Planview Customer Success Center

Single Sign-On (SSO) Settings for Platform Admin

What Configuration Steps Do I Need to Take to Use SSO with Platform Admin?

To use single sign-on (SSO) for your organization, you must configure your SSO provider to work with Platform Admin before enabling SSO in Platform Admin. If your organization uses Microsoft Active Directory Federation Services (ADFS) as its SSO provider, you must perform the steps in Setting up SSO for Microsoft ADFS.

           

Configuring Your SSO Provider to Work with Platform Admin

If your organization already uses SSO, your SSO provider must be configured to work with Platform Admin before you enable SSO in Platform Admin. Contact a resource in the department responsible for SSO management in your organization (such as the IT department) to perform the following procedure and receive the IDP metadata.

To configure your SSO provider to work with Platform Admin:

  1. In your SSO provider, set up a new application against the Planview ID IDP metadata located at one of the following locations:
  2. In the Reply URL field in the IDP configuration (sometimes called Assertion Consumer Service URL), add the appropriate value from the following list:
  3. Enable SSO in Platform Admin.

           

           

Enabling SSO in Platform Admin

           

NOTES

  • If your organization already uses SSO, you must first configure your SSO provider to work with Platform Admin before enabling SSO in Platform Admin.
  • Before enabling SSO in Platform Admin, Planview recommends that you have already added at least two administrators to Platform Admin and configured at least one administrator to sign in with an email address and password. This ensures that you have an administrator who can sign in if there are any initial SSO issues.

           

To enable SSO in Platform Admin:

  1. Click the Settings tab.
  2. Click Enable Single Sign On.
  3. Click one of the following options:

               

    NOTE

    Contact your IT department to determine which option they would prefer to use.

               

    • Enter the URL to download SAML metadata: If a URL is provided, the metadata will be refreshed every 24 hours.
    • Enter SAML metadata XML manually: After saving the configuration, the metadata XML is downloaded from the URL and used to connect to the IDP.
  4. (Optional) Click Show Advanced Configuration and enter a name in the SAML Username Attribute (Optional) box.
  5. (Optional) To add additional SAML attributes, click Add Attribute and set the name, name format, friendly name, and whether the attribute is required.
  6. Click Save.

    SSO is activated immediately.

           

           

Setting up SSO for Microsoft Azure AD

This section provides instructions on how to set up an application in Azure that can communicate with Planview ID via SAML.

  1. On the left navigation pane, select the Azure Active Directory service.

  2. Navigate to Enterprise Applications and then select All Applications.

  3. To add a new application, select New application.

  4. In the Add from the gallery section, type Planview ID in the search box.

  5. Select Planview ID from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

  6. In the Azure portal, on the Planview ID application integration page, find the Manage section and select single sign-on.

  7. On the Select a single sign-on method page, select SAML.

  8. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  9. In the Basic SAML Configuration section, perform the following step:

    In the Reply URL textbox, type a URL using the following pattern: https://<Region>.id.planview.com/api/loginsso/callback

  10. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button to copy the App Federation Metadata Url and save it on your computer.

  11. You can now go to “Enabling SSO in Platform Admin” to finish the remaining steps to activate SSO.

           

           

Setting up SSO for Microsoft ADFS

If your organization uses Microsoft Active Directory Federation Services (ADFS) as your SSO provider, you must perform the following steps when setting up SSO within Planview Admin.

ADFS Relying Party Claim Rules

Platform Admin requires the Planview ID email address to be sent in the NameID field of the SAML Subject. This process assumes you are using the email address LDAP attribute as your Planview ID username and configures ADFS to send it as the NameID.

To set up SSO for Microsoft ADFS:

  1. Right-click Relying Party and select Edit Claim Rules.
  2. On the Issuance Transform Rules tab, select Add Rule.
  3. Select Send LDAP Attribute as Claims as the claim rule template to use.
  4. Give the Claim a name such as Get LDAP Attributes.
  5. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to Name ID.
  6. Click Finish.
  7. Click Add Rule.
  8. Select Transform an Incoming Claim as the claim rule template to use.
  9. Enter a name such as Email to Name ID.

    The incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1). The Outgoing claim type is Name ID and the Outgoing name ID format is Email. Pass through all claim values and click Finish.

  10. If you edit the existing rules and click View Rule Language, they should match the following examples:

    Rule #1:

        c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
            => issue(store = "Active Directory",
                     types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
                     query = ";mail;{0}", param = c.Value);

    Rule #2:

        c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
            => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                     Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
                     Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
                         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
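
One way to confirm that the two rules produce what Platform Admin expects is to inspect the Subject of a decoded assertion from a test sign-in. The Python below is an added example, not Planview or Microsoft code; the sample assertions and helper names are constructed, and it checks only the NameID, not the XML signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Name ID format set by rule #2 above.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Loose shape check only; the directory remains the source of truth.
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_name_id(assertion_xml):
    """Return a list of problems with the Subject NameID (empty list = OK).

    Diagnostic only: the signature is NOT verified here, so run it on an
    assertion captured from your own test sign-in, never as an access check.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no NameID in Subject"]
    problems = []
    fmt = name_id.get("Format")
    if fmt != EMAIL_FORMAT:
        problems.append(f"Format is {fmt!r}, expected {EMAIL_FORMAT!r}")
    value = (name_id.text or "").strip()
    if not EMAIL_SHAPE.match(value):
        problems.append(f"value {value!r} is not an email address")
    return problems


def _assertion(subject_inner):
    # Constructed, unsigned sample; real assertions carry many more elements.
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"<saml:Subject>{subject_inner}</saml:Subject></saml:Assertion>")


GOOD = _assertion(f'<saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.com</saml:NameID>')
# What you would see if the account name, not the mail attribute, reached the NameID.
WRONG = _assertion('<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:'
                   'nameid-format:unspecified">EXAMPLE\\jdoe</saml:NameID>')
MISSING = _assertion("")  # no e-mail claim was issued, so no NameID

if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("wrong", WRONG), ("missing", MISSING)):
        print(label, check_name_id(xml) or "OK")
```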

           

           

Setting up SSO for Okta

If your organization uses Okta as your SSO provider, you must perform the following steps when setting up SSO within Planview Admin.

  1. In Okta, in the left pane, click Applications, and then in the main pane, click Browse App Catalog.
  2. Search for and then select Planview ID.
  3. In the Planview ID view, click Add Integration.
  4. In the General settings: Required section, you can leave the settings as is or edit them, and then click Done. The application is created.
  5. In the Sign On section, select Edit and update the Regulatory region to match the region your Planview Admin organization is set up for (US, EU, or APAC).
  6. Locate and copy the SAML metadata URL:
    1. In the Sign On section click View SAML setup instructions.
    2. Copy the URL, which is to be pasted into the Platform Admin Settings page.

                 

      NOTE

      Using the SAML metadata URL is recommended because signing certificates can be updated without having to update Platform Admin. However, you can use the entire SAML XML metadata instead (see below).

                 

  7. To use the SAML XML metadata instead of the SAML metadata URL:
    1. In the SAML Signing Certificates section, click Actions > View IdP metadata.
    2. Copy the metadata, which is to be pasted into the Platform Admin Settings page.
  8. Enable SSO in Platform Admin.

           

           

Setting up SSO for OneLogin

Follow this procedure to set up an application in OneLogin that can communicate with Planview ID via SAML.

  1. In the top bar in OneLogin, click Administration.
  2. In the menu bar, click Applications > Applications.
  3. Click the Add App button.
  4. Search for and then select SAML Custom Connector (Advanced).
  5. Enter a name and description for the application, and then click Save.
  6. In the left pane, click Configuration.
  7. Complete the following fields:
    1. Audience (EntityID): https://id.planview.com
    2. ACS (Consumer) URL Validator*: .*
    3. ACS (Consumer) URL*: Enter the URL based on your location as per Configuring Your SSO Provider to Work with Platform Admin, above.
  8. Click Save.
  9. Locate and copy the SAML metadata URL:
    1. In the SSO section, copy the Issuer URL, which is to be pasted into the Platform Admin Settings page.

                 

      NOTE

      Using the SAML metadata URL is recommended because signing certificates can be updated without having to update Platform Admin. However, you can use the entire SAML XML metadata instead (see below).

                 

  10. To use the SAML XML metadata instead of the SAML metadata URL:
    1. Click More Actions > SAML Metadata. Save the XML file, which you will use for the following step.
  11. Enable SSO in Platform Admin.
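
The ACS (Consumer) URL Validator in step 7 is a regular expression, and `.*` matches every URL. As an added example (not Planview or OneLogin code), the Python below compares that value with an anchored pattern built from the Reply URL pattern given on this page. The region label `example-region`, the test URLs, and the assumption about how the IdP applies the regex are constructed for illustration.

```python
import re

# Reply URL pattern given in the Azure AD section of this page.
CALLBACK = "https://{region}.id.planview.com/api/loginsso/callback"
PERMISSIVE = ".*"  # validator value shown in the OneLogin steps above


def strict_validator(region):
    """Anchored regex matching exactly one region's callback URL."""
    if not re.fullmatch(r"[a-z0-9-]+", region):
        raise ValueError("region must be a single lowercase DNS label")
    return "^" + re.escape(CALLBACK.format(region=region)) + "$"


def accepts(validator, acs_url):
    # Assumption: the IdP searches the requested ACS URL with the validator
    # regex, so an unanchored or catch-all pattern accepts more than intended.
    return re.search(validator, acs_url) is not None


def audit(validator, urls):
    """Return the subset of urls the validator would accept."""
    return [u for u in urls if accepts(validator, u)]


REGION = "example-region"  # constructed placeholder, not a real Planview region
LEGIT = CALLBACK.format(region=REGION)
# Constructed URLs that a validator for this application should reject.
UNINTENDED = [
    "http://example-region.id.planview.com/api/loginsso/callback",  # no TLS
    "https://example-region.id.planview.com.other.example/api/loginsso/callback",
    "https://other.example/?x=" + LEGIT,  # callback embedded in another URL
    LEGIT + "/extra",
]

if __name__ == "__main__":
    for name, v in (("permissive", PERMISSIVE), ("strict", strict_validator(REGION))):
        print(name, v, audit(v, [LEGIT] + UNINTENDED))
```

Replace `example-region` with the region prefix of your own ACS (Consumer) URL before using the generated pattern as the validator value.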