SAML authentication with Anaplan
Security Assertion Markup Language (SAML) is an XML-based framework allowing communication between a Service Provider (SP) and an Identity Provider (IdP) to facilitate authentication (identifying a user logging in) and authorization (confirming the logged-in user has access).
Advantages of SAML
Using SAML provides:
- standardization with interoperability between systems, independent of implementation and removing common problems associated with vendor- and platform-specific architecture and implementation.
- an improved user experience that enables users to access multiple service providers by signing in once, without additional authentication for a faster experience at each service provider.
- an authentication system that eliminates password issues such as reset and recovery.
- increased security with a secure Identity Provider (IdP) is a single point of authentication. Credentials remain within the IdP’s firewall boundary.
- loose coupling of directories, meaning user information does not have to sync between directories.
SAML and Anaplan
SAML enables you to control authentication such that Anaplan does not store the passwords of your users. Note that your users are not required to be on your internal network. For an introduction to SAML, see http://wso2.com/library/articles/2014/02/introduction-to-security-assertion-markup-language-2.0.
In the SAML flow, Anaplan is a SP and your organization is an IdP. The steps with this section assume that Anaplan is the SP that initiates SAML authentication when the end-user clicks on the Friendly URL that Anaplan provides. Note that the Friendly URL format has specific configuration requirements
Anaplan implements the standard SAML 2.0 framework with support for these behaviors:
- Signed/unsigned AuthnRequests.
- A digital signature on the SAML authentication response (AuthnResponse) that is validated, with the message decrypted, if required.
- 1024 or 2048 bit keys.
- HTTP REDIRECT SAML binding profile for Idp assertions.
- SP Initiated SAML using HTTP REDIRECT (GET).
- Support for federation server vendors including Microsoft ADFS, Okta, and Ping Federate.
The SAML framework provides optional attributes. Minimally, the timestamp attributes are validated. If additional validations are required, development work can be done outside of the standard SAML 2.0 framework.