Enabling single sign-on and setting options

After the P4 AS (HAS) is installed and working correctly, an administrator needs to configure single sign-on in the P4 Plan Server Administrator.

Keep the following in mind:

  • You must use a version of the P4 Plan server that supports integration with HAS. P4 Plan 11.0041 and later are supported.
  • The identity provider and HAS must be installed, configured, and running before using SSO in P4 Plan. This also includes adding certificates on the P4 Plan server so P4 Plan can be a client to HAS. See Installing the P4 AS for single sign-on and Configuring certificates for single sign-on on the P4 Plan server.
  • The user email address from the identity provider is used to map to a user in P4 Plan. If the same email address is set for multiple P4 Plan users, the wrong users may be mapped. If multiple users have the same email address, you may need to change the email address in each system for single sign-on to work.
  • SSO settings apply to all databases on the P4 Plan server you are logged in to.
  • Review and adjust SSO settings if you share users between multiple P4 Plan servers. For example, suppose you have two P4 Plan servers (ServerA and ServerB), a user is shared from ServerA to ServerB, and ServerA is configured to only allow login using SSO. You must also allow login using SSO on ServerB or the user will not be able to log in to that server.

1. In the P4 Plan Server Administrator, click SSO options under Server settings.

The SSO options dialog box opens.

2. Select Enable P4 AS to enable communication with HAS for SSO.

3. Enter the P4 AS URL, including the port that the service is running on.

This is the SVC_BASE_URI value in the HAS .env file. It can be an http or https URL and must include the port number. For example, https://has.mycompany.com:3000.

If you use https, you must configure client certificates on the P4 Plan server. See Configuring certificates for single sign-on on the P4 Plan server.

4. Select a Login option.

  • Use SSO login only lets users log in with SSO only. If this option is selected, users can only log in through the identity provider and not with their P4 Plan or LDAP username and password.
  • Allow password or SSO login lets users log in using either SSO or their P4 Plan or LDAP username and password.

5. Optionally enter an Email mapping override if user email addresses in the identity provider are not stored in the default fields, which are loginID (SAML) or email (OIDC).

For example, if the email address is in a field named signin in the identity provider, P4 Plan does not recognize the field and cannot map the user email address from the identity provider to P4 Plan. In this case, you need to enter signin in the Email mapping override field. If the integration is not working, you can enter any value in this field and then attempt to log in to the P4 Plan client with SSO. The login will not be successful, but you can then review the P4 Plan server log to see all fields in the response from HAS and find the correct field name.

6. Click OK to save the changes.

7. Log in to the P4 Plan client to make sure SSO works correctly.
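
The checks below are an added example, not code from P4 Plan or HAS. They validate the SVC_BASE_URI value used in step 3 and find P4 Plan users that share an email address, which would make the SSO user mapping ambiguous. The function names, the (user name, email) input format, and the case-insensitive email comparison are assumptions.

```python
"""Pre-flight checks for the SSO settings above (added example, not vendor code)."""
from collections import defaultdict
from urllib.parse import urlsplit


def check_has_url(env_text):
    """Return (url, problems) for SVC_BASE_URI found in HAS .env text."""
    url = None
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "SVC_BASE_URI":
            url = value.strip().strip("'\"")
    if url is None:
        return None, ["SVC_BASE_URI not set"]
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("missing host name")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port is None:
        problems.append("port number must be given explicitly")
    return url, problems


def email_collisions(users):
    """Group user names by email; any group larger than one is ambiguous for SSO."""
    by_email = defaultdict(list)
    for name, email in users:
        # Assumption: compare case-insensitively to err on the side of reporting.
        by_email[email.strip().lower()].append(name)
    return {e: sorted(n) for e, n in by_email.items() if e and len(n) > 1}


# Constructed sample data, not taken from a real installation.
SAMPLE_ENV = "# HAS settings\nSVC_BASE_URI='https://has.mycompany.com:3000'\n"
SAMPLE_USERS = [("alice", "alice@example.com"), ("asmith", "Alice@Example.com"),
                ("bob", "bob@example.com")]

if __name__ == "__main__":
    print(check_has_url(SAMPLE_ENV))
    print(email_collisions(SAMPLE_USERS))
```

Resolve every reported collision before selecting Use SSO login only, because users with a shared address have no password login to fall back on.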