Planhat supports SSO via the SAML 2.0 standard, the standard used by most leading SSO applications including ADFS, Azure AD and OKTA.
How to Setup Single Sign-On
To setup Single Sign-On please follow the instructions below.
- Create a new SAML 2.0 app integration in your SSO tool. (If you are using ADFS, see below)
- When you're asked for the SSO URL, assertion URL or callback URL enter: https://api-(cluster i.e. us2).planhat.com/samlassert/[Company name].
- When asked for audience URL or SP entity id enter: https://api-(cluster i.e. us2).planhat.com/samlmetadata/[Company name].
- Create an attribute nameID which will contain the user's email.
- Access the Single Sign-On application in Planhat by following the instructions above. Then Submit the Issuer, Entry Point and the identity provider's public PEM-encoded X.509 signing certificate details.
How to Access Single Sign-On
In the bottom left hand corner of the Planhat application click on your avatar, from the menu that will appear to the left, select "Security".
The image below is displaying the Single Sign-On page in Planhat where you need to enter these details.
Single Sign-On Setup via Active Directory Federation Services (ADFS)
Those using Windows Server will need to create a Relying Party Trust. To create a Relying Party Trust you need to do the following in your ADFS admin panel.
- Click "Add new relying party trust".
- Choose "Enter data about relying party manually".
- Choose "ADFS profile".
- Choose "Enable support for SAML 2.0" and enter: https://api.planhat.com/samlassert/[Company name]
- Add https://api.planhat.com/samlmetadata/[Company name] as relying party trust.
- Create attribute nameID which will contain user email.
- Submit issuer (your_org), entry point (https://[adfs_subdomain],[your_org_domain]/adfs/ls/) and public certificate on this page.
📌 Important to note: create a "User access URL" so your users don't have to login again. If you don't want your users to have to login every day then we recommend you provide a "User Access URL", which is a URL to your AD that will automatically log them into Planhat, this way, if a session expires we can redirect them to this URL and their session will automatically be renewed.
Important things you should know about Single Sign-On
- If the SSO integration is active (turned on), other sign in methods won't work.
- Planhat SSO expects that users have already been created in Planhat. It will not automatically create new users.
- Users or groups have to be assigned to the SAML application on the identity provider's side to be able to use SSO.
- If a person signs into Planhat via SSO, then logs out from Planhat they will not be automatically logged out from their identity provider.
- We only support one SSO per tenant.
- On the "Security" page in Planhat you will see a field called "Session length (days) *". The value that you enter into that field determines how long your SSO token is valid for. As soon as the session length ends you will be logged out of Planhat.
- Once set-up, you should see Planhat in your SSO "app library" and it should already be working, all your users need to do is open this page and click the Planhat icon to get logged in. By default sessions will last 1 days after which the user needs to re-login.