As part of your Enterprise subscription to ProductPlan, you can make signing in to ProductPlan easier by integrating with your organization’s Single Sign-On (SSO) solution. Using SSO for your team in ProductPlan requires an Enterprise Subscription.
By configuring SSO for your team in ProductPlan, your users will be able to sign in to ProductPlan by authenticating through your SSO application portal or on the ProductPlan login screen without requiring a password. You will also have the option to require authentication by SSO only, as well as to restrict Private Roadmap URLs to SSO users only.
Configuring your SSO Connection within the Self-Hosted Portal
You can now configure and upload your team's SSO connection directly within the application on the Security page. This is a feature your Customer Success Manager will need to turn on for your account. We support most SAML 2.0 identity providers including Active Directory (Azure), Ping, Google Apps, Okta, OneLogin, Centrify and more.
From the Security page you'll have access to the SP Entity ID as well as the SSO service endpoint (provided by ProductPlan). Once you've completed the configuration in your portal, simply upload the IDP Metadata directly into Step 3 of your Security page.
You can also choose to require Single Sign-On in order for your team to access ProductPlan. If you choose this option, users will no longer be able to log in to ProductPlan with a unique password. Before enabling this option, you should make sure that you’ve provisioned the users on your team for the ProductPlan application within your SSO identity provider.
Once enabled, your users will need to authenticate with your SSO application in order to access ProductPlan. Attempting to log in directly to ProductPlan will redirect any user to the configured SSO login. Turning off this option will allow users to log in with passwords again.
There are three different attributes which you can map to ProductPlan from your identity provider: email, name and groups. Here is a list of attributes we will check for, including the default values:
If no email attribute is found, we will default to the subject’s name identifier (NameID).
If no name attribute is found, we will default to the first part of the user's email.
- first_name last_name
- givenName sn
Team Provisioning for Single Sign-On
When configuring your connection within the Self-Hosted portal, you can also include group attributes in your metadata, which allows existing and new users to be mapped to existing Teams within ProductPlan. To do this, you will need to map your SSO groups to a SAML attribute. We will check the following SAML group attributes: member-of, groups and teams.
Note: In order to auto-provision users to groups based on your SSO provider, a Team must already exist in ProductPlan.
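The following is an added example, not ProductPlan's code: a pre-flight check an administrator could run against a sample assertion from their identity provider before requiring SSO, to see which email, name and Team mapping the fallback rules described above would yield. The attribute names `email` and `name`, the order in which name sources are tried, exact-match comparison of group values to Team names, and the sample assertion are all assumptions; the script only inspects attributes and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTRS = ("member-of", "groups", "teams")                    # from the article
NAME_PAIRS = (("first_name", "last_name"), ("givenName", "sn"))   # from the article

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>dana@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Dana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Reyes</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Platform</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve(assertion_xml, existing_teams):
    """Return the email, name and Team mapping the documented rules would yield."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in a.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(a.get("Name"), []).extend(values)

    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    # "email" and "name" as attribute names are assumptions, not taken from the article.
    email = (attrs.get("email") or [name_id])[0]      # documented fallback: NameID
    name = (attrs.get("name") or [""])[0]
    for first, last in NAME_PAIRS:
        if not name and attrs.get(first) and attrs.get(last):
            name = f"{attrs[first][0]} {attrs[last][0]}"
    if not name:
        name = email.split("@")[0]                    # documented fallback: first part of email

    groups = [g for key in GROUP_ATTRS for g in attrs.get(key, [])]
    return {
        "email": email,
        "name": name,
        "mapped_teams": [g for g in groups if g in existing_teams],
        "unmapped_groups": [g for g in groups if g not in existing_teams],
    }


if __name__ == "__main__":
    print(resolve(SAMPLE, existing_teams={"Platform"}))
```

Any group reported under `unmapped_groups` has no matching Team yet, so a user carrying only those groups would not be auto-provisioned until the Team is created.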