User authentication and Identity Providers
IPS Server can do direct authentication of 'Local' type users, where the password is stored in the PlanningSpace tenant database. (See Tenant users and administrators.)
For authentication that is integrated with Windows Active Directory, the user account type 'SAML2' is provided. These user accounts are authenticated by a claims-based (OAuth2) authentication process, where a token is generated by an independent Identity Provider (IdP) server.
This topic section explains the Identity Provider architectures supported for PlanningSpace; the basic installation details can be found in the topic section Identity Provider (IdP) setup.
Important: IdP-based authentication replaces the Windows NTLM-based authentication used in previous versions of PlanningSpace. Although the 'Windows Active Directory' account type is still offered for compatibility, authentication for that type is not performed on the client side: the 'DOMAIN\username' and password credentials are passed in explicit form between client and server, and the IPS Server authenticates them against Windows Active Directory.
IdP-based authentication simplifies the login process for users because the token can be used to consume different services via the PlanningSpace application client, web browser or OData API endpoints. Additionally, SSO (Single Sign-on) can be set up for seamless login across different services.
Using IdP-based authentication, companies can easily federate with Aucerna’s cloud-hosted PlanningSpace service, and have their data managed by Aucerna. Contact sales@aucerna.com for details of these services.
The IdP is configured independently for each PlanningSpace tenant. See Identity Provider (IdP) setup for a guide to configuring an IdP server or service, and the tenant configuration.
The token issued by the IdP has a set lifetime which applies to all users (including tenant Administrators) and all API requests. The lifetime is set for each tenant by the IPS Administrator, using the 'Token lifetime' setting in the IPS Manager user interface (or it can be set using the Admin API or the IPS PowerShell module (Automation cmdlets)). To protect the PlanningSpace service from unauthorized use, the token lifetime is kept relatively short: 15 minutes (i.e. 900 seconds) is the default.
Important: If you are upgrading a PlanningSpace deployment from version 16.3 to 16.4, every 'Windows' user account in the tenant database will be automatically converted to a 16.4 'Windows Active Directory' user account. For use with IdP-based authentication, each account must be edited to have user type 'SAML2', and the username must be converted to a UPN-format username (i.e. in the form first.lastname@domain.mycompany.com).
New Windows user account information can be bulk-imported into a PlanningSpace tenant using the 'Import from CSV' function. For more information see Tenant users and administrators.
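The account conversion described above (legacy 'DOMAIN\username' names to UPN-format 'SAML2' accounts, then bulk import from CSV) is the kind of step administrators usually script. The following is an added example, not code from the PlanningSpace documentation or from Aucerna: it rewrites an exported list of accounts and emits a CSV. It assumes a NetBIOS-domain-to-DNS-domain mapping that the administrator supplies, assumes that the legacy account name's local part is already the UPN prefix (in real directories the UPN can differ from the sAMAccountName, so take the UPN from an Active Directory export where they differ), and the CSV column names 'Username' and 'UserType' are hypothetical; use the column layout documented for the tenant's 'Import from CSV' function.

```python
"""Added example (not Aucerna/PlanningSpace code): convert legacy
'DOMAIN\\username' accounts to UPN-format usernames for 'SAML2' user type
and write a CSV suitable for bulk import.

Assumptions, none of which come from the product documentation:
- DOMAIN_MAP is an administrator-supplied NetBIOS -> DNS domain mapping.
- The local part of the legacy name is the UPN prefix (not guaranteed in AD).
- The column names 'Username' and 'UserType' are hypothetical.
"""
import csv
import io
import re

# Constructed sample mapping (hypothetical domains).
DOMAIN_MAP = {"CORP": "corp.mycompany.com", "EMEA": "emea.mycompany.com"}

# Account types that still need converting after the 16.3 -> 16.4 upgrade.
LEGACY_TYPES = {"Windows", "Windows Active Directory"}

# A conservative UPN shape: local part without '@', '\\', '/' or whitespace,
# then a DNS domain with at least one dot.
UPN_RE = re.compile(r"^[^@\\/\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_upn(name: str) -> bool:
    """True if the name already has UPN format."""
    return bool(UPN_RE.match(name.strip()))


def to_upn(legacy_name: str, domain_map=DOMAIN_MAP) -> str:
    """Convert 'DOMAIN\\user' to 'user@dns.domain'.

    Names that are already UPNs pass through unchanged. Unknown domains and
    malformed names raise ValueError so they are reviewed rather than
    silently imported.
    """
    name = legacy_name.strip()
    if is_upn(name):
        return name
    if "\\" not in name:
        raise ValueError(f"not a DOMAIN\\username or UPN: {legacy_name!r}")
    netbios, _, local = name.partition("\\")
    dns_domain = domain_map.get(netbios.upper())
    if dns_domain is None:
        raise ValueError(f"unknown domain {netbios!r} in {legacy_name!r}")
    if not local or any(c in local for c in "@/\\ \t"):
        raise ValueError(f"invalid account name part in {legacy_name!r}")
    # UPNs are case-insensitive; normalise to lower case for consistency.
    return f"{local.lower()}@{dns_domain}"


def convert_accounts(rows, domain_map=DOMAIN_MAP):
    """Rewrite legacy rows to SAML2/UPN form.

    rows: iterable of dicts with at least 'Username' and 'UserType'.
    Returns (converted_rows, errors); 'Local' accounts are left untouched and
    rows that cannot be converted are reported instead of being dropped.
    """
    converted, errors = [], []
    for row in rows:
        if row.get("UserType") not in LEGACY_TYPES:
            converted.append(dict(row))
            continue
        try:
            upn = to_upn(row["Username"], domain_map)
        except ValueError as exc:
            errors.append((row["Username"], str(exc)))
            continue
        converted.append({**row, "Username": upn, "UserType": "SAML2"})
    return converted, errors


def to_csv_text(rows, fieldnames=("Username", "UserType")) -> str:
    """Serialise rows to CSV text (hypothetical column layout)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fieldnames), lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: row.get(k, "") for k in fieldnames})
    return buf.getvalue()


# Constructed sample input: what an account export might look like after the
# automatic 16.4 conversion to 'Windows Active Directory'.
SAMPLE_ROWS = [
    {"Username": "CORP\\john.smith", "UserType": "Windows Active Directory"},
    {"Username": "EMEA\\Anna.Lee", "UserType": "Windows"},
    {"Username": "svc_admin", "UserType": "Local"},
    {"Username": "OLDDOM\\bob.jones", "UserType": "Windows Active Directory"},
]

if __name__ == "__main__":
    ok, bad = convert_accounts(SAMPLE_ROWS)
    print(to_csv_text(ok))
    for name, reason in bad:
        print(f"SKIPPED {name}: {reason}")
```

Review the skipped rows before import: an unknown NetBIOS domain usually means the mapping is incomplete, and importing a guessed UPN would create an account that no IdP-issued token can ever match.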