Skip to main content

Set up Single Sign-on (SSO)

Turn on Single Sign-on (SSO) in the Productsup platform to let your users log in to multiple related applications with the same login credentials.

Introduction

As an admin user, you can configure Single Sign-on (SSO) in Settings in Productsup to let the users within your organization log in to all related applications with one set of login credentials.

Tip

Learn more about the SSO benefits and use cases on our Academy website by taking the video course User authentication and management.

There are three variants of login for users in Productsup:

  1. Regular login lets users log in with their Productsup credentials. This option is available to all users before you configure SSO.

    Regular login screen

  2. Enabled SSO lets users log in with either Productsup or SSO credentials. This option is available when you have already enabled SSO but haven't finalized the configuration yet. You can stop the SSO configuration process on this step if you want to enable SSO in parallel with regular login. This step also lets you test your SSO before proceeding to enforced SSO.

  3. Enforced SSO lets users only log in using SSO credentials. This option is available as soon as you finalized the SSO configuration process and enforced Single Sign-on.

    Warning

    Once you set up enforced SSO, you can't remove it and roll back to the previous step. Contact support@productsup.com if you need to remove the enforced SSO settings.

    To log in with enforced SSO, users have two options:

    1. Go to subdomain.productsup.com created for your organization after enabling SSO. The link redirects you to the Productsup login page with the SSO login button. Select the button to land on the Identity Provider (IdP) login page where you must provide your IdP credentials, such as Google account login and password.

    2. Go to platform.productsup.com and enter the email associated with the Productsup account. If their account has enforced SSO, the platform redirects you to the Productsup login page with the SSO login button as described in Option a.

    Enforced SSO login

Prerequisites

To set up SSO, you need:

  1. An account with an Identity Provider (IdP), such as Google, Azure, AWS, etc.

  2. The admin access rights to your IdP account interface to set up SSO for users in your organization.

  3. The Identity Provider (IdP) metadata file. See Prepare the IdP metadata file.

  4. The admin access rights in Productsup.

Prepare the IdP metadata file

Identity Provider (IdP) is a service that stores and verifies user identity.

To use the SSO feature in Productsup, you must upload your IdP metadata file to the platform. The Productsup platform then creates metadata information for you to share with your IdP. When the configuration is ready, Productsup, as an SSO provider, checks user identity with the IdP when users log in.

For example, to learn how to get the IdP file from Azure, see Configure Azure AD SSO.

The IdP metadata XML file that you receive from your IdP should contain the following: 

  • IdP or Entity ID

  • Certificate

  • SSO URL

  • Redirect URL.

The service provider metadata XML file contains:

  • Entity ID

  • Redirect URL

  • Logout URL

  • SSO Assertion Consumer Service URL.

Set up SSO

To set up SSO in Productsup for your organization:

  1. Go to Settings from your organization's main menu.

  2. Go to the Single Sign-on tab and take the following steps:

    1. Configure Single Sign-on (SSO).

    2. Enable Single Sign-on (SSO).

    3. Test the SSO setup.

    4. Enforce SSO (optional).

Configure Single Sign-on (SSO)

In this step, you need to provide you organization subdomain information:

  1. In the Configure Single Sign-on (SSO) section, select Configure.

    SSO step 1

  2. Enter your organization's subdomain name, for example, yourcompany.productsup.com, and select Continue.

    General information for SSO

  3. Copy the Entity ID and Sign on URL and Reply URL (ACS URL) using the Copy buttons and paste them into your IdP's admin console. Select Continue.

    SSO configure

  4. Drag and drop your IdP's metadata XML file or select Browse to add the file from your computer. Select Finish.

    SSO configure IdP

    Note

    The platform fills out the Entity ID/Issuer and SSO URL fields automatically, but your IdP's XML file must contain the Productsup Entity ID and SSO URL.

  5. You have now configured SSO. Continue with Enable Single Sign-on (SSO).

    SSO configured

Enable Single Sign-on (SSO)

In this step, you can enable SSO and test it to ensure everything works correctly and all users in your organization can access the platform via SSO.

  1. Select Enable.

  2. A pop-up window appears with the following message:

    By enabling SSO, you can start testing for your organization. Testing SSO allows users in your organization to confirm if they can log in via Single Sign-on without issue.

    Note: Once you enable testing, if a user attempts to log in to your Productsup instance via SSO using an email address not associated with a Productsup user, we will use Just-In-Time (JIT) provisioning. This automates user account creation with basic permissions.

    Enable SSO confirmation message in Productsup

    Note

    Just-In-Time (JIT) is an authentication method that automates user account creation using the information from the IdP.

  3. Select Enable in the pop-up window to turn on SSO.

  4. You have enabled SSO. To test it, see the next step Test the SSO setup.

    SSO enabled

Test the SSO setup

To test your SSO setup, select Copy next to the SSO URL and try to log in using SSO.

SSO testing

Note

Before testing, log out of the account, use the incognito mode or another browser.

If you don't want to enforce SSO for your users, you can stop here and share the copied subdomain URL with your users to let them log in via the URL. Or they can still log in using their Productsup credentials.

Enforce SSO

In this step, you can choose to enforce SSO. Enforcing SSO enables your users to log in only via SSO, not with the Productsup credentials. Ensure the user accounts are compatible with your SSO Identity Provider. For example, the user's registered platform email must match the SSO IdP, such as an Outlook email address must match the Outlook IdP.

If you invite a user to an additional organization that isn't SSO enforced, they may still log in via an email and password.

Warning

Once you enforce SSO, you can't remove the enforced SSO configuration. Contact support@productsup.com if you need to remove the enforced SSO settings.

To enable enforced SSO:

  1. Select the needed option:

    1. Enforce for account users enforces SSO for all users of the organization.

      Enforce SSO options

    2. Enforce for only company domain enforces SSO for emails with specific domain names.

      • In Domain name, enter one or multiple domain names separating them with ##.

      SSO enforcement for only company domains

  2. Select I have tested the SSO, and I'm ready to enforce it now. This checkbox activates the Enforce button.

  3. Select Enforce. In the pop-up window, enter the same organization's subdomain name that you entered in the step Test the SSO setup. Select Enforce to confirm the SSO enforcement.

    Enforced SSO confirmation message in Productsup

  4. You have now turned on SSO for users in your organization.

In this section: