User authentication and Identity Providers

This topic section explains the types of Identity Provider (IdP) architecture which are supported for Planning Space. The IdP is configured independently (and can be different) for each Planning Space tenant.

For an implementation guide to using an IdP server or service, and the necessary tenant configuration, see Identity Provider (IdP) setup.

'SAML2' type user accounts

IPS Server can perform direct authentication of 'Local' type users, where the password is stored in the Planning Space tenant database. (See Tenant users and administrators.)

For authentication that is redirected to an external identity provider, the user account type 'SAML2' is provided. These user accounts are authenticated by a claims-based (OAuth 2.0) authentication process, in which a bearer token is generated by the external identity management service or platform. SAML-authenticated user accounts will log in automatically, without further validation, when a valid login token can be retrieved from the identity management service; the check box Login automatically can be used to enable or disable the automatic login function (the authentication function supports 'login_hint' for compatibility with Azure AD).

It is possible to do bulk import of SAML2 user account information into a Planning Space tenant, using the 'Import from CSV' function. For more information see Tenant users and administrators.

Note: The allowed authentication methods (Local, SAML2, Windows Active Directory) can be enabled or disabled for each tenant in IPS Manager (see Tenant authentication methods). If SAML2 is the only allowed authentication then login at the Planning Space screen will be bypassed.

Automatic provisioning of SAML2 tenant user accounts

Automatic provisioning of SAML2 tenant user accounts is possible based on the Identity Provider. This means that a new tenant user account can be created automatically when a user logs in to Planning Space for the first time using an account that is defined (and enabled to access Planning Space) by the Identity Provider's domain authentication services. It is also possible to control the Planning Space user's membership of workgroups externally: when the user's domain account is edited, the Planning Space SAML2 account synchronizes with it whenever the user logs in to Planning Space.

For configuration details see Automatic provisioning of tenant user accounts.

Advantages of IdP-based authentication

IdP-based authentication simplifies the login process for users because the token can be used to consume different services via the Planning Space application client, web browser or OData API endpoints.

Security is improved because SAML provides a single point of authentication (the Identity Provider), and the tokens it validates are secured by encryption using only trusted or explicitly specified certificates (subject to configuration).

SSO (Single Sign-on) can be set up for seamless login across different services; the steps required are outlined in the specific IdP instructions.

Note: SSO is implemented for login to the Planning Space tenant webserver followed by launching of the Planning Space Desktop client application. Therefore users do not need to re-enter their credentials. The IPS service setting 'Launch Code Validity Period' determines the validity period for SSO (default is 15 seconds).

Support is also provided for Planning Space client logins that are initiated by an IdP server. This allows sign-ins from an IdP web portal/gateway page, which will typically display a list of available service providers.

Bearer Token lifetime

The token issued by the IdP has a set lifetime which applies to all users (including tenant Administrators), both for interactive access to the Planning Space application and for access using the Web API. In interactive access the application software refreshes the token automatically for as long as the session is active, whereas for API access you will need to write the code for token management and refresh yourself.

Important: If an interactive client user does not log in to Planning Space using the configured Service Address (which will be the load balancer's address for a clustered deployment), the automated token refresh will fail and the user's session will silently end when the initial token expires; this results in 'unexplained' errors if the user tries to continue the session. The user session must be restarted and re-authenticated to obtain a new bearer token. A warning message is given to the user when the token refresh process has failed; however, the user must still restart her session and re-authenticate.

The token lifetime is set for each tenant by the IPS Administrator, using the Token lifetime setting in the IPS Manager user interface; it can also be set using the Admin API or the IPS PowerShell module (Automation cmdlets).

Note: The lifetime cannot be modified by a tenant Administrator. To protect the Planning Space service from unauthorized use, the token lifetime is set relatively short: 15 minutes (i.e., 900 seconds) is the default. The minimum lifetime setting is 5 minutes, and the maximum lifetime is 1440 minutes.
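The following is an added illustration of the token management a Web API client must implement itself (it is not code from the product or its documentation). It keeps a bearer token fresh within the tenant's lifetime, refuses to send requests to any host other than the configured Service Address (the failure mode described in the Important note above), and checks a proposed lifetime against the 5 to 1440 minute bounds before an Admin API or PowerShell call. The IdP token endpoint is represented by a caller-supplied fetch function that is assumed to return 'access_token' and 'expires_in' (seconds); that response shape and the hostnames are assumptions, not values from this page.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

DEFAULT_LIFETIME_SECONDS = 900        # tenant default: 15 minutes
MIN_LIFETIME_MINUTES, MAX_LIFETIME_MINUTES = 5, 1440


def validate_token_lifetime(minutes: int) -> int:
    """Apply the IPS Manager bounds before attempting to set the tenant lifetime."""
    if not MIN_LIFETIME_MINUTES <= minutes <= MAX_LIFETIME_MINUTES:
        raise ValueError(
            f"token lifetime must be {MIN_LIFETIME_MINUTES}-{MAX_LIFETIME_MINUTES} minutes, got {minutes}")
    return minutes


@dataclass
class TokenManager:
    service_address: str              # configured Service Address (load balancer URL when clustered)
    fetch_token: Callable[[], Dict]   # hypothetical IdP call returning {'access_token', 'expires_in'}
    clock: Callable[[], float] = time.time
    refresh_margin: int = 60          # refresh this many seconds before the token expires
    refresh_count: int = field(default=0, init=False)
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def _refresh(self) -> None:
        resp = self.fetch_token()
        lifetime = int(resp.get("expires_in", DEFAULT_LIFETIME_SECONDS))
        self._token = resp["access_token"]
        self._expires_at = self.clock() + lifetime
        self.refresh_count += 1

    def bearer_header(self, request_url: str) -> Dict[str, str]:
        """Return the Authorization header for request_url, refreshing the token when needed.

        A request to any host other than the Service Address is rejected up front,
        because a session on another address cannot refresh and would end silently.
        """
        expected = urlsplit(self.service_address).netloc.lower()
        if urlsplit(request_url).netloc.lower() != expected:
            raise ValueError(f"request host does not match Service Address {self.service_address}")
        if self._token is None or self.clock() >= self._expires_at - self.refresh_margin:
            self._refresh()
        return {"Authorization": f"Bearer {self._token}"}
```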