Access & Authentication

Active Directory Federated Services (Performance and Enterprise)

Customers on Performance and Enterprise accounts can set up ADFS SSO with ProdPad. This allows your AD users to log in to ProdPad without having to enter a ProdPad password.

Important!

If you currently have another authentication method enabled, such as Google or Slack, please disable it before enabling ADFS SSO. For further help, please refer to our Implementation Checklist.

In ProdPad

  1. To start, go to Account Settings and select the Security tab.
  2. Now select the SSO/SAML sub-tab.
  3. Click the "Add authentication type" button and select ADFS from the dropdown.
  4. Keep the modal open (you may need these URLs) and go to Server Manager.

In ADFS

Create a Claims aware relying party trust

  1. In Server Manager, click Tools, and then select AD FS Management.
  2. Under Actions, click Add Relying Party Trust.
  3. On the Welcome page, choose Claims aware and click Start.
  4. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.
  5. On the Specify Display Name page, enter a name in Display name, e.g. ProdPad, and then click Next.
  6. On the Configure Certificate page, find and add your certificate, then click Next.
  7. On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol check box. Under Relying party SAML 2.0 SSO service URL, enter https://api.prodpad.com/api/v2/sso/saml/acs, then click Next.
  8. On the Configure Identifiers page, add https://api.prodpad.com/api/v2/sso/saml/metadata to the list, and then click Next.
  9. On the Ready to Add Trust page, review the settings, and then click Next.
  10. On the Finish page, click Close.

Alternatively, create a claims aware Relying Party Trust using federation metadata

  1. In Server Manager, click Tools, and then select AD FS Management.
  2. Under Actions, click Add Relying Party Trust.
  3. On the Welcome page, choose Claims aware and click Start.
  4. On the Select Data Source page, click ‘Import data about the relying party published online or on a local network’. In ‘Federation metadata address (host name or URL)’, enter https://api.prodpad.com/api/v2/sso/saml/metadata and then click Next.
  5. On the Specify Display Name page, enter a name in Display name, e.g. ProdPad, and then click Next.
  6. On the Choose Issuance Authorization Rules page, select either Permit all users to access this relying party or Deny all users access to this relying party, and then click Next.
  7. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.
  8. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box.

Create claim rules

Once the relying party trust has been created, the claim rule editor opens by default.

  1. To create a new rule, click ‘Add Rule’. Create a ‘Send LDAP Attributes as Claims’ rule.
  2. On the next page, using ‘Active Directory’ as your attribute store, do the following:
    1. Select ‘E-Mail Addresses’ in the LDAP Attribute column.
    2. Select ‘E-Mail Address’ in the ‘Outgoing Claim Type’ column.
  3. Click ‘OK’.
  4. Click ‘Add Rule’ and select ‘Transform an Incoming Claim’ as the claim rule template.
  5. On the next page:
    1. For the ‘Incoming Claim Type’, select ‘E-mail Address’.
    2. For ‘Outgoing Claim Type’, select ‘Name ID’.
    3. For ‘Outgoing Name ID Format’, select ‘Email’.
    4. Leave ‘Pass through all claim values’ set as the default.
  6. Click ‘OK’ to create the claim rule, and ‘OK’ again to finish.
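The same relying party trust and the two claim rules above can be created from the ADFS PowerShell module instead of the AD FS Management GUI. The following is an added example, not ProdPad's own code or part of the original article. It assumes you run it as an ADFS administrator on the federation server with the ADFS module available, that "ProdPad" is the display name you chose, and it uses the metadata URL the article gives; the claim rule text is the rule language the two GUI templates generate.

```powershell
# Added example (not from the ProdPad article): build the ProdPad relying party
# trust from federation metadata and attach the email -> Name ID claim rules.
# Assumptions: run as an ADFS administrator on the federation server; the ADFS
# module is installed; "ProdPad" is the display name chosen in the steps above.

Import-Module ADFS

$displayName = "ProdPad"
$metadataUrl = "https://api.prodpad.com/api/v2/sso/saml/metadata"

# Claim rule language equivalent of the two GUI rules:
#   1. "Send LDAP Attributes as Claims": AD 'mail' attribute -> E-Mail Address claim
#   2. "Transform an Incoming Claim":    E-Mail Address -> Name ID with format Email
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users" issuance authorization rule, as generated by the GUI template.
# On ADFS 2016 and later you can use -AccessControlPolicyName instead.
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Import the trust from ProdPad's metadata (the "alternatively" procedure above).
# The metadata supplies the identifier, the ACS endpoint and ProdPad's signing
# certificate, so none of them has to be typed by hand.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $permitAll

# Check what was imported before handing the IdP details to ProdPad:
# the identifier should be the metadata URL and the ACS endpoint should be
# https://api.prodpad.com/api/v2/sso/saml/acs with the HTTP-POST binding.
$trust = Get-AdfsRelyingPartyTrust -Name $displayName
$trust.Identifier
$trust.SamlEndpoints | Format-Table Binding, Protocol, Location
$trust.IssuanceTransformRules
```

Importing from metadata rather than typing the endpoints avoids the most common misconfiguration, a mistyped ACS URL, and the final `Get-AdfsRelyingPartyTrust` call lets you confirm the identifier and endpoint match the values in the manual procedure before any user is pointed at the trust.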

In ProdPad

  1. Click the Next button on the ADFS modal.
  2. Copy your SAML Entity ID/URL into the field labelled "IdP Entity ID/URL" in ProdPad.
  3. Copy your SAML Single Sign-On Service URL into the field "IdP SAML Single Sign-On URL" in ProdPad.
  4. Copy your Sign Out URL into the field "Logout URL" in ProdPad.
  5. Paste the text of your X.509 certificate into the X.509 certificate field.
  6. If you have multiple accounts on your ProdPad plan, you can select these in the Associate Accounts field. Note: you must be a user in an account before you can associate it to the authentication type.
  7. Now you must decide whether you want your users to log in by IdP-initiated login only, or by both IdP- and SP-initiated login. If you select IdP only, your users must log in from the Azure dashboard rather than the ProdPad login page. If you opt for IdP & SP initiated login, you must set up the Domains that your users can log in from; more about this here.
  8. If you have opted for IdP only, hit Save and you are done! Your users can now use the ProdPad app link on their app dashboard.
  9. If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address your users will be logging in from. Note: for a domain to appear as an option here, it must be verified under the Domains tab.
  10. Hit Save.

To test, you can now go to the identity provider's console and click on the ProdPad app icon; you'll be logged into ProdPad. If you have configured SP-initiated login, you can also go to https://app.prodpad.com/login and enter your email. You'll then be shown a button to log in using ADFS.

Provisioning

ADFS needs some changes to the claim rules to enable role provisioning with ProdPad.

ProdPad requires an attribute named User.ProdpadRole in the SAML assertion, with the value 'admin', 'editor' or 'reviewer'.

How you achieve this is up to you, whether by group or direct assignment. If no value is supplied, the user's role will default to reviewer.

You can read about how to send claims using custom rules here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-claims-using-a-custom-rule
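One way to issue User.ProdpadRole from AD group membership with custom claim rules, written as an added example rather than ProdPad's or Microsoft's own code. It assumes the trust is named "ProdPad", that the two group SIDs are placeholders you replace with your own groups, and that users in neither group should fall back to ProdPad's reviewer default. It also shows the append step a practitioner needs because `Set-AdfsRelyingPartyTrust -IssuanceTransformRules` replaces the whole rule set rather than adding to it.

```powershell
# Added example (not from the ProdPad article): issue User.ProdpadRole from AD
# group membership and append the rules to the existing ProdPad trust.
# Assumptions: trust display name "ProdPad"; the SIDs below are placeholders.

Import-Module ADFS

$trustName = "ProdPad"

# Placeholder SIDs: replace with your groups, e.g. (Get-ADGroup "ProdPad-Admins").SID.Value
$adminGroupSid  = "S-1-5-21-PLACEHOLDER-1001"
$editorGroupSid = "S-1-5-21-PLACEHOLDER-1002"

# ProdPad expects a single value. Rules run in order and a claim issued by an
# earlier rule is visible to later rules, so the editor rule only fires when no
# User.ProdpadRole claim exists yet. A user in both groups gets "admin", not two
# conflicting values. Users in neither group get no claim, and ProdPad then
# defaults them to reviewer, so no explicit reviewer rule is needed.
$roleRules = @"
@RuleName = "ProdPad role: admin"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$adminGroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "User.ProdpadRole", Value = "admin");

@RuleName = "ProdPad role: editor (only if no role issued yet)"
NOT EXISTS([Type == "User.ProdpadRole"])
 && c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$editorGroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "User.ProdpadRole", Value = "editor");
"@

# Set-AdfsRelyingPartyTrust replaces the entire issuance transform rule set, so
# read the existing rules (the email and Name ID rules created earlier) and
# append the role rules instead of overwriting them.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found" }

$combinedRules = $trust.IssuanceTransformRules.TrimEnd() + "`r`n`r`n" + $roleRules
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $combinedRules

# Verify: the rule set should still start with the email/Name ID rules and now
# end with the two User.ProdpadRole rules.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

Ordering the rules from most to least privileged and guarding the lower rule with `NOT EXISTS` is what keeps the assertion to one role value; if you later add a direct-assignment rule for individual users, place it before the group rules so it takes precedence the same way.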
