Single Sign-on (SSO)
In Anaplan, Single Sign-on (SSO) lets a user who has been authenticated by a login other than the standard login mechanism at the Anaplan URL access multiple systems and environments from a single web browser session. Users therefore don't need to visit a login page for each system and environment.
As the Anaplan administrator for your organization, you can set up your environment for SSO access to Anaplan.com using the Security Assertion Markup Language (SAML) authentication protocol. Anaplan fully supports SAML 2.0 for SSO. This includes password complexity policies, time-of-day access windows, two-factor authentication, and any other controls required by your organization's security policy.
To set up Anaplan for SSO:
- Request a test workspace from email@example.com.
- Test and confirm the configuration.
- Contact firstname.lastname@example.org to arrange a time to migrate the configuration to your production environment.
  Warning: Once SSO is set up, users can only access Anaplan using SSO unless they are an Exception User. We therefore recommend that your organization assigns at least one exception user.
  Your business must schedule an appropriate time to enforce SSO. It is essential that your organization educates end-users on accessing the Friendly URL.
- Assign exception users.
For general information about SSO and SAML, see these pages on Wikipedia.org and the WSO2 Library:
Anaplan is a service provider (SP) and your organization is an identity provider (IdP). The steps in this section assume that Anaplan is the SP that initiates SAML authentication when the end-user clicks the Friendly URL that Anaplan provides.
Anaplan implements the standard SAML 2.0 framework with support for these behaviors:
- Signed/unsigned AuthnRequests.
- A digital signature on the SAML authentication response (AuthnResponse) that is validated, with the message decrypted, if required.
- 1024-bit or 2048-bit keys.
- HTTP REDIRECT SAML binding profile for IdP assertions.
- SP Initiated SAML using HTTP REDIRECT (GET).
- Support for federation server vendors including Microsoft ADFS, Okta, and Ping Federate.
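
The SP-initiated HTTP REDIRECT exchange listed above, as an added example (not Anaplan's code): the SP deflates, base64-encodes and URL-encodes the AuthnRequest into a `SAMLRequest` query parameter, and an IdP administrator can decode it to compare the issuer and ACS URL with the IdP configuration and to see whether signature parameters are present. All URLs, the request ID and the function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # cap on inflated size (guards against decompression bombs)

# Constructed sample request; every URL and the ID are placeholders.
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.org/sso" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    "<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>"
)

def encode_redirect(xml: str, idp_sso_url: str, relay_state: str = "") -> str:
    """SP side: raw DEFLATE, then base64, then URL-encode into SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no header
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)

def inspect_redirect(url: str) -> dict:
    """IdP side: decode the request and return the fields to compare with config."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_XML)
    if not inflater.eof:
        raise ValueError("AuthnRequest truncated or larger than MAX_XML")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        # Redirect binding signs via query parameters; presence only, not verified.
        "signature_present": "SigAlg" in query and "Signature" in query,
    }
```

`inspect_redirect` reports only whether `SigAlg` and `Signature` accompany the request; verifying a signed AuthnRequest requires the SP's public key and is left to the IdP product.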