioning in Azure AD

Azure AD needs some changes to the default settings in order to get role provisioning working with ProdPad.

For SAML token attributes:

  • The User Identifier Attribute needs to be set to the user's email address (i.e. user.mail).
  • Add an attribute User.LastName which is the user's family name.
  • Add an attribute User.FirstName which is the user's first name.

You can read about how to do this here - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

In the application manifest:

  • How you achieve this is up to you, whether by group or direct assignment. Once done, the SAML token attribute value user.assignedroles will resolve to the role assigned to the user for the ProdPad enterprise application in Azure AD (i.e. "reviewer", "editor" or "admin"). If the value is missing or not one of the three specified, ProdPad will default to setting the user as "reviewer".
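As an added illustration (not ProdPad's or Microsoft's code), the snippet below shows how a SAML service provider reads the attributes configured in this guide (User.FirstName, User.LastName, User.ProdpadRole, with the email as the subject identifier) out of an assertion and applies the role rule just described: a missing or unrecognised User.ProdpadRole value falls back to reviewer. The assertion is constructed; the attribute names and the three role values come from this guide, while the exact-match comparison and taking the first recognised value when several are sent are assumptions of the example. A real service provider verifies the assertion's signature against the IdP X.509 certificate pasted earlier before trusting any of these values.

```python
"""Map attributes from a (constructed) Azure AD SAML assertion to a JIT-provisioned user."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Role values accepted by ProdPad per this guide; anything else falls back to reviewer.
ALLOWED_ROLES = {"reviewer", "editor", "admin"}
DEFAULT_ROLE = "reviewer"

# Constructed sample assertion, not captured from Azure AD or ProdPad. A real assertion
# carries a signature that must be verified against the IdP certificate before any
# attribute below is trusted; that step is deliberately outside this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID>jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.FirstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="User.LastName">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="User.ProdpadRole">
      <saml:AttributeValue>editor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement, plus the NameID."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    attrs["NameID"] = [name_id.text.strip()] if name_id is not None and name_id.text else []
    return attrs


def resolve_role(values: list) -> str:
    """Apply the documented rule: missing or unknown role value -> reviewer.

    Assumption of this example: if Azure AD emits several values, the first one
    ProdPad recognises wins; comparison is exact (no case folding).
    """
    for value in values:
        if value in ALLOWED_ROLES:
            return value
    return DEFAULT_ROLE


def jit_user_from_assertion(assertion_xml: str) -> dict:
    """Build the record a just-in-time provisioning step would create for a new user."""
    attrs = extract_attributes(assertion_xml)
    email = attrs["NameID"][0] if attrs["NameID"] else ""
    if not email:
        # User Identifier must be user.mail; without it there is nothing to key the account on.
        raise ValueError("assertion has no NameID; User Identifier should be user.mail")
    return {
        "email": email,
        "first_name": attrs.get("User.FirstName", [""])[0],
        "last_name": attrs.get("User.LastName", [""])[0],
        "role": resolve_role(attrs.get("User.ProdpadRole", [])),
    }


if __name__ == "__main__":
    print(jit_user_from_assertion(SAMPLE_ASSERTION))
```

The fallback to reviewer is what makes a misconfigured manifest fail safe: a user whose role claim never arrives, or arrives with a value outside the three ProdPad understands, gets the least-privileged type rather than an error or an elevated role.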
