Single Sign-On security enhancement

We got a requirement recently to limit access to the single sign-on setting. At the moment all administrators are able to deactivate this for themselves at any given moment and effectively skip all security controls. We believe that not all admins should be able to do this. In companies which have more builders (for example 25) you may find some 'regular' developers who are just building their models and some people who are also responsible for overall governance (COE team). I'd suggest that SSO should be changed at the Tenant administrator level, as only a limited number of admins have access to it and it could be easily controlled there. We are not even able to see in the history who made the change and when (it appears under a blank model change), so the only way to control it is to export the Users tab every day to keep track of all changes, which is quite a tedious process. Moreover, currently an administrator can turn SSO off for himself, which should not be possible at all. I suggest it works exactly the same way as administrator (an admin can't revoke his admin privileges and needs another admin to do this), so an additional person will be needed to do that action. It should slightly increase SSO security.
14 votes
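The daily-export workaround described in the post can be automated by diffing two consecutive exports of the Users tab. This is an added example, not part of the original post and not Anaplan code; the column names `email`, `sso_enabled` and `is_admin` and the sample rows are assumptions constructed for illustration. The export shows only that a flag changed, not who changed it.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not Anaplan's real export layout.
YESTERDAY = """email,sso_enabled,is_admin
alice@example.com,true,true
bob@example.com,true,false
carol@example.com,true,true
"""
TODAY = """email,sso_enabled,is_admin
alice@example.com,false,true
bob@example.com,true,false
dave@example.com,false,false
"""

def _truthy(value):
    return value.strip().lower() in {"true", "yes", "1"}

def load_export(text):
    """Map lower-cased email -> (sso_enabled, is_admin) for one export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower(): (_truthy(r["sso_enabled"]), _truthy(r["is_admin"]))
            for r in rows}

def sso_changes(previous, current):
    """Return findings as (severity, email, description), sorted for stable output."""
    old, new = load_export(previous), load_export(current)
    findings = []
    for email, (sso, admin) in new.items():
        if email not in old:
            if not sso:  # account created already exempt from SSO
                findings.append(("medium", email, "new user created without SSO"))
            continue
        old_sso, _ = old[email]
        if old_sso and not sso:
            # An admin losing SSO is the self-exemption case the post describes.
            findings.append(("high" if admin else "medium", email, "SSO disabled"))
        elif sso and not old_sso:
            findings.append(("info", email, "SSO enabled"))
    for email in old.keys() - new.keys():
        findings.append(("info", email, "user removed from export"))
    return sorted(findings)

if __name__ == "__main__":
    for severity, email, what in sso_changes(YESTERDAY, TODAY):
        print(f"{severity:6} {email:22} {what}")
```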



  • Miran
    Status changed to: In Review
  • Hi Matthias, you might want to look at a similar post from Ernie_Goff and add Kudos to this to try and help it gain enough support to be picked up by the Anaplan development team.

    Cheers, Andrew.

  • Status changed to: In Review
  • VickiA

    Thank you for your idea submission. After careful review with our internal product teams on your idea, we have unfortunately decided this does not fit on our roadmap. We understand this can be frustrating. We appreciate you taking the time to submit your suggestions, and encourage you to continue to do so in the future. If you have any concerns, don't hesitate to reach out to the Anaplan Team through here or

  • We plan to enhance the Tenant Administration Self Service SAML feature to include the ability to assign exception users (users that can bypass SSO). Only Tenant Security Administrators would have the authorization to apply this setting and it means that WSAs can no longer have that control.
