To use Single Sign On (SSO) functionality for your organization, you must configure your SSO provider to work with Planview Admin before enabling SSO in Planview Admin. For example, if your organization uses Microsoft Active Directory Federation Services (ADFS) as your SSO provider, you must perform the steps in set up SSO for ADFS.
Here are answers to some frequently asked questions about the SAML configuration of Planview Admin.
Planview Admin supports both IDP- and SP-initiated authentication.
Planview Admin supports the SAML 2.0 protocol.
Planview Admin supports the following NameID formats:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
No additional attributes are required by default. If an IDP wants to use an attribute other than NameID to specify the email address of the user, they can configure which attribute Planview Admin reads from the assertion in Settings > Single Sign On Configuration > Show Advanced Configuration > SAML Username Attribute (Optional).
If your IDP does not use email addresses to identify users, you can configure Planview Admin to match on a login alias. Different organizations can refer to a login alias by different terms such as NetworkID. To configure Planview Admin to use login aliases, go to Settings > Single Sign On Configuration > Show Advanced Configuration > SAML NameID Lookup Type and select Login alias. If Planview Admin is configured to use login aliases, the users in Planview Admin must still have valid email addresses to use features such as OKRs.
The SP metadata is published to /api/saml/sp-meta.xml in the appropriate environment.
Yes, the X509 certificate is required in Signature/KeyInfo/X509Data to validate the signature of the response.
Please refer to the SP metadata to determine the supported binding methods in the Assertion Consumer Service (ACS).
No.
Yes. Planview Admin validates all signatures provided in the SAML response.
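The NameID format and Signature/KeyInfo/X509Data requirements above can be checked on a captured IDP response before SSO is enabled. The following is an added example, not Planview code: the function names and the sample response are constructed for illustration, and the check is structural only (it does not verify the signature cryptographically or handle encrypted assertions).

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# The two NameID formats this page lists as supported.
SUPPORTED = {"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", UNSPECIFIED}

def preflight(response_xml):
    """Return structural problems found in a SAML Response (empty list = none).
    Structure only: the signature is not verified cryptographically."""
    problems = []
    root = ET.fromstring(response_xml)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    else:
        # Assumption: an absent Format attribute is treated as unspecified.
        fmt = name_id.get("Format", UNSPECIFIED)
        if fmt not in SUPPORTED:
            problems.append("unsupported NameID format: " + fmt)
    signatures = root.findall(".//ds:Signature", NS)
    if not signatures:
        problems.append("no Signature element")
    for sig in signatures:
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            problems.append("Signature lacks KeyInfo/X509Data/X509Certificate")
    return problems

def sample(fmt, with_cert=True):
    """Constructed sample Response; signature and certificate are placeholders."""
    xmlns = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER"
                "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>") if with_cert else ""
    return ("<samlp:Response %s><saml:Assertion>"
            "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>%s"
            "</ds:Signature><saml:Subject><saml:NameID Format=\"%s\">"
            "user@example.com</saml:NameID></saml:Subject>"
            "</saml:Assertion></samlp:Response>" % (xmlns, key_info, fmt))

if __name__ == "__main__":
    persistent = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    print(preflight(sample(UNSPECIFIED)))
    print(preflight(sample(persistent, with_cert=False)))
```

An empty list means the response has the structure described above; each string in a non-empty list names one item to correct in the IDP configuration.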
Currently 9 hours of inactivity between requests. It's important to understand the relationship between Planview Admin and the underlying products and exactly what a "session" means when thinking about this.
Once a user authenticates with Planview Admin and is sent to the end application (AgilePlace, Portfolios, PPM Pro, and ProjectPlace), they have a session with Planview Admin but activity within the end application does not go through Planview Admin in any way and therefore does not "refresh" this session. Only further authentication requests (such as clicking a link to ProjectPlace from PPM Pro) will refresh the session.
MFA is not directly supported. Our recommended best practice is to configure SAML/SSO and set up MFA on your SAML IDP.
You can download the Planview Admin logo file here.
If your organization already uses SSO, your SSO provider must be configured to work with Planview Admin before you enable SSO in Planview Admin.
To configure your SSO provider to work with Planview Admin:
NOTES
To enable SSO in Planview Admin:
NOTE
Contact your IT department to determine which option they would prefer to use.
SSO is activated immediately in Planview Admin. If no products are activated yet, then authentication will still go through its normal process within the underlying products until Planview ID is turned on.
This document provides instruction on how to set up an application in Azure that can communicate with Planview Admin via SAML.
On the left navigation pane, select the Azure Active Directory service.
Navigate to Enterprise Applications and then select All Applications.
To add a new application, select New application.
In the Add from the gallery section, type Planview Admin in the search box.
Select Planview Admin from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
In the Azure portal, on the Planview Admin application integration page, find the Manage section and select single sign-on.
On the Select a single sign-on method page, select SAML.
On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.
In the Basic SAML Configuration section, perform the following steps:
In the Identifier (Entity ID), enter your EntityID from the Planview Admin Settings page.
In the Reply URL textbox, type a URL using the following pattern: https://<Region>.id.planview.com/api/loginsso/callback
On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button to copy the App Federation Metadata Url and save it on your computer.
You can now go to Enabling SSO in Planview Admin to finish the remaining steps to activate SSO.
If your organization uses Microsoft Active Directory Federation Services (ADFS) as your SSO provider, you must perform the following steps when setting up SSO within Planview Admin.
Planview Admin requires the Planview Admin email address to be sent in the Planview Admin namefield of the SAML Subject. This process assumes you are using the email address LDAP attribute as your Planview Admin username and configures ADFS to send it as the NameId.
To set up SSO for Microsoft ADFS:
Get LDAP Attributes
The incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1). The Outgoing claim type is Name ID and the Outgoing name ID format is Email. Pass through all claim values and click Finish.
Rule #1:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
query = ";mail;{0}", param = c.Value);
Rule #2:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
= "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
If your organization uses Okta as your SSO provider, you must perform the following steps when setting up SSO within Planview Admin.
NOTE
Using the SAML metadata URL is recommended because signing certificates can be updated without having to update Planview Admin. However, you can use the entire SAML XML metadata instead (see below).
Follow this procedure to set up an application in OneLogin that can communicate with Planview Admin via SAML.
NOTE
Using the SAML metadata URL is recommended because signing certificates can be updated without having to update Planview Admin. However, you can use the entire SAML XML metadata instead (see below).