SAML2 user account

SAML2 accounts use token-based authentication, which allows users to access PlanningSpace with their corporate Windows user credentials. It is generally possible to configure single sign-on (SSO) so that users do not need to type in any credentials more than once per login session.

SAML2 accounts must be authenticated by an external identity provider (IdP) server which supports SAML2 (for example, Microsoft ADFS, Azure Active Directory, Auth0, or Okta).

Instructions

  1. Prepare a tenant service provider (SP) metadata file by downloading the template and using find-and-replace in a text editor to change TENANT to your PlanningSpace tenant name.
  2. Save and send this file to your IT Services so they can set up PlanningSpace as an SP, following the instructions in the PlanningSpace Deployment Guide (Identity Provider setup). Ask them to export the IdP metadata and token signing certificate, or provide a public metadata URL.
  3. Send the metadata file (and the certificate, if provided) to Aucerna Support (support@aucerna.com), who will upload your company IdP metadata to PlanningSpace Cloud. Note that the .xml file extension must be replaced before sending, otherwise the file will be blocked as an email attachment.
  4. SAML2 user accounts can now be created, and any Local accounts already created (except for 'Administrator') can be converted to SAML2 accounts. This requires setting each Username in UPN format (i.e., "user@company.com"; typically this is the same as the email address). To confirm a UPN in the Windows domain, type whoami /upn in a PowerShell or Command Prompt window on your computer.
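The following script is an added example of steps 1, 3 and 4 above and is not Aucerna's own tooling. It assumes the TEMPLATE string below (a constructed stand-in with placeholder URLs; the real template is the one downloaded in step 1 and may differ), that renaming the file to ".xml.txt" is an acceptable way to satisfy step 3, and that tenant names consist of lowercase letters, digits and hyphens. It replaces the placeholder, proves the result still parses as SP metadata that refers to the tenant, and checks a list of usernames for UPN format before conversion.

```python
"""Added helper for steps 1, 3 and 4 (example code, not Aucerna tooling)."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed stand-in for the template downloaded in step 1 (placeholder URLs).
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://TENANT.example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://TENANT.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

TENANT_RE = re.compile(r"^[a-z0-9-]+$")                      # assumed tenant-name alphabet
UPN_RE = re.compile(r"^[^@\s\\/]+@[^@\s\\/]+\.[^@\s\\/]+$")   # user@domain.tld


def render_sp_metadata(template: str, tenant: str) -> str:
    """Step 1: replace every TENANT placeholder and confirm the result is usable."""
    if not TENANT_RE.fullmatch(tenant):
        raise ValueError(f"unexpected characters in tenant name: {tenant!r}")
    rendered = template.replace("TENANT", tenant)
    if "TENANT" in rendered:
        raise ValueError("placeholder still present after replacement")
    root = ET.fromstring(rendered)  # raises ParseError if the edit damaged the XML
    if root.tag != MD_NS + "EntityDescriptor" or tenant not in root.attrib.get("entityID", ""):
        raise ValueError("rendered file is not SP metadata for this tenant")
    # Every ACS endpoint must point at the tenant, not at a leftover placeholder.
    for acs in root.iter(MD_NS + "AssertionConsumerService"):
        if tenant not in acs.attrib.get("Location", ""):
            raise ValueError("AssertionConsumerService does not reference the tenant")
    return rendered


def attachment_name(metadata_file: str) -> str:
    """Step 3: rename so the .xml attachment is not blocked (".xml.txt" is an assumption)."""
    p = Path(metadata_file)
    if p.suffix.lower() != ".xml":
        raise ValueError("expected a .xml metadata file")
    return p.name + ".txt"  # acme-sp-metadata.xml -> acme-sp-metadata.xml.txt


def is_upn(username: str) -> bool:
    """Step 4: UPN format (user@domain); rejects DOMAIN\\user and bare names."""
    return UPN_RE.fullmatch(username) is not None


def check_usernames(usernames):
    """Step 4 over a list of accounts: 'Administrator' is never converted."""
    result = {"valid": [], "invalid": [], "skipped": []}
    for name in usernames:
        if name == "Administrator":
            result["skipped"].append(name)
        elif is_upn(name):
            result["valid"].append(name)
        else:
            result["invalid"].append(name)
    return result


if __name__ == "__main__":
    # Usage: python sp_metadata.py <tenant> [template.xml]; falls back to the sample.
    tenant_name = sys.argv[1] if len(sys.argv) > 1 else "acme"
    source = Path(sys.argv[2]).read_text() if len(sys.argv) > 2 else TEMPLATE
    out_path = Path(attachment_name(f"{tenant_name}-sp-metadata.xml"))
    out_path.write_text(render_sp_metadata(source, tenant_name))
    print("wrote", out_path)
    print(check_usernames(["Administrator", "alice@company.com", r"COMPANY\bob"]))
```

Usernames in the invalid list (down-level DOMAIN\user names, bare sAMAccountNames) are the ones to look up with whoami /upn before converting the account.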

Bulk configuration of SAML2 user accounts

If many SAML2 user accounts need to be created or updated, this can be performed in bulk using scripts which automatically pass information between PlanningSpace and the corporate Windows domain user database.

Contact Aucerna Support for more information.

Authentication (login) flow

At login to PlanningSpace Cloud, SAML2 users enter their username (but no password) and the web browser will connect to the configured Identity Provider service (note: it may or may not be necessary to enter a password at this stage, depending on the SSO configuration).

Following successful authentication, the browser is redirected back to the tenant website in PlanningSpace Cloud.

SAML2 user accounts will log in automatically, without further validation, when a valid login token can be retrieved from the Identity Provider server. The Login automatically checkbox allows each user to enable or disable the automatic login function.

For more information on authentication flow for SAML2 users, see PlanningSpace Deployment Guide (User authentication and Identity Providers).

Automatic provisioning of SAML2 user accounts

Note: this feature requires PlanningSpace version 16.5 Update 12 or later.

Automatic provisioning of SAML2 tenant user accounts is an optional feature that is based on the Identity Provider and its domain authentication services. When auto-provisioning is active, a new tenant user account can be created automatically when a user logs in to PlanningSpace for the first time using an account that is defined by the Identity Provider's domain user services and enabled there for access to PlanningSpace.

This also enables automated synchronisation of some user account settings between PlanningSpace and the Identity Provider. This means that it is possible to perform some aspects of PlanningSpace user management externally, from the Identity Provider's domain user management system; in particular, PlanningSpace role-based access permissions can effectively be integrated with organizational role-based access control (RBAC).

For detailed information on auto-provisioning, see PlanningSpace Deployment Guide (Automatic provisioning of tenant user accounts).
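The following is an added example covering both the login flow section and the auto-provisioning section above; it is not PlanningSpace code. The entity IDs, the "groups" attribute name, the group names and the group-to-role mapping are placeholders, and the XML signature on the response is assumed to have already been verified by the SAML library against the IdP's token signing certificate. The code shows the checks a service provider makes on the response after that (it answers the request this browser started, comes from the configured IdP, is inside its validity window, and is addressed to this tenant), then the just-in-time account creation and role synchronisation those checks gate.

```python
"""Added example: SP-side response checks and just-in-time provisioning (not Aucerna code)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ENTITY_ID = "https://TENANT.example.invalid/sp"                 # placeholder
IDP_ENTITY_ID = "https://idp.example.invalid/adfs/services/trust"  # placeholder
GROUP_ATTRIBUTE = "groups"                                         # assumed claim name
ACCESS_GROUP = "PS-Users"           # hypothetical "enabled for PlanningSpace" group
GROUP_TO_ROLE = {"PS-Admins": "Administrator", "PS-Planners": "Planner"}  # hypothetical
SAMPLE_NOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)       # inside the window below

# Constructed sample response; carries no Signature element (see assumption above).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.invalid/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.invalid/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>alice@company.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://TENANT.example.invalid/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>PS-Users</saml:AttributeValue>
        <saml:AttributeValue>PS-Planners</saml:AttributeValue>
        <saml:AttributeValue>Finance-All</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC; accept the trailing 'Z' form."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, expected_request_id: str, now: datetime) -> dict:
    """Checks made after signature verification; raises ValueError on any failure."""
    root = ET.fromstring(xml_text)
    if root.attrib.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer the request this browser started")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    assertion = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != IDP_ENTITY_ID:
            raise ValueError("issuer is not the configured Identity Provider")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if not (_ts(cond.attrib["NotBefore"]) <= now < _ts(cond.attrib["NotOnOrAfter"])):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        raise ValueError("NameID is missing or not in UPN format")
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.attrib.get("Name") == GROUP_ATTRIBUTE:
            groups += [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"upn": name_id.text, "groups": groups}


def provision(store: dict, claims: dict) -> dict:
    """Just-in-time provisioning: create on first login, resync roles on every login."""
    if ACCESS_GROUP not in claims["groups"]:
        raise ValueError("user is not enabled for this application at the IdP")
    # Deny by default: only mapped groups grant roles; unknown groups grant nothing.
    roles = sorted(GROUP_TO_ROLE[g] for g in claims["groups"] if g in GROUP_TO_ROLE)
    account = store.setdefault(claims["upn"], {"username": claims["upn"], "type": "SAML2"})
    account["roles"] = roles
    return account


def login(xml_text: str, expected_request_id: str, now: datetime, store: dict) -> dict:
    """End of the login flow: validate, then provision or sync; never raises."""
    try:
        account = provision(store, validate_response(xml_text, expected_request_id, now))
    except (ValueError, KeyError, ET.ParseError) as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "account": account}


if __name__ == "__main__":
    accounts = {}
    print(login(SAMPLE_RESPONSE, "_req1", SAMPLE_NOW, accounts))               # provisioned
    print(login(SAMPLE_RESPONSE, "_req1", _ts("2024-01-01T01:00:00Z"), accounts))  # expired
```

The store is keyed by UPN, which is why step 4 of the instructions requires usernames in that format: the NameID the IdP returns is what the first login is matched against. Roles are recomputed on every login, so removing a user from a mapped group at the IdP takes effect at their next sign-in without any change inside the application.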