Workday Adaptive Planning KB


Explains how to configure Adaptive Insights to accept SAML SSO tokens from your instance of Microsoft Active Directory Federation Services 2.0 (AD FS 2.0). Your instance of AD FS is the identity provider and Adaptive Insights is the service provider. After completing these steps, you will have configured an identity-provider-initiated SSO login from your AD FS 2.0 instance to Adaptive Insights.


  • A machine that:
    • Has Windows Server 2008 R2 and AD FS 2.0 installed
    • Has the AD FS 2.0 Rollup 2 hotfix installed and the usage of the RelayState parameter enabled. See The AD FS 2.0 Rollup 2 Hotfix for more.
    • Is included within a domain
  • An Adaptive Insights account with administrative permissions
  • A confirmation email from Adaptive Insights stating that SAML has been provisioned on your Adaptive Insights instance
  • A certification authority verified token signing certificate.

To export the MS AD FS token signing certificate:

  1. Go to MS AD FS Management Console > Service > Certificates.

  2. Right-click Token-Signing in the certificates list and click View Certificate.

  3. Go to the Details tab and click Copy to File…

  4. When the Certificate Export Wizard appears, click Next.

  5. Select DER encoded binary X.509 (.cer), and click Next.

  6. Select a directory to save the file and give it a name, and click Next.

  7. Click Finish.

This document uses ADFS_HOST as a placeholder in text to refer to the AD FS website. Replace that with your AD FS 2.0 Web site address. 

The AD FS 2.0 Rollup 2 Hotfix

If you have not already installed the hotfix, go here: 

After installing the hotfix, enable use of the RelayState parameter for identity-provider-initiated SSO:

  1. Open the inetpub\adfs\ls\web.config file in an editor.

  2. Locate the section beginning with <microsoft.identityServer.web>

  3. Add this line to that section:
    <useRelayStateForIdpInitiatedSignOn enabled="true" />

  4. Save the file.
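
The same edit can be scripted so that it is repeatable and leaves a backup. The PowerShell below is an added example, not part of the original article; it assumes the IIS root is C:\inetpub (change `$ConfigPath` otherwise).

```powershell
# Added example: enable RelayState for IdP-initiated sign-on in the AD FS 2.0 web.config.
# Assumption: the IIS root is C:\inetpub; pass -ConfigPath if your install differs.
param(
    [string]$ConfigPath = 'C:\inetpub\adfs\ls\web.config'
)

$ErrorActionPreference = 'Stop'

$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true          # keep the file's existing layout
$cfg.Load($ConfigPath)

$section = $cfg.SelectSingleNode('//microsoft.identityServer.web')
if ($null -eq $section) {
    throw "No <microsoft.identityServer.web> section found in $ConfigPath"
}

$setting = $section.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')
if ($null -ne $setting -and $setting.GetAttribute('enabled') -eq 'true') {
    Write-Output 'useRelayStateForIdpInitiatedSignOn is already enabled; nothing to change.'
    return
}

# Keep a timestamped copy so the change can be reverted.
$backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $ConfigPath, (Get-Date)
Copy-Item -Path $ConfigPath -Destination $backup

if ($null -eq $setting) {
    $setting = $cfg.CreateElement('useRelayStateForIdpInitiatedSignOn')
    [void]$section.AppendChild($setting)
}
$setting.SetAttribute('enabled', 'true')
$cfg.Save($ConfigPath)

Write-Output "Enabled useRelayStateForIdpInitiatedSignOn; backup written to $backup"
```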

Configure Adaptive Insights as a Relying Party

A relying party is a web application or web service that relies on claims, which are extracted from tokens issued by an STS (Security Token Service). Adaptive Insights is the relying party and your AD FS 2.0 instance is an STS.

  1. Navigate to the AD FS 2.0 Management console.

  2. Click AD FS 2.0 and expand Trust Relationships.

  3. Right-click Relying Party Trusts and click Add Relying Party Trust.

  4. On the Select Data Source page, select Enter data about the relying party manually, and click Next.

  5. Specify any appropriate name for the display name (for example, AdaptiveInsights), enter the notes if any and click Next.

  6. Select AD FS 2.0 Profile.

  7. Skip the Configure Certificate step.

  8. Set up the Adaptive Insights SSO URL, which you will get from the SAML Settings screen.

  9. On the Configure Identifiers page, enter the URL from the SAML Settings screen in Planning as the identifier and click Add.

  10. On the next page, select Permit all users to access this relying party, or select Deny if you want to assign this application to specific users later, and click Next.

  11. On the Ready to Add Trust page, click Next.

  12. On the Finish page, clear Open the Edit Claims Rules dialog for this relying party trust when the wizard closes, and click Close.

Configuring Claim Rules

You will create some sample claim rules. You can modify the claim rules to satisfy your requirements for SAML authentication.

Sample Claim Rule #1

In this claim rule, the Email-Address value of a user will be sent as an attribute statement in the SAML response. You can use any LDAP attribute in the SAML token as long as that attribute uniquely identifies each user. Similarly, for the Outgoing Claim Type, choose one from the list or type in the name.

  1. Right-click the AdaptiveInsights entry in the Relying Party Trusts list and select Edit Claim Rules.

  2. Click Add Rule from the Issuance Transform Rules tab.

  3. Select Send LDAP Attribute as Claims from Claim Rule template drop-down.

  4. Click Next.

  5. Give the claim a name like Email as Claim.

  6. Set the Attribute Store field to Active Directory, the LDAP Attribute to Email-Addresses, and the Outgoing Claim Type to Email Address.

  7. Click Finish.

Sample Claim Rule #2

In this claim rule, we will send the email address configured in Claim Rule #1 as the NameID of the subject.

  1. Click Add Rule.

  2. Select Transform an Incoming Claim as the claim rule template to use.

  3. Give it a name. In this example, we are using Email Address to Name ID.

  4. The incoming claim type should be E-mail Address (or it must match the outgoing claim type used in Sample Claim Rule #1).

  5. Set Outgoing claim type to Name ID and Outgoing name ID format to Email.

  6. Select Pass through all claim values.

  7. Click Finish.

This rule will send the E-mail-Address value of a user as the NameID of the subject with the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

Setting up AD FS as Identity Provider in Adaptive Insights

In this section, you will configure your Adaptive Insights instance to accept SAML/SSO tokens from your AD FS 2.0 installation. The steps in this section use the sample claim rules described above; if you have created different rules, you will need to alter these instructions accordingly.

  1. Log in to your Adaptive instance as a user with User Administrator permissions.

  2. Go to Admin > Manage SAML SSO Settings.

  3. Enter the following settings:

    1. Identity provider name: Enter your AD FS 2.0 server name here.

    2. Identity provider Entity ID: Enter the value found on the FS Server's AD FS 2.0 Management Console.
      To find this, right-click Service, click Edit Federation Services Properties, and copy the value from Federation Service Identifier field.

    3. Identity provider single sign-on URL: Enter a URL similar to https://ADFS_HOST/adfs/ls (this is the URL on the MS AD FS side used to log in directly to Adaptive Insights).

    4. Custom logout URL: Optional. Enter a URL to load when the user clicks Logout from Adaptive Insights.
      If a URL is not specified, the Adaptive Insights login page will be used.

    5. Identity Provider Certificate: Select the certificate file included in Prerequisites.

    6. SAML user ID type: Select the user's federation id.
      If you set up your claim rule to use the user’s email address and that address is the same as the login field on the user’s profile, you can select User's Adaptive Insights user name for SAML User ID.

    7. SAML user ID location: If you only configured Sample Claim Rule #1 in the claim rules of the relying party, then select User ID in Attribute.
      If you configured Sample Claim Rule #2, then select User ID for NameID of Subject.

    8. SAML attribute and SAML NameID format: You only need to enter one of these. If you only configured Sample Claim Rule #1, fill in the SAML attribute field with the outgoing claim type from Sample Claim Rule #1 and leave the SAML NameID format field blank.
      If you configured both sample claim rules, you can skip the SAML attribute field and fill in the SAML NameID field with the outgoing name ID format from Sample Claim Rule #2 (Email).

    9. Enable SAML: Select Not Enabled (this is the default value). After testing the configuration, return to this screen and enable SAML for other users.

  4. Click Save.
    The Adaptive Insights Admin Overview page will load.

  5. Go back to the Manage SAML SSO Settings page to verify that the settings were saved successfully. Specifically, verify the issuer and validity of the identity provider certificate.

  6. Look for Adaptive Insights SSO URL at the bottom of the page, and copy the entire string value. Save this value as you will need it in the next section.
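
To check the certificate exported in the export steps earlier, and the issuer and validity that step 5 asks you to verify, the file can be inspected on the AD FS server before and after uploading it. This PowerShell is an added example, not part of the original article; `$CerPath` is a hypothetical location for the exported .cer file.

```powershell
# Added example: inspect the exported token-signing certificate and compare it with
# the certificate AD FS is currently signing with.
# Assumptions: $CerPath is where the export wizard saved the DER .cer file, and the
# script runs on the AD FS 2.0 server (Microsoft.Adfs.PowerShell snap-in available).
param(
    [string]$CerPath = 'C:\Temp\adfs-token-signing.cer'   # hypothetical path
)

$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$now = Get-Date

$report = New-Object PSObject -Property @{
    Subject    = $exported.Subject
    Issuer     = $exported.Issuer
    NotBefore  = $exported.NotBefore
    NotAfter   = $exported.NotAfter
    Thumbprint = $exported.Thumbprint
    SelfSigned = ($exported.Subject -eq $exported.Issuer)
    InValidity = ($now -ge $exported.NotBefore -and $now -le $exported.NotAfter)
    DaysLeft   = [int](($exported.NotAfter - $now).TotalDays)
}
$report | Format-List

# The uploaded file must be the certificate AD FS actually signs tokens with.
$primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($primary.Thumbprint -ne $exported.Thumbprint) {
    Write-Warning "Exported file does not match the primary token-signing certificate ($($primary.Thumbprint))."
}
if (-not $report.InValidity) {
    Write-Warning 'Certificate is outside its validity period.'
}
if ($report.SelfSigned) {
    Write-Warning 'Certificate is self-signed; the prerequisites call for a CA-verified certificate.'
}
```

Compare the Issuer, validity dates and thumbprint printed here with what the Manage SAML SSO Settings page shows after saving.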

Complete the Configuration of the AD FS Relying Party

You will complete the AD FS relying party setup, which you started in Configure Adaptive Insights as a Relying Party.

  1. Navigate back to your AD FS 2.0 administration console.

  2. Right-click AdaptiveInsights in the Relying Party Trusts list and select Properties.

  3. Click the Endpoints tab and click Add.

  4. Set Endpoint Type to SAML Assertion Consumer.

  5. Set Binding to POST.

  6. Paste the value of the Adaptive Insights SSO URL, which you copied in Step 6 of Setting up AD FS as Identity Provider in Adaptive Insights, into the URL field.

  7. Click OK and click Apply in the properties dialog.

Test the Setup

You must test the SAML - SSO login from AD FS 2.0 into Adaptive Insights.

  1. Select a user on the AD FS and on Adaptive Insights. The Adaptive Insights user must have SAML Admin permission.

  2. Enter the email address (or the LDAP attribute selected in Claim Rule #1) in AD FS for that user.

  3. In Adaptive Insights, enter the email address (possibly the same value) in the SAML Federation ID field for the user on the Administration > Users page and click Submit.

  4. Log that AD FS user into a computer that is part of the Active Directory domain.

  5. Within a web browser on that computer, go to

  6. If everything is configured correctly, you will be redirected to the Adaptive Insights welcome page. Enter the username but leave the password field blank on the login page. Click Submit.

After successfully testing your setup, enable SAML SSO for your users. See Enabling SAML SSO for all Users in Adaptive Insights.
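
When checking a test login, it helps to confirm that the SAML response carries the user identifier in the place selected under SAML user ID location (NameID of the subject or an attribute). The PowerShell below is an added example, not part of the original article; the XML is a constructed sample with placeholder host names and values, and signature elements are omitted.

```powershell
# Added example: show where the user identifier sits in a SAML response.
# The XML is a constructed sample (not captured traffic); hosts and addresses are placeholders.
# For a real response, Base64-decode the SAMLResponse form field first:
#   $raw = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($samlResponseField))
$raw = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Destination="https://sp.example.invalid/sso">
  <saml:Issuer>http://ADFS_HOST/adfs/services/trust</saml:Issuer>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.invalid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

$doc = New-Object System.Xml.XmlDocument
$doc.LoadXml($raw)
$ns = New-Object System.Xml.XmlNamespaceManager $doc.NameTable
$ns.AddNamespace('p', 'urn:oasis:names:tc:SAML:2.0:protocol')
$ns.AddNamespace('a', 'urn:oasis:names:tc:SAML:2.0:assertion')

$nameId = $doc.SelectSingleNode('/p:Response/a:Assertion/a:Subject/a:NameID', $ns)
$attrs  = $doc.SelectNodes('/p:Response/a:Assertion/a:AttributeStatement/a:Attribute', $ns)

# Destination should equal the Adaptive Insights SSO URL; Issuer should equal the
# Identity provider Entity ID entered in Manage SAML SSO Settings.
"Destination : " + $doc.DocumentElement.GetAttribute('Destination')
"Issuer      : " + $doc.SelectSingleNode('/p:Response/a:Issuer', $ns).InnerText
if ($null -ne $nameId) {
    "NameID      : {0} (Format={1})" -f $nameId.InnerText, $nameId.GetAttribute('Format')
} else {
    'NameID      : absent (the "User ID for NameID of Subject" setting needs one)'
}
foreach ($a in $attrs) {
    "Attribute   : {0} = {1}" -f $a.GetAttribute('Name'), $a.InnerText
}
```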

Logging in to Excel Interface for Planning and Office Connect using SAML SSO

Once SAML SSO has been successfully configured and tested, Excel Interface for Planning and OfficeConnect users only need to provide their usernames in the login form. Leave the password field blank.

Excel Interface for Planning or Adaptive Office Connect - Logging in with SAML SSO enabled