The key size you require, either 1024 or 2048 bit.
Whether you require that the AuthnRequest be digitally signed.
The Anaplan login (email address) for one or more Exception Users, such as you, the Anaplan Administrator.
Optionally, a SAML Logout URL. The default behavior is that when an end-user logs out of Anaplan, that end-user is redirected to a static single sign-on page from which the end-user can log in to Anaplan using the friendly URL. The Anaplan administrator has the option of specifying a SAML Logout URL, which causes the end-user log-out action to also log out that end-user from the SAML identity provider (IdP).
As soon as Anaplan Support establishes a test workspace for SAML SSO, the standard login mechanism of entering a username and password at the Anaplan URL returns only the workspaces for which SSO is not enabled. An Exception User, however, CAN still log in to Anaplan at the Anaplan URL, https://sdp.anaplan.com/frontdoor/login, using their username and password and access workspaces for which SSO is enabled. This is useful in case SSO access from the Friendly URL is not working properly.
Make sure the SAML attribute NameID is configured to be sent across to Anaplan and matches the email address registered on Anaplan. Format as below:
Configure your IdP by applying the data in the metadata file to register the Anaplan service provider (SP). How the IdP consumes this metadata is product-specific. The requirements for successful testing are:
The Anaplan SSO server has been configured correctly:
At least one workspace is associated with the SSO server
The user accessing through single sign-on has been associated with that SSO workspace
The Client IdP has consumed the metadata and the metadata provided is correct
The SAML assertions being passed from the IdP are known standards and therefore can be validated by the SP
The SAML attribute NameID has been configured correctly as the Anaplan-associated email address
If using ADFS, the relevant Claim Rules have been configured. Anaplan Support can supply these on request.
A successful connection results in the display of the model tiles in the workspace(s) for which the user has SSO access. If no workspaces are visible for a user, this might be the result of incorrect workspace access for that user.
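One way to check the NameID requirement above during testing, as an added example (not Anaplan's code): it decodes a base64 SAMLResponse captured from your own test login and compares its NameID with the email address registered on Anaplan. The function names, the constructed sample response, the HTTP-POST binding and the strict case-sensitive comparison are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_nameid(saml_response_b64, registered_email):
    """Compare the NameID in a base64 SAMLResponse with the registered email.

    Diagnostic only: it reads the Subject and does not verify signatures.
    Use it on a response captured from your own test login.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    result = {"nameid": None, "format": None, "ok": False, "findings": []}
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        result["findings"].append("assertion is encrypted; NameID not readable here")
        return result
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        result["findings"].append("no NameID in the assertion Subject")
        return result
    raw = node.text
    result["nameid"] = raw.strip()
    result["format"] = node.get("Format")  # reported for review, not judged
    if raw != raw.strip():
        result["findings"].append("NameID has surrounding whitespace")
    # Strict comparison is an assumption; the page only says the values must match.
    if result["nameid"] == registered_email:
        result["ok"] = not result["findings"]
    elif result["nameid"].lower() == registered_email.lower():
        result["findings"].append("NameID differs from the registered email only by case")
    else:
        result["findings"].append("NameID does not match the registered email")
    return result

def sample_response(nameid):
    # Constructed sample response, not output from a real IdP.
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{nameid}</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for candidate in ("jane.doe@example.com", "Jane.Doe@example.com", "jdoe"):
        print(candidate, check_nameid(sample_response(candidate), "jane.doe@example.com"))
```

A NameID that carries an internal account name such as `jdoe` instead of the registered email address shows up here as a mismatch finding.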
Test SAML connectivity with the TEST workspace that Anaplan Support provided you by using one or two customer key users.
You can use pre-production IdP URLs and pre-production certificates.
If you also require your own pre-production or proof-of-concept workspace to test connectivity, contact Anaplan.
SSO for Production Workspace
When connectivity with the TEST workspace has been tested successfully and you are ready to move forward, request that Anaplan Support change your workspace from pre-production to production certificates and URLs, and migrate your PRODUCTION workspace to the SAML service.