How to Enable SAML Single Sign-On (SSO)

Centralize user management with SAML single sign-on.

SAML is only available on the Enterprise edition.

When you configure SAML SSO for a domain, all users on this domain will be required to log in via SAML.  Because this changes authentication for everyone at a domain, you must first prove that you own the domain before ProjectManager will switch all users to SAML login.

Supported SSO Identity Providers

ProjectManager supports the following SAML Single-Sign-On (SSO) identity providers:

  • Google
  • Okta
  • Azure
  • Ping

You also may be able to use any provider that is SAML 2.0 compliant, but we recommend the above providers.

How to Enable SAML SSO on Your ProjectManager Account

  1. To enable SAML SSO on your account, navigate to your avatar in the bottom left-hand corner and select “Account” and then “Security.” Users who have access to the “Accounts and Billing” page will be able to update SAML SSO settings. Use the toggle to turn on SAML SSO and then click “Configure.”
  2. Copy the values from the ProjectManager SSO page into your provider's configuration.  Note that some SAML providers may use different names for the same things; you may need to consult with your SAML provider's documentation to verify the correct names. See the bottom of this page for examples of common providers.
  3. Then, find your provider’s login URL and certificate. Paste that information into our app in the “SAML Signing Certificate” section.
  4. Finally, click “Save” and log out of ProjectManager. You can now log in using the SAML sign-on URL or our login page, and the system will recognize your settings and direct you to your provider’s login page. Your provider's settings will override any login settings you have set, such as two-factor authentication or strong password settings.

Setting Up a TXT Record to Verify Domain Ownership

Why do I need to verify my domain ownership with a TXT record?  ProjectManager uses email addresses instead of usernames. Because you can invite a person to your account by that person's email address, we cannot allow SAML providers to authenticate users for domains they do not prove that they own.

To prevent unauthorized users from gaining access to your account by using a malicious SAML provider, you're required to prove that you own a domain before you can set up SAML for that domain.

The way you prove that you own a domain is by adding a TXT record containing a certificate token.  First, type your domain name in the 'add a domain' box under Domain Settings and click the Add button.

Your domain name will now appear with a yellow indicator next to it.  This indicator tells us that ProjectManager has attempted to automatically verify the TXT record for your domain, but it has not yet succeeded.

Next, click the key symbol next to your domain name to copy the TXT record value. You'll then need to work with your IT department to configure this TXT record on your domain. Your IT department will know how to configure a TXT record. 

When the TXT record exists, open up this same page and the yellow indicator will be green.  If the indicator remains yellow, it means that an automatic check does not yet see your TXT record.  You can verify whether the TXT record is visible to the outside world by using any DNS TXT record lookup tool. 

How to Check for a Valid TXT Record Manually

ProjectManager automatically checks your DNS TXT record every time you open the SAML configuration page.  If the indicator is yellow, that means ProjectManager cannot yet see the correct TXT record for your domain.

If your IT department thinks it has set up the TXT record correctly, tools like MxToolbox.com can help you check whether the required TXT record exists and is visible to the world:

  1. Visit https://mxtoolbox.com/SuperTool.aspx
  2. In the "Lookup Anything" box, type txt:mydomain.com - of course, replace mydomain.com with your domain name.  Note that this should be the domain name tied to your email address - if your email is person@mydomain.com, the value should be mydomain.com.
  3. Click the orange lookup button.
  4. If your IT department has configured the domain correctly, you'll see an entry in the box with type TXT, domain name mydomain.com, and record projectmanager:<certificate>

If you can see the TXT record, and if the text of the record exactly matches the value copied from the SAML configuration screen, then your TXT record validation indicator will turn green and you will be able to turn on SAML.
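
A scripted version of the manual check above, as an added example that is not ProjectManager's own code: it compares the output of `dig +short TXT` with the copied value by exact match. The token, the sample output, the helper names and the 1.1.1.1 resolver are assumptions chosen for illustration.

```python
import re
import subprocess

# Constructed placeholder: paste the value copied with the key symbol instead.
EXPECTED = "projectmanager:EXAMPLE-TOKEN-0000"

# Constructed `dig +short TXT mydomain.com` output: an unrelated SPF record,
# a near miss with a stray space, and the right value split into two chunks.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.invalid ~all"
"projectmanager: EXAMPLE-TOKEN-0000"
"projectmanager:EXAMPLE-" "TOKEN-0000"
'''

def parse_txt_answers(dig_output):
    """Return one string per TXT record in `dig +short TXT` output."""
    records = []
    for line in dig_output.splitlines():
        # Long records are printed as several quoted chunks on one line;
        # join them without separators before comparing (assumption).
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records

def txt_is_verified(dig_output, expected):
    """True only if some record equals the copied value exactly."""
    return expected in parse_txt_answers(dig_output)

def lookup(domain, resolver="1.1.1.1"):
    """Query a public resolver so the result reflects the outside view."""
    result = subprocess.run(["dig", "+short", "TXT", domain, "@" + resolver],
                            capture_output=True, text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    print(parse_txt_answers(SAMPLE_DIG_OUTPUT))
    print("verified:", txt_is_verified(SAMPLE_DIG_OUTPUT, EXPECTED))
```

To check a live domain, pass `lookup("mydomain.com")` to `txt_is_verified` in place of the sample output.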

Setting Up SAML for Microsoft Entra ID

Microsoft Entra ID was formerly known as Azure Active Directory.

For Microsoft Entra ID, start by going to Entra ID > Enterprise apps > All applications.

In one web browser window, edit the ProjectManager.com enterprise application in Microsoft Entra.  In another web browser window, open ProjectManager.com and click on Security | SAML SSO.  Click the enable toggle next to "SAML SSO" in the ProjectManager.com security screen.
 
In Microsoft Entra, create a new Enterprise Application and give it the name "ProjectManager.com".  In the Microsoft Entra enterprise application edit screen for ProjectManager.com, click on the "Manage > Single sign-on" tab in the left navigation. You should now see a selection of boxes with the numbers 1, 2, 3, and so on.  Click "Edit" next to "Basic SAML Settings" in Microsoft Entra.

  • In the "Identifier (Entity ID)" field, use the value labeled "Identifier (Entity ID)" from the ProjectManager SAML configuration screen.
  • In the Reply URL, use the value labeled "Sign On URL" from the ProjectManager SAML configuration screen.
  • In the Sign-On URL, use the value labeled "Sign On URL" from the ProjectManager SAML configuration screen.  This will be the same as the Reply URL.
  • In the Logout URL, use the Logout URL from the ProjectManager SAML configuration screen.

Next, you should copy the values from Microsoft Entra and save them to ProjectManager.com's SAML setup screen.

  • In section 4, "Set Up ProjectManager.com," copy the value in the "Login URL" box and paste it into the ProjectManager "SAML Login URL" box.
  • Download your Base64 encoded certificate from Entra ID. You may need to approve the download, as certificates are often considered sensitive. Make sure the file successfully downloaded to your computer as a .cer file. Next, you must edit the .cer file in Notepad and copy and paste its contents into the ProjectManager "Certificate (Base64)" box. 
  • Click the "Save" button at the bottom of the screen before enabling SAML.

Setting Up SAML for Okta

  1. Settings from Okta into ProjectManager
    1. Click on the "Applications" screen inside Okta, and open up the application for ProjectManager.
    2. Under the heading "Metadata Details", copy the value labeled Sign-on URL.  Paste this into ProjectManager's SAML Login URL box.
    3. Next to the label "Signing Certificate," there's a download box. Click on this and download the certificate.  Paste this certificate into ProjectManager's "Certificate (Base64)" box.
  2. Settings from ProjectManager into Okta
    1. In ProjectManager, click on your name in the lower left corner, then select "Account," then click on the "Security" tab.
    2. Enable SAML SSO.
    3. Copy the value labeled "Sign On URL" and paste it into three locations in Okta - the Single Sign-On URL box, the Recipient URL box, and the Destination URL box.
    4. Copy the value labeled "Identifier (Entity ID)" and paste it into Okta's Audience Restriction box.
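
Where the Okta fields in step 2 end up in a SAML response, as an added example that is not part of the original page or ProjectManager's code: a diagnostic that compares a decoded response with the two values copied from the SAML screen. The URLs and the sample response are constructed placeholders, and requiring the emailAddress Name ID format (the value this page gives for Duo) from every provider is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed placeholders, not real ProjectManager values: use the "Sign On
# URL" and "Identifier (Entity ID)" shown on your SAML configuration screen.
SIGN_ON_URL = "https://sp.example.invalid/saml/acs"
ENTITY_ID = "https://sp.example.invalid/saml/metadata"

def sample_response(destination, recipient, audience, name_id_format):
    """Build a constructed, unsigned SAML response for this demonstration."""
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}"
    Destination="{destination}"><a:Assertion><a:Subject>
  <a:NameID Format="{name_id_format}">person@mydomain.com</a:NameID>
  <a:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <a:SubjectConfirmationData Recipient="{recipient}"/>
  </a:SubjectConfirmation></a:Subject>
  <a:Conditions><a:AudienceRestriction>
    <a:Audience>{audience}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
</a:Assertion></p:Response>"""

def check_response(xml_text, sign_on_url, entity_id):
    """List fields that disagree with the service provider's values.

    Diagnostic only: signature and validity window are not verified here.
    """
    root = ET.fromstring(xml_text)
    subject = "a:Assertion/a:Subject/"
    problems = []
    if root.get("Destination") != sign_on_url:
        problems.append("Destination URL differs from Sign On URL")
    data = root.find(subject + "a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != sign_on_url:
        problems.append("Recipient URL differs from Sign On URL")
    audiences = [e.text.strip() for e in root.iterfind(
        "a:Assertion/a:Conditions/a:AudienceRestriction/a:Audience", NS) if e.text]
    if entity_id not in audiences:
        problems.append("Audience Restriction lacks the Entity ID")
    name_id = root.find(subject + "a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID Format is not emailAddress")
    return problems

if __name__ == "__main__":
    drifted = sample_response(SIGN_ON_URL, SIGN_ON_URL + "/", ENTITY_ID, EMAIL_FORMAT)
    print(check_response(drifted, SIGN_ON_URL, ENTITY_ID))
```

The comparison is by exact string, so a trailing slash or an http/https difference in any of the three URL boxes is reported as a mismatch.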

Frequently Asked Questions

I've completed the process, but when I log in via SAML I get an error.

This often happens when the TXT record domain verification process is incomplete.  Please double-check that the ProjectManager SAML page shows a green check mark next to your domain name.  If a green check mark is not present, please retry the TXT record verification process.

Once a green checkmark appears, please save the SAML configuration page again.  You may need to edit a text box on the screen to get the "Save" button to be enabled; you can add a space to one of the text boxes and then delete the space.

What is the Provisioning URL box in ProjectManager?

Some security systems provide an automated provisioning mechanism for SAML.  If your product supports this feature, you should be able to complete the provisioning process using this URL.  

If your product doesn't have an automated provisioning feature, please ignore this box.

How can I test my SAML implementation?

When you are ready to begin using SAML, it helps to have a plan for how you will test your connection. As your global account administrator follows the steps above, be sure to check your login process so you know that it is working as expected.

Depending on your company's security policies, you may choose to follow one of these approaches:

Remain Logged In While Testing

  • Global account administrator logs onto both ProjectManager and your identity provider
  • Administrator configures and enables SAML
  • Administrator opens a new "incognito" window to test SAML
  • If it works, ask other team members to test SAML
  • If other team members can connect, then you can declare SAML setup complete
  • The administrator is now free to close browser windows and log out
  • If for some reason your SAML support becomes broken after the initial configuration, contact ProjectManager support and request that SAML be turned off

Separate Administrator Account

  • Designate one global account administrator that uses an email address not tied to your domain - such as a Google email address or secondary domain
  • This global account administrator can continue to authenticate without using SAML even if SAML breaks
  • If you need to enable or disable SAML, that global account administrator will still be able to log in and make changes to your account

I'm using Duo Security, how can I set the Name ID format correctly?

  • In the field "Name ID Format", choose urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

If you have any questions about setting up SAML Single-Sign-On with ProjectManager, please email support@projectmanager.com.