Ability of supporting different unique identifier (NameID) for SAML authentication

Description:

Ability of supporting different unique identifier (NameID) for SAML authentication.

Example of enhancement:
Customer can set the unique identifier while configuring SAML for Anaplan.

Benefit/impact:
Some organisations have a unique identifier that is different from the email address as the email address can change for different reasons.
Currently, when there is a change to the preferred name in Workday for example, it changes the email address (NameID) for SSO and as a result the SSO stops working because Anaplan uses email as unique identifier.

8 Comments
Rebecca
Valued Contributor
 
Status changed to: Considered for Future Roadmap
angelah
New Contributor

We would really want to change the unique identifier in Anaplan to be something other than the email address for all users, not just for SAML authentication. Otherwise, if a user's email address changes, which can happen for various reasons, the user has to be set up again in Anaplan.

robmoser
Not applicable

Email address as a NameID has been deprecated in SAML since SAML 2.0 was released... in 2005.  And for very good reasons of user management.  Come join us in the 21st century!

Gwen.pryor
Regular Contributor
 
Status changed to: On Roadmap
OlivierG
Occasional Contributor

Hi,

I have an important client who signed with Anaplan on the basis of an authentication based on the employee ID, not on the email address. With this client, all editors (Workday, Microsoft, ...) use the employee ID for the SSO. Some publishers have had to make changes to their product in order to meet this requirement. For our part, is any change planned for this year?

connie.j
New Contributor

This is available as part of our new Self Service SAML feature released earlier this year.  Within the next few months, we will be migrating customers using Anaplan's existing SSO Server to the new Self Service SAML framework.  Once migrated, customers may use attributes other than the email address in the Name_ID format, as long as they indicate where in the SAML response the customers' email address is located.  We still require this attribute to properly map that user to our record of that user in our tables.

Status changed to: Delivered
david.savarin
Frequent Contributor

How will using a unique ID different from the email address work with the condition that requires "this attribute to properly map that user to our record of that user in our tables"?

To my knowledge, the Anaplan ID format is always an email address.

connie.j
New Contributor

Hi David:  this unique ID is an option in the SAML configuration where customers can send the unique ID in the SAML response as long as they include the user's email address somewhere in that response.  Anaplan will consume the SAML response and extract the user's email address to identify that user in our own data store.   Certain customers want to use something other than email address in the NAMEID Format section of the SAML configuration, which we support, again, as long as they specify where in the SAML response the email address is located.
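
The mapping described in the reply above, sketched as an added example (it is not Anaplan's code and not part of the thread): a service provider reads a non-email NameID and then looks up the email in a configured attribute of the same assertion, refusing the login if that attribute is missing or ambiguous. The function name `resolve_user`, the attribute name `email` and the sample assertion are assumptions, and the assertion is assumed to have already passed signature and condition checks.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: employee ID in NameID, email carried as an attribute.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">E1024</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def resolve_user(assertion_xml, email_attribute="email"):
    """Return (name_id, email) from an already-verified assertion.

    email_attribute is the configured location of the email address
    (hypothetical setting name); the NameID may be any stable identifier.
    """
    # SAML messages never need a DTD; reject one before parsing.
    if "<!DOCTYPE" in assertion_xml:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(assertion_xml)

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")

    # Collect every value of the configured attribute; exactly one is accepted
    # so that a duplicated attribute cannot make the mapping ambiguous.
    values = [
        (value.text or "").strip()
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == email_attribute
        for value in attr.findall("saml:AttributeValue", NS)
    ]
    if len(values) != 1 or "@" not in values[0]:
        raise ValueError("expected exactly one email in attribute %r" % email_attribute)
    return name_id.text.strip(), values[0]
```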