Introduction
Pre-requisite
To be able to access the ‘Customization’ feature, you must have ‘Access Customizations’ User Permission.
Navigation
Settings > Customization
Advantages of SSO
- You use and store your username and password for many websites with a single, secure and trusted identity provider.
- It takes less time for you to log into a new website. The identity provider’s username and password are all you need, instead of having to sign up with your name and contact details from scratch and verify your email.
- You know what information is being shared.
- You only have to remember one username and password to access many websites.
Select the following as required:
Auto redirect to SSO login page

Click to select the checkbox to bypass the Plutora login page and always redirect the user to the SSO Login URL.
If Auto redirect to SSO login page is selected but the Logout URL is not set, when users log out of Plutora or Plutora Test, they will be immediately logged back in again.
Use SAML Request
Click to select the checkbox to use the SAML settings on this page:
If the Auto redirect to SSO login page checkbox is not selected, but Use SAML Request checkbox is selected, users will be directed to the Plutora login page, where they can click the SSO Login button.
If the Use SAML Request checkbox is unselected, the system will attempt to log in via a pre-configured WS-Federation module and will fail.
Combined Issuer
Click to select the checkbox to enable SSO credentials for both Plutora and Plutora Test:
When enabled: The authentication request Issuer will be https://idp-{region}.plutora.com and the AssertionConsumerServiceUrl will be https://idp-{region}.plutora.com/api/Login/ExternalLoginResponse. This will allow customers to use SSO with Plutora and Plutora Test, provided they have updated their SSO server settings.
When disabled: The authentication request Issuer will be the site making the request – either https://{subdomain}.plutora.com or https://{subdomain}.plutoratest.com and the AssertionConsumerServiceUrl will also be the site making the request – either https://{subdomain}.plutora.com or https://{subdomain}.plutoratest.com. This will allow customers to continue to use SSO with Plutora without changing their SSO server settings.
If they add https://{subdomain}.plutoratest.com with the right settings to their SSO server, they will also be able to use Plutora Test. However, this isn’t the intention: the intention is that they should enable the option and update their SSO server settings to handle the new Issuer above.
Sign Login Request
If selected, the authentication request to the SSO server will be signed with Plutora’s private key.
Customers should download the public certificate and use it on their SSO server to validate the signature in the login request.
If selected, the authentication request will be made using a POST method; otherwise, it will be made using a GET method.
Validate Login Response
- If selected, upon receiving an authentication response from the customer’s SSO server, the Plutora authentication system will check the signature in the response and validate it using the “Response Validation Certificate” setting below.
- If the response is not signed, the authentication will fail. If the response is signed but the signature is invalid, the authentication will fail.
- The Validate Login Response checkbox should be selected. If left unselected, an unauthorized user could forge an authentication response and gain access.
Click Submit to save your changes.
If you click away from the Customization page without clicking Submit, your changes will not save.
User Role SAML Assertion Examples
User Roles can be set via SSO. Plutora will attempt to match User Roles to the ones on file. If no match is found, new users will be given the SSO Requestor Role and existing users will keep the roles that they already have.
Any of the following Name values can be used:
- UserRoles
- Roles
- UserGroups
- Groups
Single Attribute with Single AttributeValue
The AttributeValue can be comma-separated to add multiple roles to a user.
...
Role Name
...
Multiple Attribute with Single AttributeValue
...
Role Name #1
Role Name #2
...
Single Attribute with Multiple AttributeValue
...
Role Name #1
Role Name #2
...
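The three layouts above, as an added example that is not Plutora's own code: it reads role names from constructed SAML AttributeStatements and applies the fallback described in this section. The XML structure, the sample role names and exact-name matching against the roles on file are assumptions; role attributes should only be read from a response whose signature has already been validated.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_NAMES = {"userroles", "roles", "usergroups", "groups"}  # Names listed on this page
FALLBACK_ROLE = "SSO Requestor"  # role the page says unmatched new users receive


def extract_roles(statement_xml):
    """Collect role names from any of the three layouts, in order, de-duplicated."""
    roles = []
    for attr in ET.fromstring(statement_xml).iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name", "").strip().lower() not in ROLE_NAMES:  # case-insensitive
            continue
        for value in attr.findall(f"{{{SAML}}}AttributeValue"):
            # One AttributeValue may carry several comma-separated roles.
            for name in (value.text or "").split(","):
                if name.strip() and name.strip() not in roles:
                    roles.append(name.strip())
    return roles


def resolve_roles(asserted, known_roles, existing_roles=None):
    """Fallback described on this page; exact-name matching is an assumption."""
    matched = [r for r in asserted if r in known_roles]
    if matched:
        return matched
    # No match: a new user (existing_roles is None) gets the fallback role,
    # an existing user keeps the roles already on file.
    return [FALLBACK_ROLE] if existing_roles is None else list(existing_roles)


def statement(body):
    """Wrap constructed Attribute elements in an AttributeStatement."""
    return f'<saml:AttributeStatement xmlns:saml="{SAML}">{body}</saml:AttributeStatement>'


def attribute(name, *values):
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'


# Constructed samples, one per layout; role names are made up.
SINGLE_CSV = statement(attribute("UserRoles", "Release Manager, Tester"))
MULTI_ATTR = statement(attribute("roles", "Release Manager") + attribute("roles", "Tester"))
MULTI_VALUE = statement(attribute("Groups", "Release Manager", "Tester"))

if __name__ == "__main__":
    for sample in (SINGLE_CSV, MULTI_ATTR, MULTI_VALUE):
        print(extract_roles(sample))
```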
Portfolio Association for SSO Users Examples
You can set the user Portfolio Associations via SSO. Plutora will attempt to match Portfolio Association to the ones listed in the SAML response.
If the Portfolio Association attribute in the SAML response is left empty, or if the Portfolio Association listed in the SAML response does not match any existing Portfolio Association in Plutora, Plutora will assign the top-level Portfolio Association to new users but will not make any updates to existing users, so this can be managed within Plutora’s user management.
Any of the following Name values can be used:
- Organization
- Organisation
- PortfolioAssociation
- Portfolio Association
- Portfolio
Single Attribute with Single AttributeValue
Only one AttributeValue can be used to set the Organization for a user.
...
Organization Name
...
Enable Two-Factor Authentication
See Enable Two-Factor Authentication in Setting Up Two-Factor Authentication.
How Plutora AD (SAML) Integration SSO works
If your company is set up for SSO, you will be directed to your company’s SSO page and back to Plutora when you log in.
Plutora supports the SAML 2.0 protocol and works with major SAML providers such as ADFS and Ping Federate.
See this industry-standard example of a SAML AuthNRequest here.
Logging into Plutora with SAML 2.0 Assertion SSO involves the following steps:
- A user (who is not logged into Plutora) makes a request to https://<>.plutora.com.
  The user might be following a bookmark, clicking on a page link in an email or allowing their browser to autocomplete the URL.
- Plutora.com redirects the user to their SAML Identity Provider.
  To redirect the user, Plutora.com:
  - Detects that the user lacks a session cookie and needs to authenticate.
  - Detects the user’s organization from their subdomain. For example, Home is the organization in http://home.plutora.com.
  - Sends a SAML Request and HTTP parameter (called RelayState and containing the user’s requested resource location, for example, a particular page in <>) to the Identity Provider over SAML Protocol.
- The user authenticates (logs in) using their Identity Provider:
  - The Identity Provider performs the authentication, giving the customer complete control over the authentication process.
  - A variety of popular techniques may be used, such as LDAP, a web access management system, Integrated Windows Authentication, or a two-factor system such as SecurID.
- Once authenticated, the Identity Provider sends a SAML assertion response back to plutora.com through the user’s browser.
- Plutora.com processes the SAML assertion and logs the user in.
The digital signature applied to the SAML Response verifies that the message is from the customer, at which point the user is authenticated. The user is granted a session cookie and redirected to their originally requested page.
What Plutora needs from the customer
SAML Request Assertion
An example SAML Request Assertion that will come from Plutora will look like this:
[PlutoraDomain]
SAML Response Assertion
The SAML Response Assertion should look like this:
[email address]
Additional Attributes
Customers should send their exact given name and surname as Attributes with the attribute names being ‘Given-name’ and ‘Surname’. These are not standard SAML attributes and will need to be added as custom attributes on the IdP system (see your IdP support documentation for how to address this).
The following attribute Names (case insensitive) can be used to set User Roles:
- UserRoles
- Roles
- UserGroups
- Groups
Plutora will attempt to match User Roles to the ones on file. If no match is found, new users will be given the SSO Requestor Role and existing users will keep the roles that they already have.
Example SAML Response
[issuer url]
aB9QdcKpwowV7/fwK+/iZDcOfh4enzccUSvBs0mFtcs=
AoiHDNAkcWGKh4aPPW+krGLXgFXQ7MH9OJ/cPbDhyS6RAHyGWn7XTZBNXgNSMu84ICjawQ6EqG93 IHxMlG2j45BGw26pju1gAn5F7v/ZWUCbAldsUnm06Nu5nMdJSb4GbnfiCpp44DJ8KQTwrFPrst6E mvHqAx+FZfLcSxPyFhp9UlVMX+aV8mZNr9emsE4OngPMXjAlgbCHC+r9dfxDLQ1N2JMmdTAVJLha 0hA0+dHcwt+jCbId+h2ahlbqXKztzfvfxMIZjAUxdJSMgWf7H1ExEqLx4J12olD1nSMlq5Hk2M7/ zpGz/RCeOFUeaF0SgfxBO1v3rlB7PMk41AYb6Q==
[issuer url]
[EmailAddress]
Plutora
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
[FirstName]
[Surname]