

Workday Adaptive Planning Knowledge Center

Steps: Configure SAML SSO Using MS-AD FS 3.0

This article provides instructions for configuring Adaptive Planning to accept SAML SSO tokens from your instance of Microsoft Active Directory Federation Services 3.0 (MS AD FS 3.0). In SAML terms, your instance of MS AD FS is an identity provider and Adaptive Planning is a service provider. After completing these steps, you will have configured an identity-provider-initiated SSO login from your MS AD FS 3.0 instance to Adaptive Planning.


Prerequisites

  • A computer that:
    • Has Windows Server 2008 R2 or RelayState parameter enabled. See MS AD FS 3.0 RelayState for more information.
    • Is included within a domain
  • An Adaptive Planning account with administrative permissions
  • A confirmation email from Adaptive Planning stating that SAML has been provisioned on your instance
  • A certification authority verified token signing certificate

To export the MS AD FS token signing certificate:

  1. Go to MS AD FS Management Console > Service > Certificates.
  2. Right-click Token-Signing in the certificates list, then click View Certificate. 

  3. Go to the Details tab and click Copy to File...

  4. When the Certificate Export Wizard appears, click Next.

  5. Select DER encoded binary X.509 (.cer), and click Next.

  6. Select a directory to save the file, name it, and click Next.

  7. Click Finish.

This document uses ADFS_HOST as a placeholder in text to refer to the MS AD FS website. Replace that with your MS AD FS 3.0 Web site address. The screenshots show the address of the test server.

MS AD FS 3.0 RelayState

Enable RelayState for identity-provider-initiated SSO by following these steps:

  1. For ADFS 3.0, open the following file in Notepad:

  2. In the microsoft.identityServer.web section, add a line for useRelayStateForIdpInitiatedSignOn as follows, and save the change:



    <useRelayStateForIdpInitiatedSignOn enabled="true" />


  3. Save the file.

  4. Restart the Active Directory Federation Services (adfssrv) service.

Configuring Adaptive Planning as a Relying Party

A relying party is a web application or web service that relies on claims, which are extracted from tokens issued by an STS (Security Token Service). Adaptive Planning is the relying party and your MS AD FS 3.0 instance is an STS.

  1. Navigate to the MS AD FS 3.0 Management console.

  2. Click MS AD FS 3.0 and expand Trust Relationships.

  3. Right-click Relying Party Trusts and click Add Relying Party Trust.

  4. On the Select Data Source page, select Enter data about the relying party manually, and click Next.

  5. Specify any appropriate name for the display name. Example: AdaptivePlanning. Enter any notes and click Next.

  6. Select AD FS profile.

  7. Skip the Configure Certificate step.

  8. Set up the Adaptive Planning SSO URL (which you will get from the SAML Settings screen in Planning).

  9. On the Configure Identifiers page, enter the URL from the SAML Settings screen in Planning as the identifier and click Add.

  10. On the next page, select Permit all users access to this relying party (select Deny if you want to assign this application to specific users later) and click Next.

  11. On the Ready to Add Trust page, click Next.

  12. On the Finish page, clear Open the Edit Claims Rules dialog for this relying party trust when the wizard closes, and click Close.

Configuring Claim Rules

You will create some sample claim rules. You can choose to change the claim rules to satisfy your requirements for SAML authentication.

Sample Claim Rule #1

In this claim rule, the Email-Address value of a user will be sent as an attribute statement in the SAML response. You can use any LDAP attribute in the SAML token as long as that attribute uniquely identifies each user. Similarly, for the Outgoing Claim Type, choose one from the list or type in the name.

  1. Right-click the AdaptivePlanning entry in the Relying Party Trusts list and select Edit Claim Rules.

  2. Click Add Rule from the Issuance Transform Rules tab.

  3. Select Send LDAP Attribute as Claims from the Claim Rule template drop-down.

  4. Click Next.

  5. Give the claim a name like Email as Claim.

  6. Set the Attribute Store field to Active Directory, the LDAP Attribute to Email-Addresses, and the Outgoing Claim Type to Email Address.

  7. Click Finish.

  8. SAML attribute: If you configured only Claim Rule #1, enter the Outgoing Claim Type from Claim Rule #1 as the SAML attribute name.
    1. To find the Outgoing Claim Type, go to the ADFS Management console.

    2. Click Service > Claim Descriptions.

    3. Right-click the claim type you are using and click Properties.

    4. Copy the value in "Claim Type" and paste it into the SAML attribute name. It might look like "" or the short name that you might have typed.

Sample Claim Rule #2

In this claim rule, we will send the email address configured in Claim Rule #1 as the NameID of the subject.

  1. Click Add Rule.

  2. Select Transform an Incoming Claim as the claim rule template to use.

  3. Give it a name. In this example, we are using Email Address to Name ID.

  4. The incoming claim type should be E-mail Address (or it must match the outgoing claim type used in Sample Claim Rule #1).

  5. Set Outgoing claim type to Name ID and Outgoing name ID format to Email.

  6. Select Pass through all claim values.

  7. Click Finish.

This rule will send the E-mail-Address value of a user as the NameID of the subject with the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.


Setting up MS AD FS as Identity Provider in Adaptive Planning

In this section, you will configure your Adaptive Planning instance to accept SAML/SSO tokens from your MS AD FS 3.0 installation. The steps in this section use the sample claim rules described above; if you have created different rules, you will need to alter these instructions accordingly.

  1. Log in to your Adaptive Planning instance as a user with User Administrator permissions.

  2. Go to Admin > SAML SSO Settings.

  3. Enter the following settings:

    1. Identity provider name: Enter your MS AD FS 3.0 server's name here.

    2. Identity provider Entity ID: Enter the value found on the FS Server's MS AD FS 3.0 Management Console.
      To find this, right-click Service, click Edit Federation Services Properties, and copy the value from the Federation Service Identifier field.

    3. Identity provider single sign-on URL: Enter the URL similar to (this is the URL from MS AD FS side to directly log in to Adaptive Planning):

    4. Custom logout URL: Optional. Enter a URL to load when the user clicks Logout from Adaptive Planning.
      If a URL is not specified, the Adaptive Planning login page is used.

    5. Identity Provider Certificate: Select the certificate file described in the Prerequisites.

    6. SAML user ID type: Select the user's federation ID.
      If you set up your claim rule to use the user’s email address and that address is the same as the login field on the user’s profile, you can select User's Adaptive Planning user name for SAML User ID.

    7. SAML user ID location: If you only configured Sample Claim Rule #1 in the claim rules of the relying party, then select User ID in Attribute.
      If you configured Sample Claim Rule #2, then select User ID for NameID of Subject.

    8. SAML attribute and SAML NameID format: You only need to enter one of these. If you only configured Sample Claim Rule #1, fill in the SAML attribute field with the outgoing claim type from Sample Claim Rule #1 and leave the SAML NameID format field blank.
      If you configured both sample claim rules, you can skip the SAML attribute field and fill in the SAML NameID field with the outgoing name ID format from Sample Claim Rule #2 (Email).

    9. Enable SAML: Select Not Enabled (this is the default value). After testing the configuration, return to this screen and enable SAML for other users.

  4. Click Save.
    The Admin overview displays.
  5. Go back to the SAML SSO Settings page to verify that the settings were saved successfully. Verify the issuer and validity of the identity provider certificate.
  6. Look for Adaptive Planning SSO URL at the bottom of the page, and copy the entire string value. Save this value as you will need it in the next section.

Completing the Configuration of the MS AD FS Relying Party

In this section, we will complete the MS AD FS relying party setup, which you started in Configuring Adaptive Planning as a Relying Party.

  1. Navigate back to your MS AD FS 3.0 administration console.

  2. Right-click AdaptivePlanning in the Relying Party Trusts list and select Properties.

  3. Click the Endpoints tab and click Add.

  4. Set Endpoint Type to SAML Assertion Consumer.

  5. Set Binding to POST.

  6. Paste the value of the Adaptive Planning SSO URL into the URL field. You copied this URL in the section Setting up MS AD FS as Identity Provider in Adaptive Planning.

  7. Click OK and click Apply in the properties dialog.

Testing the Setup

Test the SAML/SSO login from MS AD FS 3.0 into Adaptive Planning.

  1. Select a user on the MS AD FS side and the Adaptive Planning side. The Adaptive Planning user must have a SAML Admin permission.

  2. Enter the email address (or the LDAP attribute selected in Claim Rule #1) in MS AD FS for that user.

  3. From Adaptive Planning, enter the email address (possibly the same value) in the SAML Federation ID field for the user on the Admin > Edit User page.

  4. Log that AD FS user into a computer that is part of the Active Directory domain.

  5. Within a web browser on that computer, visit

  6. If everything is configured correctly, you will be redirected to the Adaptive Planning welcome page. Enter the username but leave the password field blank on the login page. Click Submit.

After successfully testing your setup, you can enable SAML SSO for your users. See Enabling SAML SSO for all Users in Adaptive Planning.
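
If the test login fails, the SAMLResponse form field that AD FS posts to the Adaptive Planning SSO URL shows which claim rules actually produced output. The Python sketch below is an added example, not part of the original article or of either product; it decodes that field and checks it against the SAML user ID location setting. The sample response, host names, user, and the attribute short name Email are constructed, and the code only inspects fields without verifying the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response (unsigned; every value is invented for illustration).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example.com/sso">
 <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
 <saml:Assertion>
  <saml:Subject><saml:NameID Format="%s">jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="Email">
   <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>""" % EMAIL_FORMAT
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_response(b64_response):
    """Decode a POST-binding SAMLResponse value captured from your own test login."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS)]
             for a in root.findall("a:Assertion/a:AttributeStatement/a:Attribute", NS)}
    return {"destination": root.get("Destination"),  # should equal the Adaptive Planning SSO URL
            "issuer": root.findtext("a:Issuer", namespaces=NS),  # should equal the IdP Entity ID
            "name_id": None if name_id is None else name_id.text,
            "name_id_format": None if name_id is None else name_id.get("Format"),
            "attributes": attrs}


def check_user_id(info, location, attribute=None, name_id_format=EMAIL_FORMAT):
    """Return mismatches between the response and the SAML user ID location setting."""
    problems = []
    if location == "attribute":  # only Sample Claim Rule #1 configured
        values = info["attributes"].get(attribute, [])
        if len(values) != 1:
            problems.append("attribute %r must carry exactly one value, found %d"
                            % (attribute, len(values)))
    elif location == "nameid":  # Sample Claim Rule #2 configured
        if not info["name_id"]:
            problems.append("no NameID in Subject (is Sample Claim Rule #2 present?)")
        elif info["name_id_format"] != name_id_format:
            problems.append("NameID format is %r" % info["name_id_format"])
    else:
        raise ValueError("location must be 'attribute' or 'nameid'")
    return problems
```

An empty list from check_user_id means the response carries the user ID where the SAML SSO Settings page expects it; compare the returned issuer and destination by eye against the Identity provider Entity ID and the Adaptive Planning SSO URL.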

Logging in to Excel Interface for Planning and Office Connect using SAML SSO

Once SAML SSO has been successfully configured and tested, Excel Interface for Planning and OfficeConnect users only need to provide their usernames in the login form. Leave the password field blank.
