Anaplan API — If SSO is disabled do CA Certs really help that much?
I'm working on developing some best practices for our organization surrounding Anaplan API connections. I know Anaplan recommends using a CA Cert when connecting with the API, but I'm not able to find much guidance from Anaplan regarding API connections and SSO. I did find this thread where most users seem to be under the impression that SSO must be disabled to access the API, although one user claims to be able to connect via the API while SSO is enabled with limited ability to communicate between models in different workspaces.
I understand why API connections using CA Certs are more secure. However, if SSO is disabled and anyone can log in to the user's account with a username/password — it seems that most of the risk with disabling SSO isn't mitigated by connecting with a CA Cert.
As far as I know if you are moving data across models but within a workspace you can have SSO enabled but if it is across workspaces then the API user has to be exception user (Non SSO enabled). Version 2.0 API will cater to the need of not having SSO enabled API user while doing integration across workspaces.
On benefits of CA certificate I will let @ben_speight take charge
The only way you will get data in and out of Anaplan with a certificate is when SSO is turned off (exception user).
The biggest benefit of a CA certificate is security. You don't have to save passwords, you don't have to reset the password, etc.. Very safe way to move data around and is best practice when it comes to data integration.
I think the CA certificates are rather inexpensive too. here's a whole list of them that will work.
@ben_speight is the expert though. He may have other perspectives.