Overview
Single Sign-On (SSO) allows users of your PlanRadar account to log in using your existing SAML-enabled ID provider, such as Active Directory, OneLogin, and many more. This means users do not have to keep track of yet another email and password.
It also makes it easier to provision new users as users will be automatically created as free subcontractors. The user type and permissions can be changed later by another user with the permission to manage users.
Read more in Create & Manage Users.
Access & Permissions
To activate Single Sign-On (SSO) with SAML, you need an in-house user with the user permission 'Accounts'. Read more in Permissions.
Prepare SAML Identity Provider
The SAML identity provider must be configured to provide three attributes: Email Address as nameid, firstname, and lastname. These attributes allow PlanRadar to properly identify the user and automatically provision them.
Activate SAML with Azure Example
Basic SAML Configuration
- Sign in to the Azure portal as a cloud application admin, or an application admin for your Azure AD tenant.
- Navigate to Azure Active Directory > Enterprise applications > New Application > Non Gallery Application, add the name “PlanRadar”, and then click Add.
- Under the Manage section, select Single sign-on.
- Select SAML.
- The Set up Single Sign-On with SAML - Preview page opens.
To edit the basic SAML configuration options:
- Select the Edit icon (a pencil) in the upper-right corner of the Basic SAML Configuration section.
- Update the Basic SAML Configuration based on the data provided by PlanRadar.
Configure User attributes and claims
- In the User Attributes and Claims section, select the Edit icon (a pencil) in the upper-right corner.
- Verify the Name Identifier Value and set the value to user.userprincipalname and the format to emailAddress.
To modify the Name Identifier Value:
- Select the Edit icon (a pencil) for the Name Identifier Value field.
- Make the appropriate changes to the identifier format and source, as needed.
For details, see Editing NameId.
- Save the changes once you're done.
To add a claim:
- Select Add new claim at the top of the page.
- Enter the Name and select the appropriate source.
- If you select the Attribute source, you'll need to choose the Source attribute you want to use.
- If you select the Translation source, you'll need to choose the Transformation and Parameter 1 you want to use.
For details, see Adding application-specific claims.
- Save the changes when you're done.
In general all the attributes should be configured like this.
- Finally, go to the SAML Signing Certificate section and share the App Federation Metadata URL.
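A pre-flight check for the three values listed under Prepare SAML Identity Provider, as an added example that is not PlanRadar's or Microsoft's code: it reads a SAML assertion captured from a test login and reports a missing or misconfigured NameID, firstname or lastname. The sample assertion and the function name check_assertion are constructed for illustration, and the script checks content only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRIBUTES = ("firstname", "lastname")  # attribute names as listed on this page

# Constructed sample assertion (not real IdP output); the Signature element is omitted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text):
    """Return a list of problems; an empty list means all three values are present."""
    problems = []
    root = ET.fromstring(xml_text)  # works for a bare Assertion or a Response wrapping one
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected emailAddress")
        if "@" not in name_id.text:
            problems.append("NameID value does not look like an email address")
    # Collect non-empty attribute values keyed by the exact Name the IdP sent.
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        texts = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values[attr.get("Name", "")] = [t for t in texts if t]
    for name in REQUIRED_ATTRIBUTES:
        if not values.get(name):
            problems.append(f"attribute {name!r} missing or empty; assertion carries {sorted(values)}")
    return problems

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION) or ["all three values present"]:
        print(problem)
```

The list of attribute names printed with each failure makes a claim emitted under a different name than the one expected easy to spot.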
Activate SSO on PlanRadar Account
To activate SSO:
- Click Settings
- Click Account
- Click Account settings
- Select the Enable SSO with SAML checkbox
- Enter your IdP Metadata URL
- Click Enable SSO with SAML
- Once you enable SSO, your metadata will provide your Consumer and Sign on URLs.
Once SSO with SAML is enabled, you can only log in using SAML.
How it Works
SAML Single Sign-On (SSO) works by transferring your identity from one place (the identity provider) to another (PlanRadar). This is done through an exchange of digitally signed XML documents.
For example, if you are logged into a system that acts as an identity provider (e.g. Microsoft Azure, OneLogin, etc.) and want to log into PlanRadar, the following happens:
- You access PlanRadar.
- PlanRadar identifies your origin (by application subdomain, user IP address, or similar) and redirects you back to the identity provider, asking for authentication. (This is the authentication request.)
- You either have an existing active browser session with the identity provider or establish one by logging into the identity provider.
- The identity provider builds the authentication response in the form of an XML document containing your username or email address, signs it using an X.509 certificate, and posts this information to PlanRadar.
- PlanRadar, which already knows the identity provider and has a certificate fingerprint, retrieves the authentication response and validates it using the certificate fingerprint.
- Your identity is established and you are granted app access.
If you need any help activating SSO with SAML, reach out to our Support Team at support@planradar.com.