Planview Customer Success Center

Install SSO using SAML for Azure Active Directory implementations (HTTPS required)

Pre-installation steps for SSO

Before you begin, you must perform the Pre-installation steps for Single sign-on (SSO).

Collect configuration parameters


Determine the values for the configuration parameters in the following table.

Enterprise_URI
    The domain identifier that you use for Changepoint, for example: https://changepoint.abc.corp

Enterprise_Path
    The location of the web application files. Default: <cp_root>\Enterprise\

ReportDesigner_URI
    The domain identifier that you use for Report Designer, for example: https://reportdesigner.abc.corp

ReportDesigner_Path
    The location of the Report Designer web application files. Default: <cp_root>\ReportDesigner\

Changepoint_RSA_Cookie_Transform
    The name of the certificate that you use for cookie encryption. Default: "CN=ChangepointCookieCertificate"

Enterprise_SigningCertificate_Name
    The name of the certificate that you use for signing messages. Default: "CN=ChangepointSigningCertificate"

Enterprise_SigningCertificate_Thumbprint
    The thumbprint of the certificate that you use for signing messages. Default: "78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5"

SAML_Identity_Provider
    The SAML Identity Provider URI, which is the SAML sign-on endpoint, for example: https://login.microsoftonline.com/bf...8e1fff06/saml2
    To determine the endpoint, see "Determine the SAML sign-on endpoint" below.
    Ensure that the SAML_Identity_Provider is in the Intranet zone of the end user's browser.

SAML_Identity_Provider_Type
    The type of the SAML Identity Provider. Enter: No binding.

SAML_Issuer
    The SAML Issuer required by the IdP. Leave blank.

SAML_Identity_Provider_Signing_Key
    The SAML Identity Provider signing key required by the IdP. Leave blank.

ClaimType
    The SSO claim type. Default: upn

Create application

  1. In IIS, under Enterprise, convert the RP-STS_SAML folder to an application:
    • Alias name: RP-STS_SAML
    • Physical path: <cp_root>\Enterprise\RP-STS_SAML
    • Authentication: Anonymous and Forms Authentication
    • Application pool: Application Pool
  2. Add Default.aspx to the Default Documents for the application.
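The two IIS steps above can also be scripted; the following is an added example, not part of the Changepoint installer. It assumes the IIS site is named "Enterprise", that <cp_root> is C:\Changepoint, and that the target application pool is the one the page calls "Application Pool"; adjust those values to your installation.

```powershell
# Added example (not Changepoint's own code): converts the RP-STS_SAML folder to an IIS
# application, sets Anonymous + Forms authentication and adds Default.aspx as a default document.
Import-Module WebAdministration

$site     = 'Enterprise'            # assumption: name of the IIS site that hosts Changepoint
$alias    = 'RP-STS_SAML'
$cpRoot   = 'C:\Changepoint'        # assumption: replace with your <cp_root>
$pool     = 'Application Pool'      # assumption: replace with the pool used by the Enterprise site
$physical = Join-Path $cpRoot "Enterprise\$alias"
$appPath  = "IIS:\Sites\$site\$alias"

if (-not (Test-Path $physical)) { throw "Folder not found: $physical" }

# Step 1: convert the existing folder to an application (skipped if it already is one).
if (-not (Get-WebApplication -Site $site -Name $alias)) {
    New-WebApplication -Site $site -Name $alias -PhysicalPath $physical -ApplicationPool $pool | Out-Null
}

# Step 1, authentication: Anonymous is an IIS (applicationHost.config) setting scoped by location;
# Forms is an ASP.NET setting that lands in the application's web.config.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$alias" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appPath -Filter 'system.web/authentication' -Name mode -Value 'Forms'

# Step 2: add Default.aspx to the default documents unless it is already present (inherited entries
# count, and adding a duplicate collection entry is an error).
$docs = (Get-WebConfigurationProperty -PSPath $appPath -Filter 'system.webServer/defaultDocument/files' -Name Collection).value
if ('Default.aspx' -notin $docs) {
    Add-WebConfigurationProperty -PSPath $appPath -Filter 'system.webServer/defaultDocument/files' `
        -Name '.' -Value @{ value = 'Default.aspx' }
}

# Show what was configured so it can be compared against the steps above.
Get-WebApplication -Site $site -Name $alias | Select-Object path, PhysicalPath, applicationPool
Get-WebConfigurationProperty -PSPath $appPath -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
```

Run it from an elevated PowerShell prompt on the web server; it does not touch Windows Authentication, so disable that separately if your site has it enabled.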

Create relying party trust

  1. Log in to the Microsoft Azure management portal at https://portal.azure.com with sufficient permissions.
  2. In the left pane, click Azure Active Directory.
  3. In the Active Directory left pane, click Enterprise applications.
  4. In the main work area, click New application > Non-gallery application.
  5. In the Add your own application section, enter the new application name [YourAppName] and then click Add.
  6. In the Active Directory left pane, click Single Sign-On.
  7. In the Select a single sign-on method section, select SAML.
  8. On the Set up single sign-on with SAML section, click to use the "old experience" view, and then complete the following fields:
    1. Identifier (EntityID): a value that uniquely identifies the application for which single sign-on is being configured, such as https://[YourAppName]/RP-STS_SAML/
    2. Reply URL (Assertion Consumer Service URL): The reply URL is where the application expects to receive the SAML token. This is also referred to as the Assertion Consumer Service (ACS) URL.

      https://[YourAppName]/RP-STS_SAML/SAML/AssertionConsumerService.aspx

      Note: You must include the end slash.

    3. Select the Show advanced URL settings check box.
    4. Sign on URL: where the user goes to sign in to this application:

      https://[YourAppName]/

    5. Relay State: [leave it blank]
    6. (In section 3 User Attributes) User Identifier: leave the default value as: user.userprincipalname
    7. Click Save.
  9. In the Active Directory left pane, click Users and Groups:
    1. Add the users who require access to the application.
    2. Click Select.
    3. Click Assign.

Determine the SAML sign-on endpoint

  1. Log in to the Microsoft Azure management portal at https://portal.azure.com with sufficient permissions.
  2. In the left pane, click Azure Active Directory.
  3. In the Active Directory left pane, click Enterprise applications.
  4. Search for the application [YourAppName] that you just created, and click it.
  5. In the Active Directory left pane, click Single sign-on.
  6. In the Single Sign-on with SAML section, click the "Try our new experience" link.
  7. In the Step 4 Set up "YourAppName" section, note the value of Login URL. This URL is the value of the SAML_Identity_Provider parameter in the table above.
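Before running the configuration script, it is worth checking the values from the parameter table and the Azure AD form together; the following pre-flight check is an added example, not part of Changepoint or of Configuration_SSO_SAML.ps1. It assumes the signing and cookie certificates live in the LocalMachine\My store, and the tenant id in the Login URL is a placeholder you replace with the value noted in step 7.

```powershell
# Added pre-flight check (not Changepoint's own code). Replace the placeholder values with the
# ones collected in the parameter table and the Azure AD application.
$Enterprise_URI         = 'https://changepoint.abc.corp'                        # example from the table
$AppName                = 'YourAppName'                                          # [YourAppName] from the Azure AD steps
$SAML_Identity_Provider = 'https://login.microsoftonline.com/<tenant-id>/saml2'  # placeholder: paste the Login URL
$SigningThumbprint      = '78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5'             # default from the table
$SigningCertName        = 'CN=ChangepointSigningCertificate'
$CookieCertName         = 'CN=ChangepointCookieCertificate'

$problems = @()

# 1. HTTPS is required for the application and for the IdP sign-on endpoint.
foreach ($u in @($Enterprise_URI, $SAML_Identity_Provider)) {
    if ($u -notmatch '^https://') { $problems += "Not an HTTPS URL: $u" }
}
if ($SAML_Identity_Provider -like '*<tenant-id>*') { $problems += 'SAML_Identity_Provider still holds the placeholder' }

# 2. Values to enter in the Azure AD SAML form, derived from the app name. The Identifier keeps
#    its trailing slash; the Reply URL is the ACS page inside the RP-STS_SAML application.
$Identifier = "https://$AppName/RP-STS_SAML/"
$ReplyUrl   = "https://$AppName/RP-STS_SAML/SAML/AssertionConsumerService.aspx"
$SignOnUrl  = "https://$AppName/"

# 3. The signing certificate must exist under the expected thumbprint, carry the expected subject,
#    have a private key (the application pool signs with it) and not be expired.
$store   = Get-ChildItem -Path Cert:\LocalMachine\My
$signing = $store | Where-Object { $_.Thumbprint -eq $SigningThumbprint } | Select-Object -First 1
if (-not $signing) {
    $problems += "No certificate with thumbprint $SigningThumbprint in LocalMachine\My"
} else {
    if ($signing.Subject -notlike "$SigningCertName*") { $problems += "Thumbprint $SigningThumbprint belongs to '$($signing.Subject)', expected $SigningCertName" }
    if (-not $signing.HasPrivateKey) { $problems += 'Signing certificate has no private key' }
    if ($signing.NotAfter -lt (Get-Date)) { $problems += "Signing certificate expired on $($signing.NotAfter)" }
}

# 4. The cookie-encryption certificate is referenced by subject name and also needs a private key.
$cookie = $store | Where-Object { $_.Subject -like "$CookieCertName*" -and $_.HasPrivateKey } | Select-Object -First 1
if (-not $cookie) { $problems += "No certificate with subject $CookieCertName and a private key in LocalMachine\My" }

# 5. Print the values to paste into Azure AD, then any problems found.
"Identifier (EntityID): $Identifier"
"Reply URL (ACS):       $ReplyUrl"
"Sign on URL:           $SignOnUrl"
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
'Pre-flight checks passed.'
```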

Execute configuration script

Use the information collected in the table above to modify the configuration of the websites.

  1. Open a PowerShell prompt.

    Note: If the server has User Account Control enabled, you must open the PowerShell prompt using elevated administrator permissions.

  2. Navigate to the configuration directory, default:

    <cp_common>\Configuration\Enterprise

  3. Execute:

    ./Configuration_SSO_SAML.ps1

  4. Follow the prompts.