Set up Single Sign-on (SSO)

Turn on Single Sign-on (SSO) in the Productsup platform so that your users can log on to multiple related applications with one set of login credentials.

Introduction

As an admin user, Productsup lets you turn on Single Sign-on (SSO) so your users can log in to multiple related applications using one set of login credentials. You can set up and manage SSO permissions directly from your system and make SSO available to your users in the Productsup platform.

There are two stages of login options for users before you complete the SSO setup at the third stage:

  1. Regular login screen requires users to log in using their Productsup credentials.

  2. Enabled SSO, as set by an admin. Users can log in with either Productsup or SSO credentials.

  3. Enforced SSO setup complete, as set by an admin. Users can only log in using SSO credentials.

    Figure 1. Regular login
    Regular login



    Figure 2. Enabled SSO, email and SSO login
    Enabled SSO, email and SSO login



    Figure 3. Enforced SSO setup
    Enforced SSO setup



Requirements

  1. You have an account with an Identity Provider (IdP), for example, Google, Azure, AWS, etc.

  2. You have admin access to your IdP account/interface to set up SSO for users in your organization.

IdP metadata file

To use the SSO feature in the Productsup platform, you must upload your IdP metadata file to the platform. Next, you need to share the IdP metadata configuration information with the service provider. Productsup acts as the service provider. The Productsup platform then creates metadata information for you to share with your IdP.

The IdP metadata XML file you receive from your Idp should contain the following: 

  • IdP entity ID

  • certificate

  • SSO URL

  • redirect URL

The service provider metadata XML file contains the service provider:

  • entity ID

  • redirect URL

  • logout URL

  • SSO Assertion Consumer Service URL

Perform the next steps in the following sections to set up and turn on SSO for your organization.

Configure SSO

To configure SSO, first, start by choosing and adding your Identity Provider (IdP) metadata.

  1. Go to Settings from your account’s main menu.

    Configure SSO in Productsup
  2. First, choose an Identity Provider (IdP) by selecting Google, Azure, or Other.

  3. Next, enter your account's subdomain name. For example, yourcompany.productsup.com and select Continue.

    Choose an IdP for SSO in Productsup
  4. Copy the SSO Assertion Consumer URL and Entity ID URLs and paste them into your IdP's admin console. Once you copy a URL, a pop-up confirmation message appears. Select Continue.

    Copy SSO Assertion Consumer URL to pass to IdP in Productsup
  5. Finally, click and drag to upload the IdP metadata XML file you received from your IdP. To manually upload it instead, select Browse to locate the file, then select Finish.

    Note

    The XML file for upload must contain the Entity ID URL and the SSO Assertion Consumer URL to continue.

    Upload metadata XML file for SSO in Productsup

You have now configured SSO. Continue with Enable SSO for testing.

SSO configured in Productsup

Enable SSO

You can enable SSO without enforcing it to ease your organization's transition to logging in via SSO. During this phase, you can test the SSO configuration to make sure everything works as planned. Your users can either log in with their Productsup credentials or with an SSO Identity Provider (IdP) password. They are no longer able to log in to Productsup via the Continue with Google feature. Users that don’t have a Productsup password can create one by selecting Forgot Password on the Productsup login page.

Once you have confirmed that all users can log in via SSO, you can require that all users always log in with SSO once you finalize your SSO configuration.

  1. Select Enable to turn on SSO and begin testing it for users in your organization.

After selecting Enable, a pop-up window with the following message appears:

By enabling SSO, you can start testing for your organization. Testing SSO allows users in your organization to confirm if they can log in via Single Sign-on without issue. Once you enable testing, if a user attempts to log in to your Productsup instance via SSO using an email address not associated with a Productsup user, we will use Just-In-Time (JIT) provisioning. This automates user account creation with basic permissions.

Enable SSO confirmation message in Productsup

JIT is an authentication method that automates user account creation. It uses information passed from the IdP to the service provider to create a user account.

Note

Once you begin testing, users are no longer able to log in via Google sign-in. They can only log in using their IdP or Productsup password.

SSO enabled confirmation in Productsup

Enforce SSO

After the Enable SSO phase, you can now choose to enforce SSO. Enforcing SSO permanently deletes all existing user passwords. After this point, you can’t edit the SSO configuration or restore deleted passwords.

  1. Select Enforce to turn on SSO. Enter the same account's subdomain name that you entered in step 3 to confirm turning on SSO. Again, select Enforce.

    Enforce SSO confirmation in Productsup

You have now successfully turned on SSO for your organization.

SSO enforced confirmation in Productsup

Log in using SSO

Once an admin enforces SSO on your account, you can now only log in using SSO. Contact your admin for access to Projects or Sites.

Productsup platform SSO login, as set by an admin