Ability of supporting different unique identifier (NameID) for SAML authentication

Description:

Ability of supporting different unique identifier (NameID) for SAML authentication.

Example of enhancement:
Customer can set the unique identifier while configuring SAML for Anaplan.

Benefit/impact:
Some organisations have a unique identifier that is different from the email address as the email address can change for different reasons.
Currently, when there is a change to the preferred name in Workday, for example, it changes the email address (NameID) for SSO, and as a result SSO stops working because Anaplan uses email as the unique identifier.

6 votes

Delivered · Last Updated

Comments

  • Status changed to: Delivered
  • We would really want to change the unique identifier in Anaplan to be something other than the email address for all users, not just for SAML authentication. Otherwise if a user email address changes, which can happen for various reasons, the user has to be reset up again in Anaplan.

  • Email address as a NameID has been deprecated in SAML since SAML 2.0 was released... in 2005.  And for very good reasons of user management.  Come join us in the 21st century!

  • Status changed to: Delivered
  • Hi,

    I have an important client who signed with Anaplan on the basis of an authentication based on the employee ID, not on the email address. With this client, all editors (Workday, Microsoft, ...) use the employee ID for the SSO. Some publishers have had to make changes to their product in order to meet this requirement. For our part, is any change planned for this year?

  • This is available as part of our new Self Service SAML feature released earlier this year.  Within the next few months, we will be migrating customers using Anaplan's existing SSO Server to the new Self Service SAML framework.  Once migrated, customers may use attributes other than the email address in the Name_ID format, as long as they indicate where in the SAML response the customers' email address is located.  We still require this attribute to properly map that user to our record of that user in our tables.

  • How will using a unique ID different from the email address work with the condition that requires "this attribute to properly map that user to our record of that user in our tables"?

    To my knowledge, the Anaplan ID format is always an email address.

  • Hi David:  this unique ID is an option in the SAML configuration where customers can send the unique ID in the SAML response as long as they include the user's email address somewhere in that response.  Anaplan will consume the SAML response and extract the user's email address to identify that user in our own data store.   Certain customers want to use something other than email address in the NAMEID Format section of the SAML configuration, which we support, again, as long as they specify where in the SAML response the email address is located.
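
The mapping described in the reply above, as an added example that is not part of the original thread and is not Anaplan's code: a service provider takes a non-email NameID and reads the email from a configured location in the assertion. The attribute name `email`, the function name and the sample assertion are assumptions, and signature, issuer and audience validation are assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: NameID carries an employee ID, and the
# email address travels in an attribute (the name "email" is an assumption).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">E1004273</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def resolve_identity(assertion_xml, email_attribute="email"):
    """Return (name_id, email) from an assertion whose signature, issuer,
    audience and validity window have ALREADY been verified (not shown)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or not name_id.strip():
        raise ValueError("assertion has no NameID")
    values = [
        (v.text or "").strip()
        for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == email_attribute
        for v in attr.iterfind("saml:AttributeValue", NS)
    ]
    values = [v for v in values if v]
    # Fail closed: a missing or ambiguous email must not fall back to NameID,
    # otherwise the user could be mapped to the wrong account.
    if len(values) != 1:
        raise ValueError(f"expected exactly one {email_attribute!r} value, got {len(values)}")
    email = values[0].lower()
    if email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
        raise ValueError("email attribute is not an address")
    return name_id.strip(), email


if __name__ == "__main__":
    print(resolve_identity(SAMPLE_ASSERTION))
```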
