Access & Authentication

SAML SSO and multiple ProdPad accounts

Performance and Enterprise customers with 2 or more accounts can associate their separate accounts with a single SAML SSO authentication type.

For users with access to some or all of these accounts, login access can also be dictated in the SAML assertion to determine the user's primary account that they will be created in at first login and when they login each time afterwards.

Users can also be invited to other accounts associated with the SAML SSO authentication type by account admins.

Linking accounts to a SAML Authentication Type

You can link accounts when creating a new SAML authentication type or by editing an existing authentication type and select the accounts from the options in the "Associate Accounts" field.


Once saved, you will see the linked accounts indicated under Associated Accounts the SAML authentication type information.


For linked accounts, under Account Settings > Security > SSO/SAML, users of that account will see an indication that the account has been linked to a SAML authentication type, together with the name and account ID of the account the authentication type was set up on.


Determining a user's account via a SAML assertion

When managing your SAML users across multiple accounts, it is important to configure the user's primary account ID. This dictates the account the user is created in when first logging into ProdPad and the account they are directed to on subsequent logins.

To determine the account the user is created in, you must:

  • configure a SAML claim/parameter attribute named User.AccountId that passes the account ID across in the SAML assertion;
  • populate this attribute with the value of a numerical account ID.

The account ID for an account can be seen under the Account Settings heading next to the account's company name.

The account ID of any associated accounts can be seen when hovering over the account name under Associated Accounts in the authentication type.


Important!

If an account ID is not provided in the SAML assertion when a user logs in for the first time, they will be created in the account that the authentication type is configured on.
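As an added illustration of the rule above (this is example code written for this article, not ProdPad's own service-provider code), the following resolves a user's primary account from a SAML 2.0 assertion: it looks for the User.AccountId attribute, falls back to the account the authentication type is configured on when the attribute is absent, and rejects values that are not numeric or not among the accounts associated with the authentication type. The sample assertions, the account IDs 1001/2002/3003 and the rejection of unknown IDs are assumptions made for the example; the page does not say how ProdPad itself treats an invalid value. It also assumes the assertion's signature has already been verified by the SAML library, since attribute values must never be trusted before that check.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Set

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACCOUNT_ATTR = "User.AccountId"  # attribute name documented in the article

# Constructed sample assertions (signature omitted; assume it was validated upstream).
ASSERTION_WITH_ACCOUNT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ex1" Version="2.0">
  <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="User.AccountId">
      <saml:AttributeValue>2002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ASSERTION_WITHOUT_ACCOUNT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ex2" Version="2.0">
  <saml:Subject><saml:NameID>joe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>joe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def find_account_attribute(assertion_xml: str) -> Optional[str]:
    """Return the raw User.AccountId value from the assertion, or None if it is not present."""
    root = ET.fromstring(assertion_xml)
    for attribute in root.iter(f"{{{SAML_NS['saml']}}}Attribute"):
        if attribute.get("Name") != ACCOUNT_ATTR:
            continue
        value = attribute.find("saml:AttributeValue", SAML_NS)
        if value is None or value.text is None:
            return None
        return value.text.strip()
    return None


def account_value_is_valid(raw: str, associated_account_ids: Set[int]) -> bool:
    """Accept only a numerical ID that belongs to an account linked to this authentication type."""
    return raw.isdigit() and int(raw) in associated_account_ids


def resolve_primary_account(assertion_xml: str, primary_account_id: int,
                            associated_account_ids: Set[int]) -> int:
    """Pick the account a first-time user is created in (and directed to later).

    primary_account_id is the account the authentication type is configured on; it is
    used whenever the assertion carries no User.AccountId, matching the article's rule.
    """
    raw = find_account_attribute(assertion_xml)
    if raw is None:
        return primary_account_id
    if not account_value_is_valid(raw, associated_account_ids):
        # Assumption for this example: an unknown or malformed ID is an error to surface,
        # not something to silently map to another account.
        raise ValueError(f"rejected {ACCOUNT_ATTR} value {raw!r}")
    return int(raw)


if __name__ == "__main__":
    linked = {1001, 2002, 3003}  # constructed: 1001 hosts the authentication type
    print(resolve_primary_account(ASSERTION_WITH_ACCOUNT, 1001, linked))     # 2002
    print(resolve_primary_account(ASSERTION_WITHOUT_ACCOUNT, 1001, linked))  # 1001
```

The check against the set of associated accounts is the part worth keeping in any real integration: an assertion is controlled by the IdP, so a typo or stale mapping in the IdP should fail loudly rather than land a user in the wrong account.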


Inviting users to associated accounts

Once a user has been added to their primary account via SAML authentication, they can be invited to associated accounts by account admins using the Invite Users function found under Account Settings > Users & Permissions.


When invited, the user is automatically created in that account and receives an email notifying them that they have been added. The user can then log in to ProdPad and switch to the associated account using the account switching menu, found by clicking the avatar in the top left corner.


Adding users to associated accounts via a SCIM integration

Customers on Performance plans and above who have set up a SCIM integration can automatically provision their users into multiple accounts by updating the SCIM schema or attribute (claim) mapping in their IdP.

To configure your IdP to send account IDs in the SCIM payload, add a custom claim/attribute named accounts to your IdP user attributes.

If your IdP supports SCIM via attribute mapping, update your current mapping to send this value as part of the SCIM provisioning sync.

If your IdP supports SCIM configuration via JSON templates, update the current SCIM JSON template to match the template below:

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:scim:prodpad:2.0:schema"
    ],
    "userName": "{$user.email}",
    "name": {
        "familyName": "{$user.lastname}",
        "givenName": "{$user.firstname}"
    },
    "urn:scim:prodpad:2.0:schema": {
        "accounts": "{$parameters.accounts}"
    }
}

The accounts value can be populated with a single account ID or with multiple comma-delimited IDs (e.g. 1,2,3).

Warning - If SCIM is enabled but an accounts attribute is not supplied, user provisioning defaults to creating users in the primary account associated with the authentication connector.
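To show how the template and the accounts attribute fit together, here is an added example (written for this article, not code from ProdPad or any IdP) that renders the SCIM JSON template above with an IdP's user fields and parameters, then reads the resulting payload the way a receiving side would: it pulls accounts out of the urn:scim:prodpad:2.0:schema extension, splits the comma-delimited list, drops duplicates, and falls back to the connector's primary account when the attribute is missing or empty. The {$user.x}/{$parameters.x} placeholder syntax is taken from the template on this page; the sample user, the account IDs and the rejection of non-numeric IDs are assumptions made for the example.

```python
import json
import re
from typing import Dict, List

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PRODPAD_SCHEMA = "urn:scim:prodpad:2.0:schema"

# The SCIM JSON template from the article, with its IdP placeholders.
SCIM_TEMPLATE = """{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:scim:prodpad:2.0:schema"
    ],
    "userName": "{$user.email}",
    "name": {
        "familyName": "{$user.lastname}",
        "givenName": "{$user.firstname}"
    },
    "urn:scim:prodpad:2.0:schema": {
        "accounts": "{$parameters.accounts}"
    }
}"""

# Matches {$user.email}, {$parameters.accounts}, etc.
_PLACEHOLDER = re.compile(r"\{\$(user|parameters)\.(\w+)\}")


def render_scim_user(template: str, user: Dict[str, str], parameters: Dict[str, str]) -> dict:
    """Fill the template's placeholders and parse the result as a SCIM user resource.

    A placeholder with no mapped value raises KeyError: an unmapped attribute is a
    configuration mistake the IdP admin should see, not something to send as literal text.
    """
    def substitute(match: re.Match) -> str:
        source = user if match.group(1) == "user" else parameters
        value = str(source[match.group(2)])
        return json.dumps(value)[1:-1]  # JSON-escape the value, minus the surrounding quotes

    return json.loads(_PLACEHOLDER.sub(substitute, template))


def target_accounts(payload: dict, primary_account_id: int) -> List[int]:
    """Return the list of account IDs a provisioned user should be created in.

    Missing or empty accounts -> [primary_account_id], mirroring the article's warning.
    Non-numeric entries are rejected (an assumption for this example).
    """
    raw = payload.get(PRODPAD_SCHEMA, {}).get("accounts")
    if raw is None or not str(raw).strip():
        return [primary_account_id]
    account_ids: List[int] = []
    for part in str(raw).split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"accounts contains a non-numeric entry: {part!r}")
        account_id = int(part)
        if account_id not in account_ids:  # keep order, drop duplicates
            account_ids.append(account_id)
    return account_ids


# Constructed sample IdP data for the example.
SAMPLE_USER = {"email": "jane@example.com", "lastname": "Doe", "firstname": "Jane"}
SAMPLE_PARAMETERS = {"accounts": "1001, 2002,1001"}


if __name__ == "__main__":
    payload = render_scim_user(SCIM_TEMPLATE, SAMPLE_USER, SAMPLE_PARAMETERS)
    print(json.dumps(payload, indent=2))
    print(target_accounts(payload, 1001))  # [1001, 2002]
```

The fallback in target_accounts is exactly the behaviour the warning describes, so it is worth confirming in a test environment that your IdP really does emit the accounts attribute before enabling the sync for everyone; an IdP that quietly drops an unmapped attribute will provision every user into the primary account only.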

