Set up Single Sign-on (SSO)
Turn on Single Sign-on (SSO) in the Productsup platform so your users can log on to multiple related applications with one set of login credentials.
Introduction
As an admin user, Productsup lets you turn on Single Sign-on (SSO), so your users can log in to multiple related applications using one set of login credentials. You can set up and manage SSO permissions directly from your system and make SSO available to your users in the Productsup platform.
Users pass through two login stages before the SSO setup is complete at the third stage:
Regular login screen requires users to log in using their Productsup credentials.
Enabled SSO, as established by an admin. Users can log in with either Productsup or SSO credentials.
Enforced SSO setup complete, as set by an admin. Most users can only log in using SSO credentials.
Figure 1. Regular login
Figure 2. Enabled SSO, email, and SSO login
Figure 3. Enforced SSO setup
Requirements
You have an account with an Identity Provider (IdP), for example, Google, Azure, or AWS.
You have admin access to your IdP account interface to set up SSO for users in your organization.
IdP metadata file
To use the SSO feature in the Productsup platform, you must upload your IdP metadata file to the platform. Next, you need to share the IdP metadata configuration information with the service provider. Productsup acts as the service provider. The Productsup platform then creates metadata information for you to share with your IdP.
The IdP metadata XML file you receive from your IdP should contain the following:
IdP Entity ID
certificate
SSO URL
redirect URL
The service provider metadata XML file contains the following service provider details:
entity ID
redirect URL
logout URL
SSO Assertion Consumer Service URL
Perform the next steps in the following sections to set up and turn on SSO for your organization.
Configure SSO
To configure SSO, start by choosing and adding your IdP metadata.
1. Go to Settings from your account’s main menu.
2. First, choose an IdP by selecting Google, Azure, or Other.
3. Next, enter your account's subdomain name, for example, yourcompany.productsup.com, and select Continue.
4. Copy the SSO Assertion Consumer URL and Entity ID URLs and paste them into your IdP's admin console. Once you copy a URL, a pop-up confirmation message appears. Select Continue.
5. Finally, drag your IdP's metadata XML file, which you can find in your IdP's admin console, into the file upload section. To manually upload the file instead, select Browse to locate it and select Finish.
In the following example for Azure, here's where you would access your IdP's metadata XML in the admin console:
Figure 4. Access Azure's IdP metadata XML
Note
Your IdP's XML file for upload must contain the Productsup Entity ID and SSO Assertion Consumer URL to continue.
You have now configured SSO. Continue with Enable SSO for testing.
Enable SSO
You can enable SSO to ease your organization's transition to logging in via SSO without enforcing it. During this phase, you can test the SSO configuration to ensure everything works as planned. Your users can log in with their Productsup credentials or an SSO Identity Provider (IdP) password. They can no longer log in to Productsup via the Continue with Google feature. Users that don’t have a Productsup password can create one by selecting Forgot Password on the Productsup login page.
After you confirm that all users can log in via SSO and finalize your SSO configuration, you can require that all users log in with SSO.
Select Enable to turn on SSO and begin testing it for users in your organization.
After selecting Enable, a pop-up window appears with the following message:
By enabling SSO, you can start testing for your organization. Testing SSO allows users in your organization to confirm if they can log in via Single Sign-on without issue. Once you enable testing, if a user attempts to log in to your Productsup instance via SSO using an email address not associated with a Productsup user, we will use Just-In-Time (JIT) provisioning. This automates user account creation with basic permissions.
JIT is an authentication method that automates user account creation. It uses information passed from the IdP to the service provider to create a user account.
Note
Once you begin testing, users can no longer log in via Google sign-in. They can only log in using their IdP or Productsup password.
Enforce SSO
After the Enable SSO phase, you can now choose to enforce SSO. Enforcing SSO forces most users to log in via SSO, not by email. If you invite a user to an additional Productsup account, they may log in via an email and password. Make sure the user accounts are compatible with your SSO Identity Provider. For example, the user's registered platform email must match the SSO IdP, such as an Outlook email address to an Outlook IdP.
Once you enforce SSO, you can't edit the SSO configuration, as this action is permanent.
Select Enforce to turn on SSO. Enter the same account's subdomain name that you entered in step 3 to confirm turning on SSO. Again, select Enforce.
You have now successfully turned on SSO for your organization.
Log in using SSO
Once an admin enforces SSO on your account, you can log in only using SSO. Contact your admin for access to projects or sites.
