As part of your Enterprise subscription to ProductPlan, you can make signing in to ProductPlan easier by integrating with your organization’s Single Sign-On (SSO) solution. Using SSO for your team in ProductPlan requires an Enterprise Subscription.
By configuring SSO for your team in ProductPlan, your users will be able to sign in to ProductPlan by authenticating through your SSO application portal or on the ProductPlan login screen without requiring a password. You will also have the option to require authentication by SSO only, as well as to restrict Private Roadmap URLs to SSO users only.
Configuring your SSO Connection
You can configure and upload your team's SSO connection directly within ProductPlan on the Security page. This is a feature your Customer Success Manager will need to turn on for your account. We support most SAML 2.0 identity providers including Okta, Azure Active Directory, Ping, Google Apps, OneLogin, Centrify and more.
From the Security page you'll have access to the SP Entity ID as well as the SSO service endpoint (provided by ProductPlan). Once you've completed the configuration in your portal, simply upload the IDP Metadata directly into Step 3 on your Security page.
If you've completed the optional step 5 you will see step 6 appear which allows you to download ProductPlan's metadata should you need to do so.
You can also choose to require Single Sign-On in order for your team to access ProductPlan. If you choose this option, it will eliminate the ability to login to ProductPlan with a password. Before enabling this option, you should make sure that you’ve provisioned the users on your team for the ProductPlan application within your SSO identity provider.
Once enabled, your users will need to authenticate with your SSO provider in order to access ProductPlan. Attempting to login directly to ProductPlan will redirect any user to the configured SSO login. Turning off this option will allow users to login with passwords again.
There are three different attributes which you can map to ProductPlan from your identity provider: email, name and groups. Here is a list of attributes we will check for, including the default values:
If no email attribute is found, we will default to the subject’s name identifier (NameID)
If no name attribute is found, we will default to the first part of the user's email.
Team Provisioning for Single Sign-On
When configuring your connection within the Self-Hosted portal, you can also include group attributes in your metadata, which would allow existing and new users to get mapped to existing Teams within ProductPlan. To do this, you will need to map your SSO groups to a SAML attribute. We will check the following SAML group attributes; member-of, groups and teams.
Note: In order to auto-provision users to groups based on your SSO provider, a Team must already exist in ProductPlan.
Configuring SSO with Okta
Follow the steps below to set up SSO with Okta.
From the Okta admin console, select "Applications" on the left, and then "Add Application".
Select "Create New App". Leave "Platform" as "Web" but toggle the "Sign on method" to "SAML 2.0"
For "App name", enter "ProductPlan". You can optionally add our ProductPlan logo.
Paste the Single Sign On URL from Step 2 on our Security tab (the SSO service Endpoint). Paste the Audience URI from Step 1 on our Security tab. Toggle "Application username" to "Email".
In the Attribute Statements section, add two attribute statements, one for first_name and one for last_name, as seen in the screenshot below.
You can optionally download the Okta certificate from the right panel. Click "Next" and then "Finish". Click "Identity Provider metadata" and copy the information that opens in a new browser into the Step 3 of our Security tab.
Click "Save" in ProductPlan.
You can now optionally toggle Step 4 on our Security tab, which would require all users to login via Okta only. Without toggling Step 4, users can login either via Okta, or with their ProductPlan password.