Skip to main content

Set up Single Sign-on (SSO)

Turn on Single Sign-on (SSO) in the Productsup platform to let your users log in to multiple related applications with the same login credentials.

Introduction

As an admin user, you can configure Single Sign-on (SSO) in Settings in Productsup to let the users within your organization log in to all related applications with one set of login credentials.

Tip

Learn more about the SSO benefits and use cases on our Academy website by taking the video course User authentication and management.

There are three variants of login for users in Productsup:

  1. Regular login lets users log in using their Productsup credentials. This option is available to all users before you configure the SSO.

    Regular login screen
  2. Enabled SSO lets users log in with either Productsup or SSO credentials. This option is available when you enable SSO but still haven't finalized the configuration. You can stop the SSO configuration process on this step if you want to enable SSO in parallel with regular login. This step also lets you test your SSO before proceeding to enforced SSO.

  3. Enforced SSO lets users only log in using SSO credentials. This option is available as soon as you finalized the SSO configuration process and enforced Single Sign-on.

    Warning

    Once you set up enforced SSO, you cannot remove it and roll back to the previous step. Contact support@productsup.com if you need to remove the enforced SSO settings.

    To log in with enforced SSO, users have two options:

    1. Go to subdomain.productsup.com specific for your organization that you share with users after enabling SSO, and get to the Productsup login page with the SSO login button. Selecting the button, the users land on the IdP login page where they must provide their IdP credentials, such as Google account login and password.

    2. Go to platform.productsup.com and enter the email associated with the Productsup account. If their account has enforced SSO, the platform redirects them to the Productsup login page with the SSO login button. See Option 1.

    Enforced SSO login

Prerequisites

To set up SSO, you need:

  1. An account with an Identity Provider (IdP), such as Google, Azure, AWS, etc.

  2. The admin access rights to your IdP account interface to set up SSO for users in your organization.

  3. The Identity Provider (IdP) metadata file. See Prepare the IdP metadata file.

  4. The admin access rights in Productsup.

Prepare the IdP metadata file

Identity Provider (IdP) is a service that stores and verifies user identity.

To use the SSO feature in Productsup, you must upload your IdP metadata file to the platform. The Productsup platform then creates metadata information for you to share with your IdP. When the configuration is ready, Productsup, as an SSO provider, checks user identity with the IdP when users log in.

For example, to learn how to get the IdP file from Azur, see Configure Azure AD SSO.

The IdP metadata XML file that you receive from your IdP should contain the following: 

  • IdP Entity ID

  • Certificate

  • SSO URL

  • Redirect URL

The service provider metadata XML file contains the service provider:

  • Entity ID

  • Redirect URL

  • Logout URL

  • SSO Assertion Consumer Service URL

Set up SSO

To set up SSO to Productsup for your organization:

  1. Go to Settings from account's main menu.

  2. Go to the Single Sign-on tab and take the following steps:

Configure Single Sign-on (SSO)

In this step, you need to provide information about your Identity Provider (IdP):

  1. In the Configure Single Sign-on (SSO) section, select Configure.

    SSO step 1
  2. Choose your Identity Provider: Google, Azure, or Other.

  3. Enter your account's subdomain name, for example, yourcompany.productsup.com, and select Continue.

    General information for SSO
  4. Copy the Entity ID and Sign on URL and Reply URL (ACS URL) using the Copy buttons and paste them into your IdP's admin console. Select Continue.

    SSO configure
  5. Drag and drop your IdP's metadata XML file or select Browse to add the file from your computer. Select Finish.

    SSO configure IdP

    Note

    The platform fills out the Entity ID/Issuer and SSO URL fields automatically, but your IdP's XML file must contain the Productsup Entity ID and SSO URL.

  6. You have now configured SSO. Continue with Enable Single Sign-on (SSO).

    SSO configured

Enable Single Sign-on (SSO)

In this step, you can enable SSO and test it to ensure everything works correctly and all users in your organization can access the platform via SSO.

  1. Select Enable.

  2. A pop-up window appears with the following message:

    By enabling SSO, you can start testing for your organization. Testing SSO allows users in your organization to confirm if they can log in via Single Sign-on without issue.

    Note: Once you enable testing, if a user attempts to log in to your Productsup instance via SSO using an email address not associated with a Productsup user, we will use Just-In-Time (JIT) provisioning. This automates user account creation with basic permissions.

    Enable SSO confirmation message in Productsup

    Note

    Just-In-Time (JIT) is an authentication method that automates user account creation using the information from the IdP.

  3. Select Enable in the pop-up window to turn on SSO.

  4. You have enabled SSO. To test it, see the next step Test the SSO setup.

    SSO enabled

Test the SSO setup

To test your SSO setup, select Copy next to the SSO URL and try to log in using SSO.

SSO testing

Note

Before testing, log out of the account, use incognito mode or another browser.

If you don't want to enforce SSO for your users, you can stop in this step and share the copied subdomain URL with your users to let them log in via it. Or they can still log in using their Productsup credentials.

Enforce SSO

In this step, you can choose to enforce SSO. Enforcing SSO enables your users to log in only via SSO, not by the Productsup credentials. Ensure the user accounts are compatible with your SSO Identity Provider. For example, the user's registered platform email must match the SSO IdP, such as an Outlook email address to an Outlook IdP.

If you invite a user to an additional Productsup account that isn't SSO enforced, they may still log in via an email and password.

Warning

Once you enforce SSO, you can't remove the enforced SSO configuration.

To enable enforced SSO:

  1. Select the needed option:

    1. Enforce for account users enforces SSO for all users of the account.

      Enforce SSO options
    2. Enforce for only company domain enforces SSO for emails with the specific domain names.

      • In Domain name, enter one or multiple domain names, separating them with ##.

      SSO enforcement for only company domains
  2. Select I have tested the SSO, and I'm ready to enforce it now. This checkbox only activates the Enforce button.

  3. Select Enforce. In the pop-up window, enter the same account's subdomain name that you entered in step Test the SSO setup. Select Enforce to confirm the SSO enforcement.

    Enforced SSO confirmation message in Productsup
  4. You have now turned on SSO for users in your organization.