Configuring your SSO Connection

Configuring SSO with Okta

As part of your Professional or Enterprise subscription to ProductPlan, you can make signing in to ProductPlan easier by integrating with your organization’s Single Sign-On (SSO) solution. Using SSO for your team in ProductPlan requires a Professional or Enterprise Subscription.

By configuring SSO for your team in ProductPlan, your users will be able to sign in to ProductPlan by authenticating through your SSO application portal or on the ProductPlan login screen without requiring a password. You will also have the option to require authentication by SSO only, as well as to restrict Private Roadmap URLs to SSO users only.

You can configure and upload your team's SSO connection directly within ProductPlan on the Security page. We support most SAML 2.0 identity providers including Okta, Azure Active Directory, Ping, Google Apps, OneLogin, Centrify and more. 

From the Security page you'll have access to the SP Entity ID as well as the SSO service endpoint (provided by ProductPlan). Once you've completed the configuration in your portal, simply upload the IDP Metadata directly into Step 3 on your Security page. If you find SSO isn't working, always verify the Metadata has been copied over.

If you've completed the optional step 5 you will see step 6 appear which allows you to download ProductPlan's metadata should you need to do so.

You can also choose to require Single Sign-On in order for your team to access ProductPlan. If you choose this option, it will eliminate the ability to login to ProductPlan with a password. Before enabling this option, you should make sure that you’ve provisioned the users on your team for the ProductPlan application within your SSO identity provider.

Step 7 gives account admins the ability to provision new users as editors. When configuring the SSO settings, account admins will be able to select the option that will automatically provision all new users with an editor license. Account admins will no longer have to worry about tracking new users provisioned as viewers and having to manually update the license type.

There will be three ways a user can obtain an automatic license to ProductPlan via SSO. The first is if a new user accesses the ProductPlan application from their internal SSO application. The second occurs when a new user clicks on a roadmap or private link shared with them. The final way the automatic licensure happens is if the account has the SSO domain redirect enabled, and the new user tries to log in.

Once enabled, your users will need to authenticate with your SSO provider in order to access ProductPlan. Attempting to login directly to ProductPlan will redirect any user to the configured SSO login. Turning off this option will allow users to login with passwords again.

There are three different attributes which you can map to ProductPlan from your identity provider: email, name and groups. Here is a list of attributes we will check for, including the default values:

If no email attribute is found, we will default to the subject’s name identifier (NameID)

If no name attribute is found, we will default to the first part of the user's email.

When configuring your connection within the Self-Hosted portal, you can also include group attributes in your metadata, which would allow users to get mapped to existing Teams within ProductPlan. To do this, you will need to map your SSO groups to a SAML attribute. We will check the following SAML group attributes; member-of, groups and teams.

Note: In order to auto-provision users to groups based on your SSO provider, a Team must already exist in ProductPlan. 

Follow the steps below to set up SSO with Okta.

From the Okta admin console, select "Applications" on the left, and then "Add Application".

Select "Create New App". Leave "Platform" as "Web" but toggle the "Sign on method" to "SAML 2.0"

For "App name", enter "ProductPlan". You can optionally add our ProductPlan logo.

Click "Next".

Paste the Single Sign On URL from Step 2 on our Security tab (the SSO service Endpoint). Paste the Audience URI from Step 1 on our Security tab. Toggle "Application username" to "Email".

In the Attribute Statements section, add two attribute statements, one for first_name and one for last_name, as seen in the screenshot below.

You can optionally download the Okta certificate from the right panel. Click "Next" and then "Finish". Click "Identity Provider metadata" and copy the information that opens in a new browser into the Step 3 of our Security tab.

Click "Save" in ProductPlan.

You can now optionally toggle Step 4 on our Security tab, which would require all users to login via Okta only. Without toggling Step 4, users can login either via Okta, or with their ProductPlan password.