Request a TEST Workspace
- Send an email to email@example.com requesting a workspace on which to test SSO. Include this information in the email:
- Your IdP URL
- Your IdP vendor. For instance:
- Your public certificate in Base64 format
- The key size you require, either 1024 or 2048 bit.
- Whether you require that the AuthnRequest be digitally signed
- The Anaplan login — your email address — for one or more Exception Users, such as you or the Anaplan Administrator.
- Optionally, a SAML Logout URL. The default behavior is that when an end-user logs out of Anaplan, that end-user is redirected to a static single sign-on page from which the end-user can log in to Anaplan using the Friendly URL. The Anaplan administrator has the option of specifying a SAML Logout URL, which causes the end-user log-out action to also log out that end-user from the SAML the identity provider (IdP).
As soon as Anaplan Support establishes a test workspace for SAML SSO, the standard login mechanism of entering a username and password at the Anaplan URL returns only the workspaces for which SSO is not enabled. An Exception User, however, CAN still log in to Anaplan at the Anaplan URL, https://sdp.anaplan.com/frontdoor/login, using their username and password and access workspaces for which SSO is enabled. This is useful in case SSO access from the Friendly URL is not working properly.
NameIDis configured to be sent across to Anaplan and matches the same email address as registered on Anaplan. Format as below:
NameIDMUST contain the same email address as that registered on Anaplan. This is required for SSO to work.
- Anaplan SP URL
- Anaplan metadata for the Anaplan service provider that can be configured on the customer IdP
- Your "Friendly URL", such as https://sdp.anaplan.com/frontdoor/saml/[yourcompanysaml]
- The Anaplan SSO server has been configured correctly, so:
- at least one workspace is associated to the SSO server.
- the user accessing through single sign-on has been associated with that SSO workspace.
- the Client IdP has consumed the metadata and the metadata provided is correct.
- the SAML assertions being passed from the IdP are known standards and therefore can be validated by the SP.
- that the SAML attribute nameid has been configured correctly as the Anaplan associated email address.
- if using ADFS, the relevant Claim Rules have been configured. Anaplan Support can supply these on request.
- You can use pre-production IdP URLs and pre-production certificates.
- If you also require your own pre-production or proof-of-concept workspace to test connectivity, contact Anaplan.
SSO for Production Workspace
When connectivity with the TEST workspace has been tested successfully and you are ready to move forward, request that Anaplan Support change your workspace from pre-production to production certificates and URLs. Migrate your PRODUCTION workspace to the SAML service.