Using SAML SSO with Tracker

If your organization uses a SAML-based Single Sign On (SSO) service to manage access to applications, Tracker can integrate with your identity provider (IdP) so that access is explicitly managed via your IdP.

Tracker currently offers SAML SSO to customers who subscribe to an Enterprise plan. SSO and other Enterprise features are not available as part of the Free trial, Startup plans, or Pro plans.

Configuring your IdP for SAML SSO

Upon subscribing to an Enterprise plan, the Tracker Support team can enable SSO for your account. Before we can do that, you’ll need to send a copy of your IdP’s metadata to tracker@pivotal.io so we can upload it to your account. We will also need to know any email domains that will need to be whitelisted.

Using Tracker’s metadata endpoint

If your IdP supports using a metadata endpoint, you can skip the Service Providers (SP) details section below in favor of using https://www.pivotaltracker.com/auth/saml/metadata.

The metadata endpoint will always transmit the public key to our signing certificate, which some IdPs can use to check our signature on signed SAML AuthNRequests. However, by default we do not sign our AuthNRequests. If you require for yours to be signed, please email us at tracker@pivotal.io and we’ll take care of that for you.

Service Provider (SP) details

If your IdP does not support using a metadata endpoint/URL, please configure an application within your IdP with the following SP details:

  • Assertion consumer service (ACS)/Single Sign-On URL: https://www.pivotaltracker.com/auth/saml/callback
  • Audience URI/SP Entity ID: https://www.pivotaltracker.com
  • Default RelayState: {"account_id":your_Tracker_account_id}. This is optional if we will be whitelisting your email domain. Your account ID can be found on your Account Settings page.
  • Name ID format: EmailAddress. Email addresses tend to change occasionally (e.g., when someone changes their name), so it’s preferable to have a unique, unchanging user ID here.
  • Application username: Email. If this field is not present in your IdP interface, it is OK to skip.

Custom user attributes

Tracker requires certain basic user attributes to be sent in the SAML response. After configuring an application for Pivotal Tracker within your IdP, the following basic user attributes will need to be defined:

  • email: The user’s email
  • first_name: The user’s first name
  • last_name: The user’s last name
  • id: The user’s ID (any unique identifier for the user that never changes)
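A pre-flight check that ties the SP details and the required attributes together, as an added example (not Tracker's code): it takes an assertion exported from your IdP's test tool and reports any mismatch against the Audience URI, Name ID format, required attributes and RelayState shape listed above. The assertion below is constructed for illustration (signature omitted), and the integer account ID and attribute values are assumed.

```python
import json
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://www.pivotaltracker.com"  # Audience URI / SP Entity ID from above
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"email", "first_name", "last_name", "id"}  # attributes Tracker requires

# Constructed sample assertion (signature omitted); note it lacks the "id" attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://www.pivotaltracker.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, relay_state=None):
    """Return the list of mismatches against the SP details; empty means it matches."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID format must be emailAddress")
    if SP_ENTITY_ID not in {a.text for a in root.findall(".//saml:Audience", NS)}:
        problems.append("Audience must be " + SP_ENTITY_ID)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    for name in sorted(REQUIRED_ATTRS - attrs.keys()):
        problems.append("missing attribute: " + name)
    for name in sorted(REQUIRED_ATTRS & attrs.keys()):
        if not any(attrs[name]):  # attribute present but carries no value
            problems.append("empty attribute: " + name)
    # RelayState is only optional when Tracker whitelists the email domain.
    if relay_state is not None:
        try:
            data = json.loads(relay_state)
        except ValueError:
            data = None
        if not isinstance(data, dict) or "account_id" not in data:
            problems.append('RelayState must be JSON like {"account_id":<id>}')
    return problems
```

Run it against the sample and it reports only the missing "id" attribute; add that attribute and the list comes back empty.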

Testing SP- and IdP-initiated login

After all the steps above have been completed, it’s time to test SP- and IdP-initiated login. By this point you will already have provided us with any email domains you’d like whitelisted for SSO, and we will have “soft-whitelisted” them for your account. Soft-whitelisting allows us to test against your Enterprise account without forcing every user with your company domain(s) to be redirected to your IdP sign-in portal.

  • To test SP initiated sign in: Please have someone on your end (who shares your company domain and is an active user within your IdP) visit your Tracker subdomain (yourcompanyname.pivotaltracker.com) and attempt to sign in. If you’re not sure what your Tracker subdomain is, reach out to us and we’ll let you know.
  • To test IdP-initiated sign in: Please have someone from your end (who’s been assigned the Pivotal Tracker application you previously created) attempt to access Tracker through your IdP user portal.

If both sign-in attempts are successful, it’s now time for the Tracker Support team to enable SSO for the entire account (if not, we will work with you to troubleshoot any issues). If you prefer that happen on an agreed upon date/time, just let us know.

Important notes about Tracker SSO

  • Tracker supports JIT (just-in-time) provisioning. This means that once SSO is enabled, if a member of your organization who doesn’t already have a Tracker login attempts to sign in, we will automatically create a user for them.
  • Tracker can support/whitelist multiple company email domains signing in via SSO.
  • Once SSO is enabled, anyone that does not have the company domain will be considered an external “guest.” Guests will still be able to access projects they are already members of, and will only have access to projects they’re explicitly invited to. Guests can only be project members—never account members—and cannot search/find/self-join projects in the Enterprise account. Guests will always sign in using their regular Tracker credentials, not SSO.
  • Users with the company domain will not be able to own or have admin rights on any other accounts besides the Enterprise account. Because of this, any Tracker accounts owned by your users will need to be merged with the main Enterprise account before SSO can be enabled.