Planview Customer Success Center

Enable Single-Sign-On (SSO)

Enabling Single-Sign-On (“SSO”) for your AgilePlace account will allow your users to access the account without having to use a separate AgilePlace username and password. SSO is included in AgilePlace.

How Does SSO Work?

When SSO is enabled and configured for your AgilePlace account, logging in to the account is simple:

  1. Users go to the URL of their AgilePlace account where they will see a Continue button instead of the usual username and password fields.
  2. After clicking the Continue button, users are either taken straight into the account, or directed first to a login page for your organization’s authentication mechanism, depending on how SSO is configured, after which they are taken into the account.

There are three parties involved in the SSO process:

  • The principal (the AgilePlace user),
  • The service provider (“SP”) (in this case AgilePlace), and
  • The identity provider (“IdP”) (authentication service operated by the customer).

AgilePlace’s SSO system uses Security Assertion Markup Language (“SAML”) to authenticate users with your organization. SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between systems, in this case, between your IdP and your SP, AgilePlace.

AgilePlace currently supports SAML version 2.

There are two ways that the SSO feature can be configured for users to sign in to AgilePlace:

Being redirected to sign in to your IdP:

  1. The user goes to your AgilePlace URL and clicks Continue.
  2. They are then redirected to an external login page generated by your IdP.
  3. The user will then enter their company credentials in your login form.
  4. Then your IdP sends an encrypted SAML response to AgilePlace’s servers.
  5. AgilePlace decrypts this response using your Public Signing Certificate.
  6. In the decrypted response AgilePlace finds the user identifier (email or external user ID) and checks it against the AgilePlace account.
  7. Finally, if the user identifier matches with the AgilePlace account, the AgilePlace system allows the user into the AgilePlace account.

Being taken directly into the account:

  1. The user goes to your AgilePlace URL and clicks Continue.
  2. AgilePlace servers then send a SAML request to your IdP.
  3. The request includes information about the AgilePlace account being accessed.
  4. Your IdP sends an encrypted SAML response to AgilePlace’s servers.
  5. AgilePlace decrypts this response using your Public Signing Certificate.
  6. In the decrypted response AgilePlace finds the user identifier (email or external user ID) and checks it against this AgilePlace account.
  7. Finally, if the user identifier matches with the AgilePlace account, the AgilePlace system allows the user into the account.
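An added example (not AgilePlace's code) of the checks a service provider makes in steps 6 and 7 of both flows, once the response's signature has been validated against the IdP certificate. The sample response, the `orghostname` placeholder, the request ID and the function name are constructed for illustration; treating the external login URL as the response's `Destination` is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"p": P, "a": A}
OK = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Placeholder hostname (assumption); the path follows the URL format on this page.
ACS = "https://orghostname.leankit.com/Account/Membership/ExternalLogin"

# Constructed sample response; the signature element is left out here.
SAMPLE = f"""<p:Response xmlns:p="{P}" xmlns:a="{A}" ID="_r1"
    InResponseTo="_req42" Destination="{ACS}">
  <p:Status><p:StatusCode Value="{OK}"/></p:Status>
  <a:Assertion ID="_a1">
    <a:Subject><a:NameID>pat@example.com</a:NameID></a:Subject>
    <a:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </a:Assertion>
</p:Response>"""

def _ts(value):  # whole-second UTC timestamps, as in the sample above
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, known_users, now, request_id=None):
    """Return the matched user identifier or raise ValueError (signature already verified)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{P}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != OK:
        raise ValueError("IdP did not report success")
    if root.get("Destination") != ACS:
        raise ValueError("response addressed to a different endpoint")
    # Request-based flow: the response must answer the request that was sent.
    if request_id is not None and root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match the request")
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    cond = assertions[0].find("a:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not nb or not noa or not _ts(nb) <= now < _ts(noa):
        raise ValueError("assertion outside its validity window")
    name_id = assertions[0].find("a:Subject/a:NameID", NS)
    user = (name_id.text or "").strip() if name_id is not None else ""
    if user not in known_users:
        raise ValueError("user identifier not in this account")
    return user
```

Pass `request_id` only for the flow in which a SAML request was sent; for the other flow the `InResponseTo` check is skipped and the remaining checks still apply.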

Turn on SSO in your AgilePlace Account

To have SSO turned on for your AgilePlace account, email support@leankit.com. We’ll need a few things from you so that the process goes as quickly and easily as possible.

What You Need from Us

  1. AgilePlace’s external login URL format: https://<OrgHostName>.leankit.com/Account/Membership/ExternalLogin

Optionally:

  • Your security engineer can use this file to automate SAML configuration in your IdP system. The file will need to have the 'hostname' text edited in two places within the file to match the hostname of your AgilePlace account.

What We Need from You:

  1. The external login URL: a login page for your IdP to which we would redirect users; and
  2. Your Public Signing Certificate, with which we’ll decrypt the SAML responses.

Here’s a request you can copy, fill in with your own information, and send to support via email:

I would like to turn on SSO for [LeanKit domain].
The external login URL is: [provide URL here].
Our Public Signing Certificate is attached to this email [attach Public Signing Certificate].

Questions or comments about the SSO enablement process should be directed to the Support Team (support@leankit.com).

Things to be aware of when enabling SSO:

  1. Once enabled, all user passwords will be reset to a random value, breaking any current integrations you may be using via the API. To avoid this, please provide us a list of active API users so we can exclude them from this reset.
  2. Once your request has gone through, our Support team will provide you with an AgilePlace SSO test account so that you can point your IdP to the correct place.
  3. Adding users to an AgilePlace account after SSO is enabled requires the Admin to manually create each new user (first name, last name, email address, time zone, and a randomized password). You can no longer invite via email address.