PlanningSpace tenant IdP configuration
PAGE CONTENTS
This topic shows the settings required for the 'Identity Provider' setting for a PlanningSpace tenant, in the 'Tenants' screen of IPS Manager. Typical settings are shown for the different types of IdP.
Each tenant has an independent setting for the Identity Provider (IdP). Click the 'Configure' button to open the dialog named 'Configure SAML2'.
You will need a token (SAML) signing certificate obtained from the IdP server or service.
Import or Export metadata
Only for version 16.4 Update 1 and later: The import/export functions are not available in the initial release of 16.4 (version 16.4.0).
These functions can be accessed using the buttons in the tenant configuration dialog (see screenshot below), and simplify the IdP setup process by replacing manual typing. Use 'Export metadata' to get the service provider data (as an XML file) which needs to be loaded into your IdP server or service. Use 'Import metadata' to upload to the IPS Server the IdP settings provided as an XML file by your IdP server or service.
Configuration of PlanningSpace 'SAML2' user accounts
Every PlanningSpace user that is based on a Windows AD user account needs to have a tenant user account of type 'SAML2'.
Important: If you are upgrading a PlanningSpace deployment from version 16.3 to 16.4, every 'Windows' user account in the tenant database will be automatically converted to a 16.4 'Windows Active Directory' user account. For use with IdP-based authentication, each account requires to be edited to have user type 'SAML2' and the username must be converted to a UPN-format username (i.e. in the form first.lastname@domain.mycompany.com).
Also, it is possible to do bulk import of new Windows user account information into a PlanningSpace tenant, using the 'Import from CSV' function. For more information see Tenant users and administrators.
Configuration for an ADFS IdP
The table shows the standard settings for ADFS.
| Setting | Description |
|---|---|
| Provider name | An arbitrary friendly name for the IdP, e.g. 'ADFS' |
| Provider URL | https://ADFS.domain/adfs/services/trust |
| ACS binding | 'POST' (default setting) |
| Single sign on URL | https://ADFS.domain/adfs/ls/ |
| Single sign on binding | 'Redirect' (default setting) |
| Single logout URL | https://ADFS.domain/adfs/ls/?wa=wsignout1.0 |
| Single logout binding | 'Redirect' (default setting) |
| Username claim | Choose 'UPN' from the dropdown menu |
| Clock skew | Number of minutes time difference allowed between the IdP and IPS machine clocks ( default 3 minutes, range 1 to 60 minutes) |
| Reject unsigned assertion | Enabled (default setting) |
| Certificate | Upload the token signing certificate exported from the ADFS IdP server, in Base 64-Encoded X.509 format |
| Export metadata - Service Provider | Exports an XML file containing the SAML Service Provider metadata which is needed to configure the 'relying party trust' in the IdP server |
| Import metadata - Identity Provider | Imports an XML file that contains the Identity Provider metadata for the SAML configuration |
The following screenshot shows an example of a completed configuration in IPS Manager:
Configuration for an Azure AD IdP
The table shows the standard settings for Azure AD.
| Setting | Description |
|---|---|
| Provider name | An arbitrary friendly name for the IdP, e.g. 'AzureAD' |
| Provider URL | https://sts.windows.net/00.../ [Azure AD Identifier] |
| ACS binding | 'POST' (default setting) |
| Single sign on URL | https://login.microsoft.com/00.../wsfed [Login URL] |
| Single sign on binding | 'Redirect' (default setting) |
| Single logout URL | https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 [Logout URL] |
| Single logout binding | 'Redirect' (default setting) |
| Username claim | 'Email address' |
| Clock skew | Number of minutes time difference allowed between the IdP and IPS machine clocks (default 3 minutes, range 1 to 60 minutes) |
| Reject unsigned assertion | Enabled (default setting) |
| Certificate | Upload the SAML signing certificate exported from Azure AD, in Base 64-Encoded X.509 format |
| Export metadata - Service Provider | Exports an XML file containing the SAML Service Provider metadata which is needed to configure the Enterprise Application in Azure AD |
| Import metadata - Identity Provider | Imports an XML file that contains the Azure AD IdP metadata for the SAML configuration |
Configuration for a Citrix NetScaler IdP
The table shows the standard settings for Citrix NetScaler, assuming that there is a NetScaler server at the DNS address 'netscaler.domain.mycompany.com'.
| Setting | Description |
|---|---|
| Provider name | An arbitrary friendly name for the IdP, e.g. 'NetScaler' |
| Provider URL | https://netscaler.domain.mycompany.com |
| ACS binding | 'POST' (default setting) |
| Single sign on URL | https://netscaler.domain.mycompany.com/saml/login |
| Single sign on binding | 'Redirect' (default setting) |
| Single logout URL | https://netscaler.domain.mycompany.com/cgi/logout |
| Single logout binding | 'Redirect' (default setting) |
| Username claim | 'Name ID' (default setting) |
| Clock skew | Number of minutes time difference allowed between the IdP and IPS machine clocks (default 3 minutes, range 1 to 60 minutes) |
| Reject unsigned assertion | Enabled (default setting) |
| Certificate | Upload the SAML signing certificate exported from NetScaler, in Base 64-encoded X.509 format |