Highlighted
Contributor

Re: Anaplan REST API with Cert Access: Connect to different Models

@Jared Dolich  / @Stacey_Gibbens 

 

Thank you both for replying.

 

@Stacey_Gibbens your reply seems to indicate that i can only call the APIs when using an exception account (Non SSO enabled, not certificate)  however I have to respectfully disagree with this.

 

The first process I wrote utilizing the Anaplan REST API connected to 6 separate Work-spaces (all within the same tenancy) via the CA Certs authentication mechanism (Account was SSO enabled and Workspace Admin) to execute several tasks such as Export, Process, Action, downloads etc..All without any issues. This process has been running in PROD daily for 3 months. My team also have several processes in development and testing which uploads, imports, and downloads data w. the same CA cert.

 

We have previously imported data from model to model via the API but the models where all within the same workspace.

 

This is the first time we are attempting to execute a cross workspace import via the REST APIs when connected via CA Cert.

 

So the fundamental question is:

 

Does Anaplan allow cross workspace imports when using connected via CA Certs?

Highlighted
Master Anaplanner/Community Boss

Re: Anaplan REST API with Cert Access: Connect to different Models

@damianshameer2 ,

The client I work with now uses a CA certificate and crosses multiple workspaces but they aren't using SSO but it seems to me that if you can get it to work with one workspace it should work with others within the same tenant.

 

Some suggestions for you:

  • It might be time to reach out to support@anaplan.com and get some data integration SME's to help you out.
  • You can also reach out to your Anaplan business partner - they will definitely get you the help you need.
  • I just noticed that maybe the selective access is turned on for that list. Here's the screenshot you provided. Make sure that's not holding you up. Look at Org L1.

If you do work with support, I hope you'll post the answer. I'm sure others will encounter the same issue.

 

Selective Access.png

 

 

 


Jared Dolich - Retail, Wholesale, eCommerce
Highlighted
Contributor

Re: Anaplan REST API with Cert Access: Connect to different Models

@Jared Dolich 

 

Yes, I have raised this to Support...I was told the ticket is sitting with the API team

 

Selective access is not an issue (we test several variations) 

 

Thanks,Damian

Highlighted
Community Boss

Re: Anaplan REST API with Cert Access: Connect to different Models

Does Anaplan allow cross workspace imports when using connected via CA Certs?

They are, but:

1. The API user must have single sign-on switched off (so are exception users if the workspace is SSO-enabled) in both source and target workspaces

2. The workspaces must both be associated with the same SSO server (IDP) or no SSO server.

 

The ability to access SSO workspaces at all through the v2.0 API may be restricted to exception users in the future, but that will require a period of transition.

Highlighted
Contributor

Re: Anaplan REST API with Cert Access: Connect to different Models

@ben_speight 

 

1. The API user must have single sign-on switched off (so are exception users if the workspace is SSO-enabled) in both source and target workspaces

 

attached below is a snaphot of my PROD workspace and integration account...note SSO is enabled..I have a few process running against this workspace to extract data daily without any issue

 

image.png

 

2. The workspaces must both be associated with the same SSO server (IDP) or no SSO server.

 

We have a single IdP config...I did this config for my Org and Anaplan so this is not an issue.

 

I have raised this to Anaplan Support to lets see what they say

Highlighted
Certified Master Anaplanner

Re: Anaplan REST API with Cert Access: Connect to different Models

@damianshameer2 

Well, I can't dispute your experience with running integrations using a CA cert within a single workspace.  If you say it works, then it works.  

 

However, in my experience, the integration account must not be restricted to SSO only (which is what checking the SSO box does).  I use an integration account associated with a CA certificate to run integrations across 3 production workspaces, with model-to-model, data uploads (from a warehouse extract), and data downloads (to be a data import back to the warehouse) on a nightly and intra-day cadence, and have been for years.  The caveat is that I'm using AnaplanConnect and not the REST API, but I can't imagine authentication requirements for the integration account would be different across those two methods.  That would seem cumbersome.  

 

Please do post to let everyone know what Support says.  I'd be interested to see what they say.  

 

Thanks!

Stacey Gibbens 

Highlighted
Contributor

Re: Anaplan REST API with Cert Access: Connect to different Models

@Stacey_Gibbens 

 

I will update the thread once Anaplan Support replies.

 

To be honest, having SSO disabled is a huge risk....Basically it means, as you are aware, a person can log into the workspace outside of the organization's control. I understand not all orgs will have a federated identify provider but making this a mandatory setting to do cross workspace communcation seems to be  step back.

 

 

 

Highlighted
Certified Master Anaplanner

Re: Anaplan REST API with Cert Access: Connect to different Models

@damianshameer2 

 

Did you get a reply from Support on this issue yet?  I'm curious what happened....   🙂

Highlighted
Contributor

Re: Anaplan REST API with Cert Access: Connect to different Models

Hi,

 

Yes, We have gotten a response back from Anaplan.

 

The behavior you have described was correct where SSO must be disabled at the Source Model  in order from cross workspace imports to work. SSO does not have to disabled when all the Models are within the same workspace. We have a data hub in a separate workspace so this limitation is a huge blocker for us at the present moment. 

 

There are several concerns with SSO being disabled in any workspace for my org so it was can escalated to Anaplan and we are waiting for response and remediation.

 

I will go back to the replies and accept your response.

 

Thanks for your help. 

 

 

 

 

 

Master Anaplanner/Community Boss

Re: Anaplan REST API with Cert Access: Connect to different Models

Hi @damianshameer2 

 

1. Are you able using batch@mycompany.com  user to connect normally in Anaplan and successfully launch the import action from the Target model?

2. I am a beginner in using CA Certificate, but as per my knowledge, the CA Certificate is associated to an e-mail address. Is this e-mail address the same as batch@mycompany.com