Planview Customer Success Center

Authentication With Identity Providers (SSO)

Integration With Identity Providers

See also Automatic Allocation of Requestor Licenses to New or Suspended Users via SSO Login

This page is intended for AdaptiveWork Admin users integrating AdaptiveWork with identity provider applications and includes the following sections:

About AdaptiveWork SAML Integration Infrastructure

AdaptiveWork provides out-of-the-box single sign-on (SSO) solutions built on an infrastructure that enables integration with any SAML- or SAML2-compliant identity provider.

Integrating an SAML-based SSO

In order to integrate SSO capabilities, actions are required on both the AdaptiveWork side and the IDP side, as detailed below.

AdaptiveWork Side

  1. Go to Settings⇒Global Settings
    Under Federated Authentication click edit
  2. Enable the 'Use Federated Authentication' checkbox


  3. Upload the Certificate:
    • Should be exported for the specific Identity Provider solution
    • .pem and .cer certification formats are supported


  4. Set the SAML end point in the Sign-in URL field:
    • Should be provided by specific Identity Provider solution
  5. [Optional] Set the Sign-out URL, which is the URL to which you will automatically be redirected when signing out of AdaptiveWork
  6. [Optional] Change the Relying Party Identifier (Issuer/Entity ID) from the default "AdaptiveWork"
  7. Define who can access AdaptiveWork with a user name and password instead of via SSO only.
    From the Enable Password Authentication menu select:
    1. No one (except Administrators)
    2. External users
    3. Internal users
    4. Everyone - both External and Internal users (default)
  8. [Optional] Define whether to allow API access to AdaptiveWork using SSO; to enable it, select the Enable API access checkbox
  9. [Optional] Define whether to skip the login page for unauthenticated users who open specific AdaptiveWork pages directly (for example, by clicking a link received in an email that contains the Organization ID); to enable this, select the Unauthenticated User URL redirect checkbox
  10. There are several advanced options available as detailed below
  11. Access to AdaptiveWork via an SSO is achieved via a special link and not via the AdaptiveWork login page:
    • Once the Federated Authentication settings are defined within AdaptiveWork, this link will be added to the AdaptiveWork login page under the login section.
    • The link is presented in the following format and depends on your environment as detailed above:
      https://eu1.clarizen.com/AdaptiveWork/Pa...ntityId=999999
      Where 999999 is the internal ID of your AdaptiveWork account.
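The Sign-in URL, Sign-out URL and certificate in steps 3 to 5 above normally come from the identity provider's SAML metadata document. As an added example (not AdaptiveWork's own code; it parses a constructed metadata document with a placeholder entity ID, placeholder URLs and a truncated certificate body), the following Python script pulls those values out of IdP metadata and re-wraps the certificate as a .cer/.pem body ready for the Upload Certificate step.

```python
"""Derive the AdaptiveWork Federated Authentication settings from an IdP's
SAML 2.0 metadata. Added example for this page, not AdaptiveWork's or any
IdP's own code; the metadata document below is constructed (placeholder
entity ID and URLs, truncated certificate body) purely for illustration."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; a real document is what the IdP's metadata URL returns.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://idp.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBszCCAVw=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/adfs/ls/?wa=wsignout1.0"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_der: str) -> str:
    """Re-wrap the base64 DER blob from metadata as a .cer/.pem file body,
    the format the Upload Certificate step accepts."""
    raw = base64.b64decode("".join(b64_der.split()), validate=True)
    if not raw or raw[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("X509Certificate element does not hold DER data")
    body = "\n".join(textwrap.wrap(base64.b64encode(raw).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_settings(metadata_xml: str, prefer_post: bool = True) -> dict:
    """Map IdP metadata onto the Federated Authentication fields: Sign-in URL,
    Sign-out URL, the signing certificate and the IdP issuer (entityID)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this SP metadata?")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleLogoutService", NS)}
    # A KeyDescriptor without a 'use' attribute is valid for signing too.
    certs = [c.text for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    # The Sign-in URL depends on the binding; HTTP-POST matches the
    # 'Use HTTP Post Binding' advanced option, HTTP-Redirect is the fallback.
    first, second = (POST, REDIRECT) if prefer_post else (REDIRECT, POST)
    sign_in = sso.get(first) or sso.get(second)
    if sign_in is None:
        raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService")
    return {
        "issuer": root.get("entityID"),
        "sign_in_url": sign_in,
        "sign_out_url": slo.get(REDIRECT) or slo.get(POST),
        "certificate_pem": to_pem(certs[0]),
        # More than one signing cert usually means a key rollover is in progress
        # and the second one will need uploading later.
        "signing_cert_count": len(certs),
    }


if __name__ == "__main__":
    for key, value in extract_settings(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the metadata your IdP publishes and compare the printed values with what you typed into the Federated Authentication window; a mismatch in the issuer or certificate is the usual cause of a rejected assertion.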

IDP Side

Configure your identity provider.

Note: Each identity provider may use different terms for the parameters.

Alternatively, use the metadata download to import all of your settings into your IDP.

  1. Configure your AdaptiveWork SAML end point (ACS - Assertion Consumer Service) based on the environment you are associated with:
  2. Ensure that the AdaptiveWork SAML ID for each of your identity provider's relevant users matches that user's AdaptiveWork user name field.
    Usually the identity provider lets you configure this through some type of rule (for example, the user's email).
  3. The Relying Party Identifier (Issuer/Entity ID) should match the value set on the AdaptiveWork side above; by default it is set to 'AdaptiveWork'.

Advanced options

There are several advanced options available; the more commonly used ones are explained below.

Note: When using the metadata download to import all of your settings into your IDP, be sure to first complete all of your AdaptiveWork-side setup and only then import the entire settings into your IDP.

SAML Assertion Encryption

AdaptiveWork supports SAML assertion encryption.

To support SAML assertion encryption, you either upload your own private-key certificate or use an internally generated encryption certificate; either one allows AdaptiveWork to decrypt the assertion.

To activate the encryption in AdaptiveWork:
  1. Complete Steps 1 and 2 detailed in the Integrating an SAML-Based SSO section above
  2. Open the SSO advanced options
  3. Choose the encryption certificate to be used: either select the Encrypted via internal certificate option from the menu, or:
    1. Upload your own Private Key certificate

      Once uploaded, a confirmation password message will appear.


    2. Type the certificate's password and click
    3. Confirm that the Encrypted via uploaded certificate option is selected
  4. Click

Add encryption in your IDP:
  1. Open the AdaptiveWork Properties screen
  2. Click the encryption tab
  3. Browse and upload the public certificate
  4. Apply the changes and close the Properties window

See Configuring ADFS for AdaptiveWork single sign-on (SSO) for an example

Automatic Provisioning

Please note that the SSO solutions explained above do not solve the issue of user provisioning.
You need to handle user synchronization between your identity provider and AdaptiveWork separately.

This can be done manually, automatically using the AdaptiveWork SOAP and REST web service APIs, or using AdaptiveWork's Active Directory User Sync tool.

Signed Request

The SAML request can be signed. Signed requests must be enabled in AdaptiveWork's federated authentication settings; once the setting is enabled, the authentication request certificate can be downloaded from the settings screen.

To enable signed requests:
  1. Go to Settings⇒Global Settings
  2. Under Federated Authentication click edit
    The Federated Authentication setup window opens
  3. Open the SSO advanced options
  4. Select the Use HTTP Post Binding option
  5. Select the Enable additional request features option

    Once enabled the Download Certificate button is activated
  6. Click the Download Certificate button to download the authentication request certificate
  7. Click
  8. Upload the certificate in your IDP
    See Configuring ADFS for AdaptiveWork single sign-on as an example

Download Metadata

Once you have completed your setup, defining all of the relevant steps in AdaptiveWork above, download the entire configuration as a Metadata file by clicking the Download Metadata button.

This file can then be uploaded to the Single Sign On Identity Provider to expedite the AdaptiveWork Single Sign On process.

Please see Configuring ADFS for AdaptiveWork single sign-on for an example of the upload process.
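The metadata file bundles the Relying Party Identifier, the ACS endpoint, the signed-request flag and the certificates so the IdP can import them in one go. The following Python example, added here and not AdaptiveWork's own Download Metadata implementation, assembles a standard SAML 2.0 SP metadata document from those settings (with constructed placeholder URLs and certificate bodies) and reads it back the way an IdP import does, which is a useful check before uploading to ADFS. It also covers the request-signing and encryption certificates from the Signed Request and SAML Assertion Encryption sections above.

```python
"""Assemble a SAML 2.0 SP metadata document carrying the settings this page
describes (Relying Party Identifier, ACS endpoint, signed requests, encryption
certificate) and read it back as an IdP import would. Added example of the
standard metadata format, not AdaptiveWork's own Download Metadata output;
the URLs and certificate bodies are constructed placeholders."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholder certificates (truncated base64 DER), illustration only.
SIGNING_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBszCCAVw=\n-----END CERTIFICATE-----\n"
ENCRYPTION_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBtDCCAV0=\n-----END CERTIFICATE-----\n"


def pem_body(pem: str) -> str:
    """Strip the PEM armour; metadata carries the bare base64 DER."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line and not line.startswith("-----"))


def build_sp_metadata(entity_id: str, acs_url: str, sign_requests: bool = False,
                      signing_cert_pem: str = None, encryption_cert_pem: str = None) -> str:
    """entity_id is the Relying Party Identifier ('AdaptiveWork' by default),
    acs_url the SAML end point (ACS). The signing cert is the one downloaded
    after enabling signed requests; the encryption cert is the public cert
    the IdP uses to encrypt assertions for the SP."""
    if sign_requests and not signing_cert_pem:
        raise ValueError("signed requests require the request-signing certificate")
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        "AuthnRequestsSigned": "true" if sign_requests else "false",
        "WantAssertionsSigned": "true",
    })
    for use, pem in (("signing", signing_cert_pem), ("encryption", encryption_cert_pem)):
        if not pem:
            continue
        key = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": use})
        x509 = ET.SubElement(ET.SubElement(key, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_body(pem)
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": POST, "Location": acs_url, "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def read_sp_metadata(xml_text: str) -> dict:
    """What an IdP sees on import: identifier, ACS endpoints and offered keys."""
    ns = {"md": MD, "ds": DS}
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", ns)
    if sp is None:
        raise ValueError("not SP metadata (no SPSSODescriptor)")
    return {
        "entity_id": root.get("entityID"),
        "signed_requests": sp.get("AuthnRequestsSigned") == "true",
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:AssertionConsumerService", ns)],
        "keys": {k.get("use"): k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                          namespaces=ns)
                 for k in sp.findall("md:KeyDescriptor", ns)},
    }


if __name__ == "__main__":
    doc = build_sp_metadata("AdaptiveWork", "https://sp.example.com/acs", True,
                            SIGNING_CERT_PEM, ENCRYPTION_CERT_PEM)
    print(doc)
    print(read_sp_metadata(doc))
```

Reading the file back before the upload confirms the three things ADFS keys off: the identifier matches the Relying Party Identifier in AdaptiveWork, the ACS endpoint uses the POST binding, and a signing key is present whenever AuthnRequestsSigned is true.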

Configuring ADFS for AdaptiveWork single sign-on (SSO)

AdaptiveWork has the ability to integrate with an identity provider. This integration allows your organization to provision users, provide single sign on solutions and integrate with the Microsoft Active Directory Federation Services (ADFS) 2.0 and 3.0 identity provider.

This document includes:

General ADFS Setup

This procedure uses samportal.example.com as the ADFS Web site.
Replace this with your ADFS Web site address.

  1. Log into the ADFS server and open the management console
  2. Right-click Service and choose Edit Federation Service Properties....
  3. Confirm that the General settings match your DNS entries and certificate names
    Take note of the Federation Service Identifier, since that is used in the AdaptiveWork SAML 2.0 configuration settings
  4. Browse to the certificates and export the Token-Signing certificate

    1. Right-click the certificate and select View Certificate
    2. Select the Details tab
    3. Click Copy to File….
      The Certificate Export Wizard launches
      Click Next
    4. Ensure that No, do not export the private key is selected, and then click Next
    5. Select Base-64 encoded X.509 (.cer)

      Click Next
    6. Select where you want to save the file and give it a name.
      Click Next.
    7. Select Finish
  5. Log into AdaptiveWork and follow the SSO setup instructions to activate SSO in AdaptiveWork and upload the certificate
  6. Set the Sign-in URL in AdaptiveWork based on your preferred ADFS configuration:
    1. For IDP initiated SSO:
      https://somesite/adfs/ls/idpinitiatedsignon.aspx?logintorp=AdaptiveWork (where 'somesite' should be your ADFS external server address and 'AdaptiveWork' represents the defined identifier)
    2. For SP initiated SSO:
      https://somesite/adfs/ls/ (where 'somesite' should be your ADFS external server address)
  7. Click Save.

Automatic Configuration

To configure ADFS Automatically:

  1. Open the ADFS Management console and select Relying Party Trusts.
  2. Right-click 'Relying Party Trusts'
  3. Select the 'Add Relying Party Trust...' menu item

    A wizard will open
  4. Click the ‘Start’ button
  5. Select the 'Import data about the relying party from a file' option
  6. Click 'Browse...' to locate the Metadata file downloaded from AdaptiveWork
    Click 'Next'
  7. In the ‘Display name’ type ‘AdaptiveWork’

    Click ‘Next’
  8. Ensure that Permit all users to access this relying party option is selected

    Click ‘Next’
  9. In the ‘Ready to Add Trust’ step click ‘Next’ without making any changes
  10. Ensure that the checkbox is selected and click ‘Close’ to open the ‘Edit Claim Rules’ dialog
  11. Add claim rules as detailed below

Manual Configuration

To manually configure ADFS, follow the instructions below.

Configuration summary

The ADFS should be configured with the following parameters:

Relying Party Identifier
  • Identifier: AdaptiveWork (default)
  • Advanced: Select a hash algorithm. SHA-1 and SHA-2 are supported.
  • Endpoint: POST with relevant URL

Claim Rules should only contain a simple Claims rule:
  • Send LDAP as Claims
  • Claims Rule Name: Name ID
  • Attributes store: Active Directory
  • LDAP Attributes: Email Addresses
  • Outgoing Claim Type: Name ID

ADFS Relying Party Configuration

At this point, manually configure the relying party trust:
Open the ADFS Management console and select Relying Party Trusts.

  1. Right-click the 'Relying Party Trusts'
  2. Select the 'Add Relying Party Trust...' menu item

    A wizard will open
  3. Click the 'Start' button
  4. Select the 'Enter data about the relying party manually' option

    Click 'Next'
  5. In the 'Display name' type 'AdaptiveWork'

    Click 'Next'
  6. In the 'Choose Profile' step, select the 'ADFS 2.0 profile' option

    Click 'Next'
  7. Skip the 'Configure Certificate' step by clicking the 'Next' button
  8. In the 'Configure URL' step, enter the relevant API endpoint URL
  9. In the 'Configure Identifiers' step, for the 'Relying party trust identifier' enter 'AdaptiveWork' and click the 'Add' button on the right, so that it is added to the 'Relying party trust identifiers' list

    Click 'Next' to move to the next step
  10. Ensure that the Permit all users to access this relying party option is selected

    Click 'Next'
  11. In the 'Ready to Add Trust' step click 'Next' without making any changes
  12. Ensure that the checkbox is selected and click 'Close' to open the 'Edit Claim Rules' dialog
  13. Add claim rules as detailed below

Enable SAML Assertion Encryption

To enable assertion encryption, first activate it in AdaptiveWork as explained in the SAML Assertion Encryption section above, then complete the following steps:

  1. From the main window, select AdaptiveWork and click on the 'Properties' link on the right side:
  2. Click the 'Encryption' tab
  3. Click Browse and select the Public certificate file (cer file)
  4. Click 'Apply' to confirm your selection and 'OK' to close the dialog

Enable Signed Request

The SAML request can be signed. Signed requests must be enabled in AdaptiveWork's Federated Authentication settings; once the setting is enabled, the authentication request certificate can be downloaded from the settings screen.

To enable signed requests:

  1. Open the properties of AdaptiveWork's relying party trust in ADFS
  2. Click the 'Signature' tab
  3. Click 'Add...' to upload the signature certificate downloaded from AdaptiveWork
  4. Click 'Apply' to confirm your selection and 'OK' to close the dialog

Add Claim rules

Define the relevant claim rules; for the default claim rule settings, see the Configuration summary above.

  1. In the 'Edit Claim Rules' dialog, click on the 'Add Rule...' button
  2. Ensure that the 'Send LDAP Attributes as Claims' is selected from the options in the 'Claim rule template' list

    Click 'Next'
  3. In the 'Claim rule name' input, enter 'NameID'
  4. From the 'Attribute store' select the 'Active Directory' option
  5. For the 'LDAP Attribute' select the attribute you would like to use for authentication ('E-Mail-Address' for instance) and for the 'Outgoing Claim Type' select the 'Name ID' value
  6. Click 'Finish' and 'OK' to close this dialog
  7. From the main window, select the new claim and click on the 'Properties' link on the right side:
  8. Click the 'Advanced' tab
  9. Select a hash algorithm from the list. SHA-1 and SHA-2 are supported.
  10. Click 'Apply' to confirm your selection and 'OK' to close the dialog
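Steps 3 to 5 above, like step 2 of the IDP Side section, come down to one rule: the Name ID the IdP issues must equal the AdaptiveWork user name, and the assertion must be addressed to the configured Relying Party Identifier by the configured issuer. The following Python check, an added example rather than AdaptiveWork's code, walks a constructed SAML 2.0 Response and reports every mismatch against those settings, including an expired validity window. User-name matching is assumed to be case-insensitive, and XML signature verification (which has to succeed before any of these fields can be trusted) is not shown.

```python
"""Validate the SAML 2.0 Response fields that must line up with the AdaptiveWork
settings: Issuer (the IdP), Audience (the Relying Party Identifier, 'AdaptiveWork'
by default), NameID (the AdaptiveWork user name) and the validity window.
Added example, not AdaptiveWork's code; the response below is constructed.
The XML signature check that must precede these comparisons is not shown."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (placeholder issuer and user, no Signature element).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>AdaptiveWork</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def saml_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing 'Z'; fractional seconds allowed."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, expected_issuer: str, expected_audience: str,
                   user_names, now: datetime, skew: timedelta = timedelta(seconds=60)) -> list:
    """Return a list of problems; an empty list means the assertion maps cleanly
    onto a known AdaptiveWork user. user_names is the set of user name field
    values; matching is case-insensitive here (an assumption of this example)."""
    problems = []
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion must be decrypted with the SP's key first.
        return problems + ["no plain Assertion element"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not the configured IdP")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience!r}")
    conds = assertion.find("saml:Conditions", NS)
    if conds is not None:
        not_before, not_on_or_after = conds.get("NotBefore"), conds.get("NotOnOrAfter")
        if not_before and now + skew < saml_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - skew >= saml_time(not_on_or_after):
            problems.append("assertion expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("assertion carries no NameID")
    elif name_id.lower() not in {u.lower() for u in user_names}:
        problems.append(f"NameID {name_id!r} matches no AdaptiveWork user name")
    return problems


if __name__ == "__main__":
    users = {"jane.doe@example.com", "bob@example.com"}
    idp = "http://idp.example.com/adfs/services/trust"
    print(check_response(SAMPLE_RESPONSE, idp, "AdaptiveWork", users,
                         saml_time("2024-05-01T12:01:00Z")))
```

The audience check is the one most often missed: if the Relying Party Identifier in ADFS and the value in AdaptiveWork's Federated Authentication window differ, every otherwise valid assertion is rejected, which presents as a login loop rather than an obvious error.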

Configuring OneLogin

User Management Configuration via OneLogin (LDAP Integration)

This page is intended for AdaptiveWork Admin users setting up SSO capabilities and includes the following sections:

About Automatic User Management Option

The Automatic User Management option is configured in OneLogin solution.
OneLogin uses AdaptiveWork's API to provision, update, suspend and delete users according to the changes in its user repository and the configuration set by the administrator.

Figure 1: Automatic User Management Diagram

Configuration

The following steps are used to automatically configure OneLogin to provision users to AdaptiveWork:

Configuration Steps

  1. To begin the process, you are required to have a OneLogin account in place. It is recommended to add and configure your
    organization's LDAP connector to OneLogin in order to create the user identity repository in OneLogin automatically, and
    to use the corporate network authentication as the single sign-on authentication.
    To learn more about creating a OneLogin account and configuring your LDAP connector, please visit the OneLogin web site.
  2. Create a new role that defines which of your OneLogin users are connected to the AdaptiveWork agent in OneLogin.
    You can create this role by navigating to People → Roles → New Role.
  3. Navigate to Apps → Find app tab in OneLogin and search for the 'AdaptiveWork' application.
  4. Click the Add link in order to add it to your list of applications in OneLogin.
  5. Click continue to be able to edit the application data.
  6. The authentication tab should appear as follows:

Figure 2: Authentication Tab

You do not need to change any of the basic default settings, with one exception: you might want to change the 'Send Invitation Email' setting.

This checkbox defines whether AdaptiveWork users receive an invitation email from AdaptiveWork when they are automatically provisioned by OneLogin.

Note: Two additional fields might appear here. The following table contains the field values to apply:

  Field               Value
  Customer URL
  WSDL Document URL
  7. Click the API tab and set your organization's administrator credentials (AdaptiveWork Admin credentials used for provisioning
    operations). These credentials are used to identify the AdaptiveWork organization to which you provision your users.

    The AdaptiveWork agent provisioning process can be connected or disconnected on the same tab.

    After clicking Connect, the Provisioning tab becomes available.

Figure 3: API Tab

  8. Click the Provisioning tab to configure the provisioning preferences.

Figure 4: Provisioning Tab

The Manually approve setting defines which management actions require administrator approval and which occur automatically. Actions are approved or revoked by navigating to People → Provisioning → Provisioning Tasks within OneLogin.

The setting Deprovisioning action defines what action to take within AdaptiveWork on de-provisioning events.

A de-provisioning event may happen when a user is deleted from OneLogin, removed from an AdaptiveWork-assigned role, or if AdaptiveWork is removed from OneLogin altogether.

Action options when a de-provisioning event occurs are to either change the user's state to 'Deleted' within AdaptiveWork, change the user's
state to 'Suspended' within AdaptiveWork, or to do nothing.

  9. Click the Access Control tab, and select the role that you created in Step 2 of the Configuration Steps.

Figure 5: Access Control Tab

Seeing it Work

Navigate to People → Users and manually add people to your AdaptiveWork role, or create a mapping via People → Mappings that sets
this role automatically for your users according to filters set by you.


Users that have the AdaptiveWork role are automatically added to the Login tab in the AdaptiveWork application configuration.
They are processed automatically or pending authorization, depending on your OneLogin 'Manual Approve' settings.

You can view and authorize provisioning processes via People → Provisioning and see the results in the People module in AdaptiveWork.

Figure 6: Logins Tab

Configuring Azure Active Directory

To see a guide on configuring Azure Active Directory, click here.

Configuring OKTA

To see a guide on configuring OKTA, click here.