You can connect your Single Sign-On provider with Planhat to run your authentication process, making access control easier and more secure.

We utilise the SAML 2.0 standard with the following providers:

  • Okta

  • Azure AD

  • GSuite

  • ADFS

  • Custom SSO

Across these, we support both Service Provider (SP) initiated flows (i.e., when you log in from Planhat's login page) and Identity Provider (IdP) initiated flows (i.e., when you log in from your internal SSO directory/app). A setting in the SSO set-up controls whether only the IdP-initiated flow is used or both.

How do I set it up?

First, a Planhat Admin (e.g., your CSM) must enable SSO for your account. Once that is done, you manage SSO via Settings > Security page > Log-in Method.

There are many similarities across the different providers, but because there are also slight differences, we suggest you visit one of the dedicated pages below to read how to set it up. What is common to all of them is that you need someone from your organisation with Admin Access in the SSO provider application.

  • Azure AD

  • ADFS

  • Okta (read instructions in-app at Settings > Security > Log-in method)

  • GSuite (read instructions in-app at Settings > Security > Log-in method)

  • Custom SSO (read instructions in-app at Settings > Security > Log-in method)

How does it work when set-up?

Users can now log in by authenticating through the SSO provider. You cannot (yet) create users via SSO, so each user who tries to log in must first be created as a user in Planhat.

Access management

  • If the SSO integration is active (turned on), other sign-in methods won't work (except for a specified set of users).

  • Users or groups have to be assigned to the SAML application on the identity provider's side to be able to use SSO.

  • We only support one SSO per tenant.
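
The access rules above can be checked before SSO is turned on by comparing who is assigned in the identity provider, who exists in Planhat, and who is exempt from SSO. The following is an added example, not Planhat's own code; the CSV layout, the function names and all addresses are constructed assumptions, not a Planhat or IdP export format.

```python
import csv
import io

# Constructed sample exports (hypothetical column name, not a Planhat or IdP format).
IDP_ASSIGNED = """email
alice@example.com
Bob@Example.com
carol@example.com
"""
PLANHAT_USERS = """email
alice@example.com
bob@example.com
dave@example.com
erin@example.com
"""
# Users allowed to keep another sign-in method while SSO is on (constructed).
EXEMPT = """email
erin@example.com
alice@example.com
"""

def load_emails(text):
    """Read the 'email' column and normalise case and whitespace."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower() for r in rows if r["email"].strip()}

def reconcile(idp_csv, planhat_csv, exempt_csv):
    idp, planhat, exempt = (load_emails(t) for t in (idp_csv, planhat_csv, exempt_csv))
    return {
        # Assigned in the IdP and present in Planhat: SSO login works.
        "sso_ok": sorted(idp & planhat),
        # Assigned in the IdP but no Planhat user: login fails, users are not created via SSO.
        "missing_in_planhat": sorted(idp - planhat),
        # Planhat user, not assigned in the IdP and not exempt: locked out once SSO is on.
        "locked_out": sorted(planhat - idp - exempt),
        # Exempt users keep a non-SSO login path: keep this list short and review it.
        "non_sso_access": sorted(exempt & planhat),
        # Exempt entries with no matching Planhat user: stale exceptions to remove.
        "stale_exemptions": sorted(exempt - planhat),
    }

if __name__ == "__main__":
    for bucket, emails in reconcile(IDP_ASSIGNED, PLANHAT_USERS, EXEMPT).items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

The "non_sso_access" bucket is the one to watch over time, because those accounts bypass the identity provider's controls.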

Logging in and Sessions

  • Once set up, you should see Planhat in your SSO "app library" and it should already be working - all your users need to do is open this page and click the Planhat icon to get logged in. By default, sessions will last 1 day, after which the user needs to log in again.

  • For SP-initiated login, there is a button on Planhat's main log-in page.

  • On the "Security" page in Planhat you will see a field called "Session length (days) *". The value that you enter into that field determines how long your SSO token is valid for. As soon as the session length ends you will be logged out of Planhat.

  • You can also choose to set a "Time-based log-out" if that is more convenient than the Session Length (which sometimes means users get logged out in the middle of the day).

  • If a person signs into Planhat via SSO and then logs out from Planhat, they will not be automatically logged out from their identity provider.
