Single Sign-On for users outside my organisation

I've been given the task of monitoring the users that are set up in our existing Anaplan workspace. Company policy says that all users should use SSO, but we have a number of existing users who are not set up as SSO users. Some of those are anaplan.com users and some of them work for our consulting partner.

If I simply make them SSO users by checking the appropriate boxes on the user list in Anaplan, what system would authenticate them? Their own organisation's SSO? If so, I don't think that's the outcome we're looking for 🙂

Given the obvious intention of my organisation's SSO policy - that we have control over system access - do I need to arrange for those external users to have email addresses issued by my organisation?

Thanks!

Answers

  • @steve

    As far as I know, all the Visitors (be it Anaplan folks or consulting partners) to your organization's environment can't be SSO users if they aren't on the Active Directory of an organization. One of the reasons that I could think of is that, because all of the Visitors will not have access to the Prod environment and will have access to the Dev and/or Test environment, it is OK for them to access Anaplan as non-SSO users. But I understand that some organizations want to streamline everything with no exceptions given.

    If you make all these Visitors SSO Users, they will immediately lose access to the models.

  • Agree with @Misbah; from experience, if SSO is switched on you can log into a workspace but not see any models/pages unless set up on the workspace organisation's SSO.

    If having everyone use SSO is a priority, then they will need company SSO access; otherwise, leave them as exception users and limit access to only DEV models.

  • @steve

    As per experience, we all know the benefits of being SSO and non-SSO users; that's why the org may also be looking to make in-house users SSO and external users non-SSO (unless consultant / outside company users are onboarded with a company ID, as per Active Directory).

    Now, if you make any in-house / internal non-SSO user an SSO user (by clicking the checkbox), will any compliance issue (per se) come into the picture or not? I believe not, as they are from Active Directory (and certainly managed by the network / IT team).

    Given the access part to workspaces (and eventually models), I hope the user management part is very cautiously taken care of by the Prod / pre-prod Workspace admin.

    You are always welcome here to get insight on the solution; just wanted to put forward a thought: you may double-check with the in-house Workspace admin also.

    Please do share the approach you will take to cater to the ask on SSO.

  • Hello @steve,

     

    Former Anaplan Support member here! If you enable SSO on a visitor's email account, they will be unable to access Anaplan as it would require them to have an account created within your organization's domain.

     

    The way to think about this is with the following: 

     

    1) How important is security in your organization?

    2) Do you wish your visitors to have the same level of security as your employees? In other words, do you want your visitors to login through SSO like everyone else?

     

    If your company values security and access via Single Sign-On, what you will need to do is:

    - You can partner with your internal IT teams and have them create alias accounts for your visitors.

    - Once your visitors have alias accounts created, you would add those accounts to your models with "Single Sign On" enabled.

    Otherwise, you can set visitors as non-SSO, meaning keeping the Single Sign On box unchecked for your visitors.

     

    Let me know if you have further questions.

     

    Thanks,

    Daanish

  • @steve from my personal experience: the only case I know where this can work is if both Tenant and visitor users are using the same cloud Active Directory (for example Azure).

    If the visitors' e-mails are added as guests in the Tenant's Azure (for example by sharing some files through SharePoint), and depending on how the Anaplan Application SSO is set up in the Tenant's Azure, then the visitor users could be set up to use Single Sign-On and successfully connect to the Tenant's Anaplan using the SSO link.

     

    Of course, the visitor users will not be able to toggle between Tenants anymore while they are connected to the Tenant's Anaplan.

     

    Hope it helps

    Alex
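
An added example, not part of the thread and not Anaplan code: one way to audit a user list against the policy discussed above (internal users on SSO, visitors either on alias/guest accounts or kept as non-SSO exceptions limited to DEV models). The CSV column names, the `example.com` company domain, the `DEV` model-name prefix and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io

COMPANY_DOMAIN = "example.com"   # assumption: your organisation's e-mail domain
DEV_PREFIX = "DEV"               # assumption: DEV models are named with this prefix

# Constructed sample export; the column names are hypothetical, not Anaplan's.
SAMPLE_EXPORT = """email,sso,models
alice@example.com,true,PROD Finance;DEV Finance
bob@example.com,false,PROD Finance
carol.ext@example.com,true,DEV Finance
dave@partner.example,false,DEV Finance
erin@partner.example,false,DEV Finance;PROD Finance
frank@anaplan.com,true,DEV Finance
"""

def classify(row):
    """Return a finding string for one user row, or None if the row complies."""
    email = row["email"].strip().lower()
    domain = email.rpartition("@")[2]
    sso = row["sso"].strip().lower() == "true"
    models = [m.strip() for m in row["models"].split(";") if m.strip()]
    internal = domain == COMPANY_DOMAIN
    if internal and not sso:
        return "internal user without SSO"
    if not internal and sso:
        # Per the thread: an SSO-enabled visitor with no account in the
        # workspace organisation's directory loses access to the models.
        return "external address with SSO enabled (needs alias or guest account)"
    if not internal:
        non_dev = [m for m in models if not m.upper().startswith(DEV_PREFIX)]
        if non_dev:
            return "exception user with non-DEV access: " + ", ".join(non_dev)
        return "exception user (non-SSO, DEV only): review periodically"
    return None

def audit(export_text):
    """Map each non-compliant or exception user's e-mail to its finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        finding = classify(row)
        if finding:
            findings[row["email"].strip().lower()] = finding
    return findings

if __name__ == "__main__":
    for email, finding in audit(SAMPLE_EXPORT).items():
        print(f"{email}: {finding}")
```

Alias accounts issued in the company domain (such as the constructed `carol.ext@example.com`) pass as internal SSO users, which matches the alias-account approach described in the answers.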