Single Sign-On for users outside my organisation

I've been given the task of monitoring the users that are set up in our existing Anaplan workspace. Company policy says that all users should use SSO, but we have a number of existing users who are not set up as SSO users. Some of those are anaplan.com users and some of them work for our consulting partner.

If I simply make them SSO users by checking the appropriate boxes on the user list in Anaplan, what system would authenticate them? Their own organisation's SSO? If so, I don't think that's the outcome we're looking for 🙂

Given the obvious intention of my organisation's SSO policy - that we have control over system access - do I need to arrange for those external users to have email addresses issued by my organisation?

Thanks!

Accepted answers

All comments

Misbah

@steve

As far as I know all the Visitors (be it Anaplan folks or consulting partners) to your organization environment can't be SSO users if they aren't on Active Directory of an organization. One of the reason that I could think of is because all of the Visitors will not have access to Prod environment and will have access to Dev and/or Test environment it is ok for them to access Anaplan as Non SSO users. But I understand that some organizations want to streamline everything with no exceptions given.

If you make all these Visitors as SSO Users they will immediately lose the access to the models

AWhitworth

Agree with @Misbah, from experience if SSO is switched on you can log into a workspace but not see any models/pages unless set up on the workspace organisations SSO.

If having everyone use SSO is a priority then they will need company SSO access, otherwise, leave them as exception users and limit access to only DEV models.

CommunityMember126793

@steve

As per experience, we all know the benefits of being SSO and non SSO users; that's why org may also looking forward to make inhouse users as SSO and external as non-SSO (unless consultant / outside company users are onboarded with company id - as per Active Dir).

Now, if u make any Inhouse / Internal non-SSO user as SSO user (by clicking the checkbox) then will there be any compliance issue (per say) come in picture or not.... I believe no as they are from Active directory (and certainly managed by network / IT team).

Given the access part to workspaces (and eventually models), I hope the user management part is very cautiously taken care by Prod / perprod WorkSpace admin..

You are always welcome here to get the insight on the solution; just wanted to put a thought, You may double check with inhouse Workspace admin also..

Please do share the approach you will take to cater the ask on SSO

DaanishSoomar

Hello @steve,

Former Anaplan Support member here! If you enable SSO on a visitor's email account, they will be unable to access Anaplan as it would require them to have an account created within your organization's domain.

The way to think about this is with the following:

1) How important is security in your organization?

2) Do you wish your visitors to have the same level of security as your employees? In other words, do you want your visitors to login through SSO like everyone else?

If your company values security and access via Single Sign On- what you will need to do is:

-You can partner with your internal IT teams and have them create alias accounts for your visitors.

-Once your visitors have alias accounts created, you would add those accounts to your models with "Single Sign On" enabled.

Otherwise, you can set visitors as non-SSO. Meaning keeping the Single Sign On box unchecked for your visitors.

Let me know if you have further questions.

Thanks,

Daanish

alexpavel

@steve from my personal experience: the only case I know this can work is if both Tenant and visitor users are using the same cloud Active directory (for example Azure).

If the visitors e-mails are added as guests in Tenant Azure (for example by sharing some files through SharPoint) and depending on how Anaplan Application SSO is setup in Tenant's Azure.. then the visitor users could be setup to use Single-Sign-On and successfully connect to Tenant Anaplan using the SSO link.

Of course, the visitor users will not be able to toggle between Tenants anymore while they are connected to the Tenant's Anaplan.

Hope it helps

Alex

Quick Links

Can you help?

Unanswered questions

How have you from-scratch built lot-level, geo-based Inventory Consumption?
We’re working on modeling inventory consumption at the lot level, accounting for shelf life considerations, since we need visibility into which lots may not consume—both for risk reporting and E&O analysis. Each item may have customers with different shelf life requirements. For example, item A may need 270 days for some…
How to bring Row data into Columns?
Hi, Can you help me, how can we get row data into columns using Unique ID? Per attached below first snapshot, I want to bring rountingOrder 4, RecipientName, Sent and Completed dates in 1 row as show in sanpshot 2. Do I need to create Hierarchy list and Map?
How to Design Simulation Planning in Anaplan with Multi-Level User Input and Step-by-Step Logging?
Hi Anaplan Community, I'm working on a simulation planning model where users need the flexibility to input pricing adjustments at any level of the product hierarchy, and I’d love your guidance on best practices. 📌 Scenario Overview: We have a 4-level product hierarchy: Brand Category Sub Category SKU (lowest level) The…