User authentication and Identity Providers
This topic section explains the types of Identity Provider (IdP) architecture which are supported for Planning Space. The IdP is configured independently (and can be different) for each Planning Space tenant.
For an implementation guide to using an IdP server or service, and the necessary tenant configuration, see Identity Provider (IdP) setup.
'SAML2' type user accounts
IPS Server can perform direct authentication of 'Local' type users, where the password is stored in the Planning Space tenant database. (See Tenant users and administrators.)
For authentication that is redirected to an external identity provider, the user account type 'SAML2' is provided. These user accounts are authenticated by a claims-based (OAuth 2.0) authentication process, where a bearer token is generated by the external identity management service or platform.
For version 16.5 Update 13 and later: The allowed authentication methods (Local, SAML2, Windows Active Directory) can be enabled or disabled for each tenant in IPS Manager (see Tenant authentication methods). If SAML2 is the only allowed authentication then login at the Planning Space screen will be bypassed.
For version 16.5 Update 1 and later: SAML-authenticated user accounts will login automatically without validation when a valid login token can be retrieved from the identity management service; the checkbox Login automatically can be used to disable/enable the automatic login function. Also the authentication function has been improved to support 'login_hint' for compatibility with Azure AD.
Important: IdP-based authentication replaces the Windows NTLM-based authentication used in previous versions of Planning Space. Although the 'Windows Active Directory' account type is offered for purposes of compatibility, authentication in that case does not use client-side authentication - it involves the 'DOMAIN\username' and password credentials being passed in explicit form between client and server, with authentication performed by the IPS Server against Windows Active Directory.
It is possible to do bulk import of SAML2 user account information into a Planning Space tenant, using the 'Import from CSV' function. For more information see Tenant users and administrators.
Automatic provisioning of SAML2 tenant user accounts
For version 16.5 Update 12 and later: Automatic provisioning of SAML2 tenant user accounts is possible based on the Identity Provider. This means that a new tenant user account can be created automatically when a user logs in to Planning Space for the first time using an account that is defined (and enabled to access Planning Space) by the Identity Provider's domain authentication services. It is also possible to externally control the Planning Space user's membership of workgroups - by editing the user's domain account the Planning Space SAML2 account will synchronize whenever the user logs in to Planning Space. For configuration details see Automatic provisioning of tenant user accounts.
Advantages of IdP-based authentication
IdP-based authentication simplifies the login process for users because the token can be used to consume different services via the Planning Space application client, web browser or OData API endpoints.
Security is improved because SAML provides a single point of authentication (the Identity Provider) which validates tokens that are secured by encryption only from trusted or specified certificates (subject to configuration).
SSO (Single Sign-on) can be set up for seamless login across different services; the steps required are outlined in the specific IdP instructions.
Note: SSO is implemented (since version 16.5) for login to the tenant webserver followed by launching of the Planning Space client application. Therefore users do not need to re-enter their credentials. The IPS service setting 'Launch Code Validity Period' determines the validity period for SSO (default is 15 seconds).
For version 16.5 Update 16 and later: Support is provided for Planning Space client logins that are initiated by the IdP server. This allows sign-ins from an IdP web portal/gateway page (which will typically display a list of available service providers), if this is supported by the IdP.
Using IdP-based authentication, companies can easily federate their user accounts management with the Quorum cloud-hosted Planning Space service. See the Planning Space Cloud Guide for more information.
Bearer Token lifetime
The token issued by the IdP has a set lifetime which applies to all users (including tenant Administrators) and for interactive access to the Planning Space application, or access using the Web API. However, in interactive access the application software performs automatic refresh of the token so long as the session is active, whereas for API access you will need to set up the code for token management/refresh yourself.
Important: If an interactive client user does not login to Planning Space using the configured Service Address (which will be the load balancer’s address for a clustered deployment) then the automated process for token refresh will fail and the user’s session will silently finish after the initial token expires; this will result in 'unexplained' errors if the user tries to continue the session. The user session must be restarted/re-authenticated to refresh the bearer token. For version 16.5 Update 7 and later: a warning message will be given to the user when the token refresh process has failed; however the user must still restart her session and re-authenticate.
The token lifetime is set for each tenant by the IPS Administrator, using the Token lifetime setting in the IPS Manager user interface (or it can be set using the Admin API or IPS PowerShell module (Automation cmdlets)).
Note: the lifetime cannot be modified by a tenant Administrator. For reasons of protecting the Planning Space service from unauthorized use, the token lifetime is set relatively short: 15 minutes (i.e., 900 seconds) is the default. The minimum lifetime setting is 5 minutes, and the maximum lifetime is 1440 minutes.