Single Sign-on (SSO)

In Anaplan, Single Sign-on (SSO) enables a user authenticated by a login other than the standard login mechanism at the Anaplan URL, to access multiple systems and environments using a single web browser session. Users therefore don't need to visit a login page for each system and environment.

As the Anaplan administrator for your organization, you can set up your environment for SSO access to using the Security Assertion Markup Language (SAML) authentication protocol. Anaplan fully supports SAML 2.0 for SSO. This includes password complexity policies, time-of-day access windows, two-factor authentication, and any other controls required by your organization's security policy.

To set up Anaplan for SSO:

  1. Request a test workspace from
  2. Test and confirm the configuration.
  3. Contact to arrange a time to migrate the configuration to your production environment.
    Warning: Once SSO is set up, users can only access Anaplan using SSO unless they are an Exception User. We therefore recommend that your organization assigns at least one exception user.
    Your business must schedule an appropriate time to enforce SSO. It is essential that your organization educates end-users on accessing the Friendly URL.
  4. Assign exception users.
Note: Setting up SSO normally takes less than one business week depending on your environment and timely responses to information requested by Anaplan Support.

For information about the way in which Anaplan uses SAML, see SAML Authentication with Anaplan and Key Terms.

For general information about SSO and SAML, see these pages on and the WSO 2 Library:

SAML Authentication with Anaplan

SAML is a way for you to control authentication such that Anaplan does not store the passwords of your users. Note that your users are not required to be on your internal network. For an introduction to SAML, see

Anaplan is a service provider (SP ) and your organization is an identity provider ( IdP ). The steps with this section assume that Anaplan is the SP that initiates SAML authentication when the end-user clicks on the Friendly URL that Anaplan provides.

Anaplan implements the standard SAML 2.0 framework with support for these behaviors:

  • Signed/unsigned AuthnRequests.
  • A digital signature on the SAML authentication response (AuthnResponse) that is validated, with the message decrypted, if required.
  • 1024 or 2048 bit keys.
  • HTTP REDIRECT SAML binding profile for Idp assertions.
  • SP Initiated SAML using HTTP REDIRECT (GET).
  • Support for federation server vendors including Microsoft ADFS, Okta, and Ping Federate.
The SAML framework provides optional attributes. Minimally, the timestamp attributes are validated. If additional validations are required, development work can be done outside of the standard SAML 2.0 framework.