Planview Customer Success Center

Use SSO with ProjectPlace

Enabling Single-Sign-On (SSO) for your ProjectPlace account allows users to authenticate using your existing SSO infrastructure instead of using a separate username and password for ProjectPlace. SSO is available free of charge for all ProjectPlace accounts.

How SSO Works with ProjectPlace

ProjectPlace supports SSO through the SAML 2.0 protocol. Once enabled, ProjectPlace supports two ways for users to log in with SSO: Service Initiated SSO and Identity Provider Initiated SSO.

If a user without a ProjectPlace user account logs in using your organization’s IdP, a new user account will be automatically created through a process called Just in Time (JIT) Provisioning.

Service Initiated SSO

The user experience with Service Initiated SSO is very similar to logging in with a username and password. The user goes to the login page to log in. When the user enters their username, ProjectPlace identifies that the user is supposed to authenticate using SSO and redirects the user to the configured IdP. After successful authentication with the IdP, the user is transferred back to ProjectPlace and logged in.

Identity Provider Initiated SSO

Most SAML Identity Providers offer a portal where users can access the apps that are available to them from a dashboard. The process of logging in to ProjectPlace this way differs from IdP to IdP; generally, users begin by going to the IdP and logging in with their user credentials. After successful authentication, the user will be presented with a list of available apps. After selecting ProjectPlace, the user will be sent to ProjectPlace and logged in.

SSO Requirements

SAML Identity Provider

ProjectPlace supports Single-Sign-On (SSO) through the SAML 2.0 protocol. To enable SSO, your organization needs to have a SAML identity provider (IdP). Some examples of SAML identity providers are:

  • Microsoft Active Directory Federation Service (ADFS)
  • Microsoft Azure Active Directory
  • Okta
  • OneLogin
  • PingOne Ping Identity

Install ProjectPlace SAML Metadata

Before requesting activation from ProjectPlace, install ProjectPlace’s SAML metadata in your IdP.

Request Activation

To request activation, the ProjectPlace account owner must open a new case with Planview Customer Care, either through the Customer Care Community or email. In your request, make sure to include the following information:

  • SAML Metadata URL: The case must include a URL to your organization's SAML metadata. ProjectPlace will update the SAML configuration for your account daily, making certificate updates seamless. If your IdP does not expose the metadata through a URL, attach the metadata as a static XML file. In this case, you need to open a new case with Planview Customer Care every time the signing certificates need to be updated.
  • Enforced SSO Disablement: When SSO is enabled for a ProjectPlace account, all users must use the configured IdP for authentication. Logging in using a username and password is no longer allowed for users that belong to the account. However, there might be cases when this does not work for your organization; for example, when there are users that belong to the account but do not exist in the IdP. For this purpose, enforced SSO can be disabled in ProjectPlace. If this is the case for your organization, make sure to mention it when requesting activation for your account.
  • SSO Test Users: ProjectPlace supports rolling out SSO to a subset of the users on your account, in order to validate that the SSO integration is working properly. When requesting to have SSO activated, please include the username of one or a few test users that should have SSO enabled before it’s made available to all users. The activation for all users won’t happen until it’s confirmed that SSO is working correctly.

Required SAML Claims

To authenticate a user, ProjectPlace requires three SAML claims: NameID, firstname, and lastname. The NameID attribute must be in email address format and be a unique address identifying the user. It must be possible for ProjectPlace to send email notifications to the address specified in the NameID. If the NameID attribute can't be configured this way in your IdP, it can be overridden by providing the emailaddress attribute. If the emailaddress attribute is provided, ProjectPlace takes the user's email from that field and ignores the NameID attribute. When the emailaddress attribute is used, the same conditions (email format, uniqueness, working mailbox) apply to it as normally apply to the NameID field. The firstname and lastname claims should contain the first and last name of the user.

If you want to send SAML Claims with a different attribute name, a custom attribute mapping between your IdP and ProjectPlace can be configured. If so, please include the attribute names that your IdP will use in the submitted case when requesting to have SSO configured for your ProjectPlace account.

In addition to the required claims, ProjectPlace supports several optional claims to populate a user’s profile; see the Supported SAML Claims section for more details.

All configured SAML claims are updated every time a user logs in to ProjectPlace. For example, if a user's last name is changed in the IdP, the last name in their ProjectPlace user profile will be updated the next time they log in. The exception is the NameID and emailaddress claims, since they are used to identify the user. If the NameID (or the emailaddress field, if present) is changed, the user will appear as a new user to ProjectPlace and a new user account will be created.

SAML Claim Mapping

It’s possible to configure a custom mapping between any SAML claims sent from the IdP to ProjectPlace.

Please indicate which SAML claims ProjectPlace should expect and whether your IdP will use the default attribute names used by ProjectPlace (“firstname”, “lastname”, etc.), the default attribute names used by the IdP software, or custom attribute names.
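
A pre-flight check for the required-claim rules and the custom mapping described above, as an added example (not Planview's code): it parses a sample assertion from your IdP, applies a mapping, and reports missing required claims and which value would identify the user. The attribute names givenName, sn and mail, the mapping, and the email regex are assumptions for illustration, and the script does not verify the assertion's signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstname", "lastname")  # NameID/emailaddress is checked separately
# Assumption: a simple shape check; ProjectPlace's own validation is not documented.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: unsigned assertion from a hypothetical IdP that sends
# LDAP-style attribute names and a non-email NameID.
SAMPLE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical custom mapping: IdP attribute name -> ProjectPlace claim name.
MAPPING = {"givenName": "firstname", "sn": "lastname", "mail": "emailaddress"}


def check_claims(assertion_xml, mapping=None):
    """Return (identity, claims, problems) following the rules described above."""
    mapping = mapping or {}
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", "", NS).strip()
    claims = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", "", NS).strip()
        name = attr.get("Name", "")
        claims[mapping.get(name, name)] = value
    problems = [f"missing required claim: {c}" for c in REQUIRED if not claims.get(c)]
    # emailaddress, when present, replaces NameID as the value identifying the user.
    source = "emailaddress" if claims.get("emailaddress") else "NameID"
    identity = claims.get("emailaddress") or name_id
    if not EMAIL_RE.match(identity):
        problems.append(f"{source} is not in email address format: {identity!r}")
    return identity, claims, problems


if __name__ == "__main__":
    for label, m in (("with mapping", MAPPING), ("without mapping", None)):
        identity, _, problems = check_claims(SAMPLE, m)
        print(label, "->", identity, problems or "OK")
```

Because the identifying value is never updated in place, a change in the returned identity between two test logins for the same person means ProjectPlace would create a new account for them.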

Supported SAML Claims

The following is the complete list of SAML Claims that are supported by ProjectPlace for populating values in a user’s profile.

Attribute Name    Required
NameID            Y
firstname         Y
lastname          Y
emailaddress      N
title             N
organization      N
department        N
mobilephone       N
homephone         N
workphone         N
streetaddress     N
streetaddress2    N
postcode          N
city              N
province          N
country           N
language          N

 

