Request a TEST Workspace

  1. Send an email to requesting a workspace on which to test SSO. Include this information in the email:
    • Your IdP URL
    • Your IdP vendor. For instance:
    • Your public certificate in Base64 format
    • The key size you require, either 1024 or 2048 bit.
    • Whether you require that the AuthnRequest be digitally signed
    • The Anaplan login — your email address — for one or more Exception Users, such as you or the Anaplan Administrator.
    • Optionally, a SAML Logout URL. The default behavior is that when an end-user logs out of Anaplan, that end-user is redirected to a static single sign-on page from which the end-user can log in to Anaplan using the Friendly URL. The Anaplan administrator has the option of specifying a SAML Logout URL, which causes the end-user log-out action to also log out that end-user from the SAML the identity provider (IdP).

    As soon as Anaplan Support establishes a test workspace for SAML SSO, the standard login mechanism of entering a username and password at the Anaplan URL returns only the workspaces for which SSO is not enabled. An Exception User, however, CAN still log in to Anaplan at the Anaplan URL,, using their username and password and access workspaces for which SSO is enabled. This is useful in case SSO access from the Friendly URL is not working properly.

  2. Make sure the SAML attribute NameID is configured to be sent across to Anaplan and matches the same email address as registered on Anaplan. Format as below:
    <NameID format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"></NameID>
    Important: NameID MUST contain the same email address as that registered on Anaplan. This is required for SSO to work.
  3. Wait for Anaplan Support to configure Anaplan's authentication system for a TEST workspace and provide you with the following information:
    • Anaplan SP URL
    • Anaplan metadata for the Anaplan service provider that can be configured on the customer IdP
    • Your "Friendly URL", such as[yourcompanysaml]
  4. Configure your IdP by applying the data in the meta-data file to register the Anaplan service provider (SP). How the IdP consumes this metadata is product-specific. The requirements for successful testing are:
    1. The Anaplan SSO server has been configured correctly, so:
      • at least one workspace is associated to the SSO server.
      • the user accessing through single sign-on has been associated with that SSO workspace.
      • the Client IdP has consumed the metadata and the metadata provided is correct.
      • the SAML assertions being passed from the IdP are known standards and therefore can be validated by the SP.
      • that the SAML attribute nameid has been configured correctly as the Anaplan associated email address.
      • if using ADFS, the relevant Claim Rules have been configured. Anaplan Support can supply these on request.
    2. A successful connection results in the display of the model tiles in the workspace(s) for which the user has SSO access. If no workspaces are visible for a user, this might be the result of incorrect workspace access for that user.
  5. Test SAML connectivity with the TEST workspace that Anaplan Support provided you by using one or two customer key users.
    • You can use pre-production IdP URLs and pre-production certificates.
    • If you also require your own pre-production or proof-of-concept workspace to test connectivity, contact Anaplan.

SSO for Production Workspace

When connectivity with the TEST workspace has been tested successfully and you are ready to move forward, request that Anaplan Support change your workspace from pre-production to production certificates and URLs. Migrate your PRODUCTION workspace to the SAML service.