Single sign-on allows you as a productboard admin to determine who has access to productboard by way of your existing identity provider/SSO solution: Active Directory, OneLogin, Okta and more.

Users will be able to seamlessly access productboard as long as they’re logged in to your organization’s identity provider system.

From your identity provider solution (IdP), you’ll be able to do any of the following:

  • Manage who is able to access productboard
  • Provision user roles
  • Update user details (first/last name)

Once single sign-on is enabled, you'll still be able to manage all productboard user roles in productboard.

Setting up SAML SSO

SAML SSO is available to all customers on productboard’s Scaling plan.

  • If you're not on the Scaling plan but would be interested in enabling SAML SSO, please reach out to a member of our team to trial this functionality.

productboard admins: follow the steps below to configure SAML SSO for your organization:

1. Create a new application in your IdP

In your IdP, create a new application and input the following details:

  • Audience: productboard
  • Recipient URL: https://{projectname}.productboard.com/users/auth/saml/callback
  • ACS (Consumer) URL Validator: ^https:\/\/.+\.productboard\.com\/users\/auth\/saml\/callback$
  • ACS (Consumer) URL: https://{projectname}.productboard.com/users/auth/saml/callback
  • Single Logout URL (optional): https://{projectname}.productboard.com/users/auth/saml/slo
  • User Identifier (Name ID Format): EmailAddress
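
The ACS URL validator above uses `.+` for the part in front of `.productboard.com`, and `.+` also matches `/` and further dots, so it is worth checking which URLs your IdP would actually accept. The following is an added example, not productboard's code: it runs the page's pattern and a stricter single-label variant over constructed sample URLs. The stricter pattern, the project name `acme`, and the use of Python's `re` dialect are assumptions; confirm your IdP's regex syntax before changing the validator.

```python
import re

# Validator pattern exactly as given in the setup steps above.
PAGE_VALIDATOR = r"^https:\/\/.+\.productboard\.com\/users\/auth\/saml\/callback$"

# Assumption (not from productboard): a stricter variant that allows exactly one
# lowercase DNS label (letters, digits, hyphens) in front of .productboard.com.
STRICT_VALIDATOR = (
    r"^https:\/\/[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"\.productboard\.com\/users\/auth\/saml\/callback$"
)

# Constructed sample URLs; "acme" is a placeholder project name.
CANDIDATES = [
    "https://acme.productboard.com/users/auth/saml/callback",
    "http://acme.productboard.com/users/auth/saml/callback",
    "https://acme.productboard.com/users/auth/saml/callback?x=1",
    "https://acme.productboard.com.example.net/users/auth/saml/callback",
    "https://example.net/a.productboard.com/users/auth/saml/callback",
    "https://productboard.com/users/auth/saml/callback",
]


def accepts(pattern, url):
    """True if the validator pattern matches the candidate ACS URL."""
    return re.search(pattern, url) is not None


def compare(urls):
    """Return (url, accepted_by_page_pattern, accepted_by_strict_pattern)."""
    return [(u, accepts(PAGE_VALIDATOR, u), accepts(STRICT_VALIDATOR, u)) for u in urls]


def disagreements(urls):
    """URLs on which the two validators give different answers."""
    return [u for u, page, strict in compare(urls) if page != strict]


if __name__ == "__main__":
    for url, page, strict in compare(CANDIDATES):
        print(f"page={page!s:5} strict={strict!s:5} {url}")
    print("differs:", disagreements(CANDIDATES))
```

Any URL listed under `differs` is accepted by one pattern and rejected by the other; review those before deciding which validator to register in your IdP.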

2. Configure your user in your IdP

Now add yourself to the new application and grant yourself admin access to productboard. Configure your IdP to send the following attributes:

  • Email (user identifier/NameID)
  • First Name/Last Name

Examples of the attribute names we support:

First Name:
    givenname
    FirstName
    first_name
    firstname
    firstName
    User.FirstName

Last Name:
    surname
    LastName
    last_name
    lastname
    lastName
    User.LastName

Note: In the event you need to update a user’s email address or your organization’s email domain, please contact productboard support.

4. Configure productboard

In productboard project settings choose the SAML configuration type your identity provider supports.

Use automatic configuration via a metadata file, or manually fill in these details provided by your IdP:

  • Name – IdP name to be shown on the login page (e.g. OneLogin)
  • SSO Endpoint
  • Certificate
  • Certificate Fingerprint
  • SLO Endpoint (optional if you want to enable SLO support)

Note: In many cases you can use either Certificate or Certificate Fingerprint, but will not need both. 

5. Finalize SSO settings in productboard

Next you’ll be prompted to log in to productboard via SSO to ensure everything is working properly. If anything seems amiss, you’ll be able to access productboard using your email and password to review the configuration.

productboard users will be able to access productboard uninterrupted during the SSO configuration process. Once the configuration is finalized, all users will automatically be logged out and prompted to log in via SSO.

Define user roles in your IdP (optional)

The default user role for new users authorized to access productboard via SAML SSO is contributor.

Use the pb_role custom field to specify which level of access a new user should have. This is only used when a user is initially provisioned. Once they have signed in for the first time, you will be able to change their role in productboard's Team Management page.

Supported values for pb_role include: admin, editor, contributor, viewer.

Note: The roles of existing users will persist after SAML SSO is authorized.

Configuring access to multiple productboard projects

To set up SAML SSO for multiple projects, only one application will be required in your IdP, but each project will need to be authorized separately. Note that the same metadata may be used to set up multiple SAML integrations.

By default, users with access to productboard via SAML SSO have access to all productboard projects, but you can limit access to specific projects by setting the custom field pb_project to a comma-separated list of the only projects they should be able to access (e.g. pb_project = pb,pb-design).

To give a user different roles in two different projects, specify this in the pb_role field for that user, listing a user’s projects as well as what role they should be assigned. (e.g. pb_role = {name_of_project_1}:editor,{name_of_project_2}:contributor)

Disabling SSO

Disable the SAML SSO integration at any time from productboard settings. 

The next time users log in, those who have never set a productboard password will be required to reset their password to receive login instructions via their email.
