Set up Single Sign-on (SSO)

Turn on Single Sign-on (SSO) in the Productsup platform so your users can log on to multiple related applications with one set of login credentials.

Introduction

As an admin user, you can turn on Single Sign-on (SSO) in Productsup so your users can log in to multiple related applications using one set of login credentials. You can set up and manage SSO permissions directly from your system and make SSO available to your users in the Productsup platform.

Users pass through two stages of login options before you complete the SSO setup at the third stage:

  1. The regular login screen requires users to log in using their Productsup credentials.

  2. Enabled SSO, as established by an admin. Users can log in with either Productsup or SSO credentials.

  3. Enforced SSO setup complete, as set by an admin. Most users can only log in using SSO credentials.

    Figure 1. Regular login


    Figure 2. Enabled SSO, email, and SSO login


    Figure 3. Enforced SSO setup


Requirements

  1. You have an account with an Identity Provider (IdP), for example, Google, Azure, AWS, etc.

  2. You have admin access to your IdP account interface to set up SSO for users in your organization.

IdP metadata file

To use the SSO feature in the Productsup platform, you must upload your IdP metadata file to the platform. Next, you need to share the IdP metadata configuration information with the service provider. Productsup acts as the service provider. The Productsup platform then creates metadata information for you to share with your IdP.

The IdP metadata XML file you receive from your IdP should contain the following: 

  • IdP Entity ID

  • certificate

  • SSO URL

  • redirect URL

The service provider metadata XML file contains the service provider's:

  • entity ID

  • redirect URL

  • logout URL

  • SSO Assertion Consumer Service URL

Perform the next steps in the following sections to set up and turn on SSO for your organization.

Configure SSO

To configure SSO, start by choosing and adding your IdP metadata.

  1. Go to Settings from your account’s main menu.

    Configure SSO in Productsup
  2. First, choose an IdP by selecting Google, Azure, or Other.

  3. Next, enter your account's subdomain name, for example, yourcompany.productsup.com and select Continue.

    Choose an IdP for SSO in Productsup
  4. Copy the SSO Assertion Consumer URL and Entity ID URLs and paste them into your IdP's admin console. Once you copy a URL, a pop-up confirmation message appears. Select Continue.

    Copy SSO Assertion Consumer URL to pass to IdP in Productsup
  5. Finally, drag your IdP's metadata XML file, which you can find in your IdP's admin console, into the file upload section. To manually upload the file instead, select Browse to locate it and select Finish.

    In the following example for Azure, here's where you would access your IdP's metadata XML in the admin console:

    Figure 4. Access Azure's IdP metadata XML


    Note

    Your IdP's XML file for upload must contain the Productsup Entity ID and SSO Assertion Consumer URL to continue.

    Upload metadata XML file for SSO in Productsup
  6. You have now configured SSO. Continue with Enable SSO for testing.

    SSO configured in Productsup

Enable SSO

You can enable SSO to ease your organization's transition to logging in via SSO without enforcing it. During this phase, you can test the SSO configuration to ensure everything works as planned. Your users can log in with their Productsup credentials or an SSO Identity Provider (IdP) password. They can no longer log in to Productsup via the Continue with Google feature. Users who don’t have a Productsup password can create one by selecting Forgot Password on the Productsup login page.

After you confirm that all users can log in via SSO and finalize your SSO configuration, you can require that all users log in with SSO.

  1. Select Enable to turn on SSO and begin testing it for users in your organization.

  2. After selecting Enable, a pop-up window appears with the following message:

    By enabling SSO, you can start testing for your organization. Testing SSO allows users in your organization to confirm if they can log in via Single Sign-on without issue. Once you enable testing, if a user attempts to log in to your Productsup instance via SSO using an email address not associated with a Productsup user, we will use Just-In-Time (JIT) provisioning. This automates user account creation with basic permissions.

    Enable SSO confirmation message in Productsup

    JIT is an authentication method that automates user account creation. It uses information passed from the IdP to the service provider to create a user account.

    Note

    Once you begin testing, users can no longer log in via Google sign-in. They can only log in using their IdP or Productsup password.

    SSO enabled confirmation in Productsup

Enforce SSO

After the Enable SSO phase, you can now choose to enforce SSO. Enforcing SSO forces most users to log in via SSO, not by email. If you invite a user to an additional Productsup account, they may log in via an email and password. Make sure the user accounts are compatible with your SSO Identity Provider. For example, the user's registered platform email must match the SSO IdP, such as an Outlook email address to an Outlook IdP.

Enforcing SSO is permanent. Once you enforce SSO, you can't edit the SSO configuration.

  1. Select Enforce to turn on SSO. To confirm, enter the same account subdomain name that you entered in step 3 of Configure SSO, then select Enforce again.

    Enforced SSO confirmation message in Productsup
  2. You have now successfully turned on SSO for your organization.

    Final enforced SSO confirmation message in Productsup

Log in using SSO

Once an admin enforces SSO on your account, you can log in only using SSO. Contact your admin for access to projects or sites.

Productsup platform SSO login, as set by an admin