
Workday Adaptive Planning Knowledge Center

SAML SSO MS-AD FS 2.0

Explains how to configure Adaptive Planning to accept SAML SSO tokens from your instance of Microsoft Active Directory Federation Services 2.0 (AD FS 2.0). Your instance of AD FS is the identity provider and Adaptive Planning is the service provider. After completing these steps, you will have configured an identity-provider-initiated SSO login from your AD FS 2.0 instance to Adaptive Planning.

Prerequisites

  • A machine that:
    • Has Windows Server 2008 R2 and AD FS 2.0 installed
    • Has the AD FS 2.0 Rollup 2 hotfix installed and the usage of the RelayState parameter enabled. See The AD FS 2.0 Rollup 2 Hotfix for details.
    • Is included within a domain
  • An Adaptive Planning account with administrative permissions
  • A confirmation email from Adaptive Planning stating that SAML has been provisioned on your Adaptive Planning instance
  • A token-signing certificate verified by a certification authority.

To export the MS AD FS token signing certificate:

  1. Go to MS AD FS Management Console > Service > Certificates.

  2. Right-click Token-Signing in the certificates list and click View Certificate.

  3. Go to the Details tab and click Copy to File…

  4. When the Certificate Export Wizard appears, click Next.

  5. Select DER encoded binary X.509 (.cer), and click Next.

  6. Select a directory to save the file and give it a name, and click Next.

  7. Click Finish.
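The export wizard steps above can also be done from PowerShell on the AD FS server, which additionally records the Federation Service Identifier you will need later as the Identity provider Entity ID and flags a certificate that is near expiry. This is an added example, not from the Knowledge Center page or from Workday; it assumes the AD FS 2.0 PowerShell snap-in, an elevated session on the AD FS server, and an output directory of your choice ($outDir below is a placeholder).

```powershell
# Added example (not from the page): export the AD FS 2.0 token-signing certificate
# and collect the identity-provider values Adaptive Planning will ask for.
# Assumed: run elevated on the AD FS 2.0 server; $outDir is a path you choose.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$outDir = 'C:\adfs-export'   # assumed output directory (placeholder)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# The Federation Service Identifier is the "Identity provider Entity ID" value.
$props = Get-ADFSProperties
"Identity provider Entity ID : $($props.Identifier)"
"AutoCertificateRollover     : $($props.AutoCertificateRollover)"

# Only the *primary* token-signing certificate signs SAML responses right now;
# a secondary one (if present) is the certificate AD FS will roll over to.
$signing = Get-ADFSCertificate -CertificateType Token-Signing
foreach ($entry in $signing) {
    $cert = $entry.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2
    $role = if ($entry.IsPrimary) { 'primary' } else { 'secondary' }
    "{0,-9} thumbprint={1} issuer='{2}' notAfter={3:yyyy-MM-dd}" -f $role, $cert.Thumbprint, $cert.Issuer, $cert.NotAfter

    # X509ContentType::Cert writes the DER-encoded public certificate only (no private key),
    # the same format as "DER encoded binary X.509 (.cer)" in the export wizard.
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $file = Join-Path $outDir ("adfs-token-signing-{0}-{1}.cer" -f $role, $cert.Thumbprint)
    [System.IO.File]::WriteAllBytes($file, $der)
    "  written: $file"
}

# Check: the certificate the service provider trusts must not be close to expiry.
# With AutoCertificateRollover enabled, AD FS generates a new secondary certificate
# before expiry and later promotes it; that new certificate also has to be uploaded
# to Adaptive Planning, otherwise SAML logins fail signature validation.
$primary = ($signing | Where-Object { $_.IsPrimary }).Certificate
if ($primary.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Primary token-signing certificate expires on $($primary.NotAfter); plan the rollover."
}
```

Upload the file written for the primary certificate in the Identity Provider Certificate field later in this document; keep the secondary export so it can be uploaded when the rollover happens.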

This document uses ADFS_HOST as a placeholder for the AD FS web site address. Replace it with the address of your AD FS 2.0 web site.

The AD FS 2.0 Rollup 2 Hotfix

If you have not already installed the hotfix, go here:

http://support.microsoft.com/kb/2681584 

After installing the hotfix, enable the usage of the RelayState parameter in identity-provider-initiated SSO:

  1. Open the inetpub\adfs\ls\web.config file in an editor.

  2. Locate the section beginning with <microsoft.identityServer.web>

  3. Add this line to that section:
    <useRelayStateForIdpInitiatedSignOn enabled="true" />

  4. Save the file.
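The same web.config change, made from PowerShell so that it is backed up first and is safe to run twice. This is an added example, not from the page; it assumes the default AD FS 2.0 install path under inetpub and an elevated session on the AD FS server.

```powershell
# Added example (not from the page): enable RelayState for IdP-initiated sign-on in
# the AD FS 2.0 web.config, with a backup and without duplicating the element.
# Assumed: default install path; run elevated on the AD FS server.
$webConfig = Join-Path $env:SystemDrive 'inetpub\adfs\ls\web.config'
$backup    = "$webConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $webConfig -Destination $backup

[xml]$config = Get-Content -Path $webConfig
$section = $config.SelectSingleNode('/configuration/microsoft.identityServer.web')
if ($null -eq $section) {
    throw "Section <microsoft.identityServer.web> not found in $webConfig (is the Rollup 2 hotfix installed?)"
}

# Reuse the element if a previous edit already added it; otherwise create it.
$node = $section.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')
if ($null -eq $node) {
    $node = $config.CreateElement('useRelayStateForIdpInitiatedSignOn')
    [void]$section.AppendChild($node)
}
$node.SetAttribute('enabled', 'true')
$config.Save($webConfig)

# Read the saved file back and confirm the attribute; ASP.NET reloads the
# application automatically when web.config changes.
$saved = [xml](Get-Content -Path $webConfig)
$saved.SelectSingleNode('/configuration/microsoft.identityServer.web/useRelayStateForIdpInitiatedSignOn').enabled
```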

Configure Adaptive Planning as a Relying Party

A relying party is a web application or web service that relies on claims, which are extracted from tokens issued by an STS (Security Token Service). Adaptive Planning is the relying party and your AD FS 2.0 instance is an STS.

  1. Navigate to the AD FS 2.0 Management console.

  2. Click AD FS 2.0 and expand Trust Relationships.

  3. Right-click Relying Party Trusts and click Add Relying Party Trust.

  4. On the Select Data Source page, select Enter data about the relying party manually, and click Next.

  5. Specify any appropriate name for the display name (for example, AdaptivePlanning), enter any notes, and click Next.

  6. Select AD FS 2.0 Profile.

  7. Skip the Configure Certificate step.

  8. Have the Adaptive Planning SSO URL ready; you get it from the SAML Settings screen in Adaptive Planning.

  9. On the Configure Identifiers page, enter the URL from the SAML Settings screen in Planning as the identifier and click Add.

  10. On the next page, select Permit all users access to this relying party, or select Deny if you want to assign this application to specific users later. Click Next.

  11. On the Ready to Add Trust page, click Next.

  12. On the Finish page, clear Open the Edit Claims Rules dialog for this relying party trust when the wizard closes, and click Close.

Configuring Claim Rules

You will create some sample claim rules. You can modify the claim rules to satisfy your requirements for SAML authentication.

Sample Claim Rule #1

In this claim rule, the Email-Address value of a user will be sent as an attribute statement in the SAML response. You can use any LDAP attribute in the SAML token as long as that attribute uniquely identifies each user. Similarly, for the Outgoing Claim Type, choose one from the list or type in the name.

  1. Right-click the AdaptivePlanning entry in the Relying Party Trusts list and select Edit Claim Rules.

  2. Click Add Rule from the Issuance Transform Rules tab.

  3. Select Send LDAP Attribute as Claims from Claim Rule template drop-down.

  4. Click Next.

  5. Give the claim a name like Email as Claim.

  6. Set the Attribute Store field to Active Directory, the LDAP Attribute to Email-Addresses, and the Outgoing Claim Type to Email Address.

  7. Click Finish.

Sample Claim Rule #2

In this claim rule, we will send the email address configured in Claim Rule #1 as the NameID of the subject.

  1. Click Add Rule.

  2. Select Transform an Incoming Claim as the claim rule template to use.

  3. Give it a name. In this example, we are using Email Address to Name ID.

  4. The incoming claim type should be E-mail Address (or, more generally, it must match the outgoing claim type used in Sample Claim Rule #1).

  5. Set Outgoing claim type to Name ID and Outgoing name ID format to Email.

  6. Select Pass through all claim values.

  7. Click Finish.

This rule will send the E-mail-Address value of a user as the NameID of the subject with the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
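Both sample rules can be expressed in the AD FS claim rule language and applied with the AD FS 2.0 PowerShell snap-in; the text below is what the two wizard templates (Send LDAP Attribute as Claims, Transform an Incoming Claim) produce for the settings given above. This is an added example, not from the page or from Workday; it assumes the relying party trust is named AdaptivePlanning as in this document, and the uniqueness check at the end assumes the ActiveDirectory module is available (Windows Server 2008 R2 ships it).

```powershell
# Added example (not from the page): Sample Claim Rule #1 and #2 in claim rule
# language, set on the relying party trust. Assumed trust name: AdaptivePlanning.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = 'AdaptivePlanning'

# Sample Claim Rule #1 (Send LDAP Attribute as Claims): look up the authenticated
# Windows account in Active Directory and issue its E-Mail-Addresses attribute
# (LDAP name "mail") as an E-mail Address claim.
$rule1 = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email as Claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Sample Claim Rule #2 (Transform an Incoming Claim): re-issue the E-mail Address
# claim as the SAML subject NameID in the emailAddress format.
$rule2 = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Order matters: rule 2 consumes the claim that rule 1 issues.
# This replaces the trust's whole issuance transform rule set.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($rule1 + "`r`n" + $rule2)

# Read back what is stored on the trust (also the way to inspect wizard-made rules).
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules

# The mail attribute becomes the user identifier at the service provider, so it must
# be unique: two AD accounts sharing one address would both map to the same
# Adaptive Planning user. Constructed check using the ActiveDirectory module.
Import-Module ActiveDirectory
$dupes = Get-ADUser -LDAPFilter '(mail=*)' -Properties mail |
    Group-Object -Property mail | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    Write-Warning ("Duplicate mail values: " + (($dupes | ForEach-Object { $_.Name }) -join ', '))
}
```

If you use a different LDAP attribute in rule 1, change the `query` part (`;mail;{0}`) to that attribute's LDAP name and adjust the claim type URI in both rules so that rule 2's incoming type still matches rule 1's outgoing type.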

Setting up AD FS as Identity Provider in Adaptive Planning

In this section, you will configure your Adaptive Planning instance to accept SAML/SSO tokens from your AD FS 2.0 installation. The steps in this section use the sample claim rules described above; if you have created different rules, you will need to alter these instructions accordingly.

  1. Log in to your Adaptive Planning instance as a user with User Administrator permissions.

  2. Go to Admin > Manage SAML SSO Settings.

  3. Enter the following settings:

    1. Identity provider name: Enter your AD FS 2.0 server name here.

    2. Identity provider Entity ID: Enter the value found on the FS Server's AD FS 2.0 Management Console.
      To find this, right-click Service, click Edit Federation Services Properties, and copy the value from Federation Service Identifier field.

    3. Identity provider single sign-on URL: Enter the AD FS sign-on URL, which is the URL on the MS AD FS side used to log in directly to Adaptive Planning. It has the form https://ADFS_HOST/adfs/ls

    4. Custom logout URL: Optional. Enter a URL to load when the user clicks Logout in Adaptive Planning.
      If no URL is specified, the Adaptive Planning login page is used.

    5. Identity Provider Certificate: Select the certificate file included in Prerequisites.

    6. SAML user ID type: Select the user's federation ID.
      If you set up your claim rule to use the user’s email address and that address is the same as the login field on the user’s profile, you can select User's Adaptive Planning user name for SAML User ID.

    7. SAML user ID location: If you only configured Sample Claim Rule #1 in the claim rules of the relying party, then select User ID in Attribute.
      If you configured Sample Claim Rule #2, then select User ID for NameID of Subject.

    8. SAML attribute and SAML NameID format: You only need to enter one of these. If you only configured Sample Claim Rule #1, fill in the SAML attribute field with the outgoing claim type from Sample Claim Rule #1 and leave the SAML NameID format field blank.
      If you configured both sample claim rules, you can skip the SAML attribute field and fill in the SAML NameID field with the outgoing name ID format from Sample Claim Rule #2 (Email).

    9. Enable SAML: Select Not Enabled (this is the default value). After testing the configuration, return to this screen and enable SAML for other users.

  4. Click Save.
    The Adaptive Planning Admin Overview page will load.

  5. Go back to the Manage SAML SSO Settings page to verify that the settings were saved successfully. Specifically, verify the issuer and validity of the identity provider certificate.

  6. Look for Adaptive Planning SSO URL at the bottom of the page, and copy the entire string value. Save this value as you will need it in the next section. For example:

https://login.adaptiveplanning.com:443/samlsso/VkdHUKVFTkNPQURGU0MzNA--

Complete the Configuration of the AD FS Relying Party

You will complete the AD FS relying party setup, which you started in Configure Adaptive Planning as a Relying Party.

  1. Navigate back to your AD FS 2.0 administration console.

  2. Right-click AdaptivePlanning in the Relying Party Trusts list and select Properties.

  3. Click the Endpoints tab and click Add.

  4. Set Endpoint Type to SAML Assertion Consumer.

  5. Set Binding to POST.

  6. Paste the value of the Adaptive Planning SSO URL, which you copied in Step 6 of Setting up AD FS as Identity Provider in Adaptive Planning, into the URL field.

  7. Click OK and click Apply in the properties dialog.
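The endpoint can also be added from PowerShell, and doing so is a convenient place to review the trust's security-relevant settings before testing. This is an added example, not from the page or from Workday; it assumes the trust name AdaptivePlanning, and the $acsUrl value is a placeholder for the Adaptive Planning SSO URL you copied (not a real instance URL).

```powershell
# Added example (not from the page): add the Adaptive Planning assertion consumer
# endpoint to the relying party trust and review the trust afterwards.
# Assumed: trust name AdaptivePlanning; $acsUrl is a placeholder for your SSO URL.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = 'AdaptivePlanning'
$acsUrl = 'https://login.adaptiveplanning.com:443/samlsso/PLACEHOLDER'   # paste your copied value

# Endpoint type "SAML Assertion Consumer" with binding POST, as on the Endpoints tab.
# -SamlEndpoint replaces the trust's existing SAML endpoints, so pass all of them
# if the trust already has others.
$ep = New-ADFSSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST -Uri $acsUrl -Index 0
Set-ADFSRelyingPartyTrust -TargetName $rpName -SamlEndpoint $ep

# Review the trust: the identifier must be exactly the URL entered on the
# Configure Identifiers page, and the ACS endpoint must be HTTPS so the signed
# assertion (which logs the user in) is never posted over a clear-text channel.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
"Identifier(s)       : " + ($rp.Identifier -join ', ')
"SAML endpoints      : " + (($rp.SamlEndpoints | ForEach-Object { "$($_.Protocol)/$($_.Binding) $($_.Location)" }) -join '; ')
"Signature algorithm : " + $rp.SignatureAlgorithm
"Encryption cert set : " + ($null -ne $rp.EncryptionCertificate)

foreach ($e in $rp.SamlEndpoints) {
    if ($e.Location.Scheme -ne 'https') {
        Write-Warning "Endpoint $($e.Location) is not HTTPS; assertions would be posted in the clear."
    }
}
```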

Test the Setup

Test the SAML SSO login from AD FS 2.0 into Adaptive Planning.

  1. Select a user on the AD FS and on Adaptive Planning. The Adaptive Planning user must have SAML Admin permission.

  2. Enter the email address (or the LDAP attribute selected in Claim Rule #1) in AD FS for that user.

  3. From Adaptive Planning, enter the email address (possibly the same value) in the SAML Federation ID field for the user on the Administration > Users page and click Submit.

  4. Log on to a computer that is part of the Active Directory domain as that AD FS user.

  5. Within a web browser on that computer, go to https://login.adaptiveinsights.com/app

  6. If everything is configured correctly, you will be redirected to the Adaptive Planning welcome page. Enter the username but leave the password field blank on the login page. Click Submit.

After successfully testing your setup, enable SAML SSO for your users. See Enabling SAML SSO for all Users in Adaptive Planning.

Logging in to Excel Interface for Planning and Office Connect using SAML SSO

Once SAML SSO has been successfully configured and tested, Excel Interface for Planning and OfficeConnect users only need to provide their usernames in the login form. Leave the password field blank.
