
Planview Customer Success Center

Administrator Setup - 3.Enabling SSO with PV Admin

Overview

Planview Admin allows federated authentication through its in-product Planview Admin SSO capability. This enables users to log in to AdaptiveWork in multiple ways:

  • From the AdaptiveWork login page via Federated Authentication
  • Directly from Planview Admin by clicking the AdaptiveWork tile
  • From your organization's IdP (Okta, Azure AD, etc.)

Planview Admin becomes the centralized Identity Provider (IdP), providing a unified access and authentication mechanism across different Planview products and services. This simplifies administration and provides consistent security policies across your Planview deployment.

Prerequisites for Enabling Planview Admin Authentication

CRITICAL: Do not skip these steps. Enabling Planview Admin authentication without completing these prerequisites will result in user lockouts.

Prerequisite 1: Configure Your Identity Provider to Work with Planview Admin

Prerequisite 1 applies only to organizations that use SSO with Planview Admin. If your organization does not use SSO, you can skip this prerequisite.

Planview Admin will act as the centralized authentication broker between AdaptiveWork and your organization's Identity Provider. Your IdP must be configured to work with Planview Admin before you enable SSO in Planview Admin.

What this means: Your IT department will configure your IdP (Okta, Azure AD, Microsoft Entra ID, ADFS, etc.) to recognize Planview Admin as a trusted application. Once complete, Planview Admin becomes the authentication provider that AdaptiveWork connects to.

Steps (Performed by Your IT/SSO Department in Your IdP):

  1. Access Planview Admin's Service Provider (SP) Metadata:
    • Navigate to Planview Admin > Settings > Single Sign-On > IT Configuration
    • Copy the SP metadata (you can use the Copy all button or Mail to link button to send it to your IT department)
  2. Configure Your IdP:
  3. Configure your IdP's Reply URL (ACS URL) — add the appropriate URL for your region:
    • US: https://us.id.planview.com/api/loginsso/callback
    • EU: https://eu.id.planview.com/api/loginsso/callback
    • APAC: https://ap.id.planview.com/api/loginsso/callback
  4. Obtain your IdP's SAML metadata — your IT department should provide either a metadata URL (recommended) or an XML metadata file.
  5. Verify SSO is configured and working in PV Admin — SSO must be fully configured and tested in PV Admin before enabling it for this integration. See: [Configure SSO in Planview Admin].
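
An added pre-flight check for steps 3 and 4 above (example code, not Planview's): it confirms that the Reply URL entered in the IdP matches one of the regional ACS URLs exactly, and that the IdP's SAML metadata carries an entity ID, a signing certificate and HTTPS sign-in endpoints. The function names and the sample metadata for idp.example.com are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Regional Reply (ACS) URLs, copied from the steps above.
ACS_URLS = {
    "US": "https://us.id.planview.com/api/loginsso/callback",
    "EU": "https://eu.id.planview.com/api/loginsso/callback",
    "APAC": "https://ap.id.planview.com/api/loginsso/callback",
}

def acs_region(reply_url):  # exact match only: http:// or a trailing slash gives None
    return next((r for r, u in ACS_URLS.items() if reply_url.strip() == u), None)

def check_idp_metadata(xml_text):
    """Return a list of problems in IdP SAML metadata; empty means it passed."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID"):
        problems.append("root is not an EntityDescriptor with an entityID")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor (is this SP metadata?)"]
    # A KeyDescriptor without a 'use' attribute also applies to signing.
    certs = [c for k in idp.findall(MD + "KeyDescriptor")
             if k.get("use", "signing") == "signing"
             for c in k.iter(DS + "X509Certificate") if (c.text or "").strip()]
    if not certs:
        problems.append("no signing certificate")
    locations = [s.get("Location", "") for s in idp.findall(MD + "SingleSignOnService")]
    if not locations:
        problems.append("no SingleSignOnService endpoint")
    problems += ["non-HTTPS sign-in URL: " + u for u in locations if not u.startswith("https://")]
    return problems

# Constructed sample metadata (hypothetical IdP; the certificate is a placeholder).
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Location="https://idp.example.com/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE), acs_region(ACS_URLS["EU"]))
```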

Prerequisite 2: Activate Users in Planview Admin

When AdaptiveWork is added as a product in Planview Admin, users are automatically synced from AdaptiveWork in a "pending" status. These pending users cannot authenticate to Planview Admin because they have not been activated.

Once you enable Planview Admin authentication in AdaptiveWork (the steps below), all user login attempts will be redirected to Planview Admin. If users are still in "pending" status, they will be unable to authenticate, resulting in a complete system lockout.

Activation Instructions:

Refer to the official Planview Admin documentation on Managing Users for complete step-by-step instructions on activating users.

The official documentation covers:

  • How to navigate to the Users screen in Planview Admin
  • How to identify and select users in "Pending" status
  • How to activate users in Planview Admin
  • How to configure users for SSO vs. password authentication
  • Special scenarios for service accounts and break-glass access

The notification settings page in the help describes what happens in this scenario, depending on how notifications are configured:

  1. If the customer does not use SSO and the notification settings are OFF (the default setting), no notification is sent to users on product connection and user sync. In this case, you must do a bulk resend of the invitation to all users in PV Admin for that organization so that they receive the welcome email.

  2. If the customer does not use SSO and the notification settings are ON, a notification is sent to users on product connection and user sync. In this case, all users receive the welcome email on sync, and an administrator does not need to do a bulk resend.

General Guidance:

  • Regular users: Should be activated for SSO authentication (they will authenticate through your configured IdP)
  • Service accounts and break-glass access: May require password-based activation depending on your organization's security policies
  • Testing: Test activation with at least one sample user to ensure they can successfully log into Planview Admin before enabling the feature for AdaptiveWork
  • Verification: Have the sample user log into Planview Admin and confirm they are successfully authenticated through your IdP

If you have difficulty activating users: Contact Planview Support and reference this prerequisite. User activation is a critical step to prevent lockouts, and support can guide you through the process for your specific setup.

 

Prerequisite 3: Verify Everything is Ready Before Proceeding

Do not enable Planview Admin authentication in AdaptiveWork until you have verified ALL of the following:

  • ✅ Your IdP is properly configured in Planview Admin's SSO settings
  • ✅ You can successfully log into Planview Admin via SSO (tested with both admin and non-admin users)
  • ✅ All regular users are activated in Planview Admin (status shows "Active", not "Pending")
  • ✅ Service/break-glass accounts (if any) are activated with password authentication

If any of these are not complete, enabling Planview Admin authentication will cause user lockouts with the error: "AdaptiveWork could not verify SSO signature and could not log you in."

PV Admin allows Federated Authentication through its in-product PV Admin SSO capability.

This allows users to log in to AdaptiveWork not only through the traditional login page but also directly from PV Admin, providing a centralized access and authentication mechanism across different Planview products and services.

To enable PV Admin SSO, the Administrator follows the steps below:

In Planview Admin

1. In PV Admin, select the Products tab, then in the Planview AdaptiveWork tile:

  • Click the 3 dots next to Manage Product > select Enable Planview Admin authentication

OR

  • Click Manage product

  • Click Enable Planview Admin authentication in the upper right corner

2. Select Yes when prompted with the Enable Planview Admin authentication pop-up.

3. You are notified that Planview Admin authentication is now enabled.

4. PV Admin indicates the new status in the upper right corner.

 

In AdaptiveWork

Enabling Planview Admin authentication makes the following updates in the AdaptiveWork Settings > Global Settings > Federated Authentication pop-up:

5. The Enable Federated Authentication checkbox is checked

6. Enable PV Admin SSO/SAML is enabled

7. The following parameters are automatically populated:

  • Certificate*
  • Sign-in URL*
  • Sign-out URL*
  • Relaying Party Identifier*
  • Enable Password authentication (set to Everyone (internal and external))
  • Enable API access (checked)
  • Unauthenticated User URL redirect (unchecked)
  • Enable Request Access (unchecked)
  • Requester Access Profile (blank)
  • Authentication Context (checked)*
  • Name ID Format (set to SAML:1.1 Unspecified)*
  • Assertion Decryption Certificate (set to Disabled)*
  • Use POST (unchecked)*
  • Support IDP Initiated RelayState (unchecked)*
  • Advanced Verification (checked)*
  • Advanced Request (unchecked)*

 

* locked for editing (only updateable via API)


 

With Planview Admin authentication (SSO) successfully enabled, users can now log in to AdaptiveWork in the following 2 ways:

  • From the AdaptiveWork login screen > Connect via Federated Authentication

  • Via Planview Admin, by clicking the AdaptiveWork tile in the Overview tab