SAML SSO and multiple ProdPad accounts
Performance and Enterprise customers with 2 or more accounts can associate their separate accounts with a single SAML SSO authentication type.
For users with access to some or all of these accounts, the SAML assertion can also specify the user's primary account: the account they are created in at first login and directed to at each subsequent login.
Users can also be invited to other accounts associated with the SAML SSO authentication type by account admins.
Linking accounts to a SAML Authentication Type
You can link accounts when creating a new SAML authentication type, or by editing an existing authentication type and selecting the accounts from the options in the "Associate Accounts" field.
Once saved, you will see the linked accounts listed under Associated Accounts in the SAML authentication type information.
For linked accounts, Account Settings > Security > SSO/SAML shows an indication that the account has been linked to a SAML authentication type, along with the account name and account ID that the authentication type was set up on.
Determining a user's account via a SAML assertion
When managing your SAML users across multiple accounts, it is important to configure the user's primary account ID. This dictates the account they are created in when first logging in to ProdPad and the account they are directed to on subsequent logins.
To determine the account the user is created in you must:
- configure a SAML claim/parameter attribute named User.AccountId to pass across the account ID in the SAML assertion.
- this attribute should be populated with the value of a numerical account ID.
The account ID for an account can be seen under the Account Settings heading next to the account's company name.
The account ID of any associated accounts can be seen when hovering over the account name under Associated Accounts in the authentication type.
If an account ID is not provided in the SAML assertion when a user logs in for the first time, they will be created in the account that the authentication type is configured on.
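A pre-flight check for the User.AccountId rule described above, to run against a decoded test assertion from your own IdP before enabling the mapping. This is an added example, not ProdPad code. The function name, the sample XML and the account IDs are constructed, and rejecting multiple values or IDs that are not linked to the authentication type is an assumption of this check, not documented ProdPad behaviour.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AttributeStatement as an IdP might emit it.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="User.AccountId">
      <saml:AttributeValue>10002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve_account(assertion_xml, owner_id, associated_ids):
    """Return (account_id, note) for a decoded test assertion (hypothetical helper).

    owner_id: account the authentication type is configured on.
    associated_ids: account IDs shown under Associated Accounts.
    """
    # Parses your own test data only; no signature validation happens here.
    root = ET.fromstring(assertion_xml)
    values = [
        (v.text or "").strip()
        for a in root.iterfind(".//saml:Attribute[@Name='User.AccountId']", NS)
        for v in a.iterfind("saml:AttributeValue", NS)
    ]
    if not values:
        # Documented fallback: the user is created in the owning account.
        return owner_id, "User.AccountId absent: falls back to owning account"
    if len(values) > 1:
        # Assumption: exactly one value is expected.
        raise ValueError("User.AccountId has multiple values; send exactly one")
    raw = values[0]
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"User.AccountId must be a numerical account ID, got {raw!r}")
    account_id = int(raw)
    if account_id != owner_id and account_id not in associated_ids:
        # Assumption: an ID outside the linked set is a misconfiguration.
        raise ValueError(f"account {account_id} is not linked to this authentication type")
    return account_id, "User.AccountId present"
```

A ValueError here points at an IdP claim mapping to correct before users are provisioned into the wrong account.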
Adding users to associated accounts
Once a user has been added to their primary account via SAML authentication, they can now be invited to associated accounts by account admins using the Invite Users function found under Account Settings > Users & Permissions.
When invited, the user is automatically created in that account and receives an email to notify them that they have been added. The user can now log in to ProdPad and navigate to the associated account using the account switching menu, found by clicking the avatar in the top left corner.