Planhat supports SSO via SAML 2.0, the standard used by most leading SSO applications, including ADFS, Azure AD and Okta.
How to Access Single Sign-On
In the bottom left-hand corner of the Planhat application, click on your avatar. From the menu that appears to the right, select "Integrations", then select "Single Sign-On".
How to Set Up Single Sign-On
To set up Single Sign-On, follow the instructions below.
- Create a new SAML 2.0 app integration in your SSO tool. (If you are using ADFS, see below)
- When you're asked for the SSO URL, assertion URL or callback URL enter: https://api.planhat.com/samlassert/[Company name].
- When asked for audience URL or SP entity id enter: https://api.planhat.com/samlmetadata/[Company name].
- Create an attribute nameID which will contain the user's email.
- Access the Single Sign-On application in Planhat by following the instructions above. Then submit the Issuer, the Entry Point and the identity provider's public PEM-encoded X.509 signing certificate.
The image below shows the Single Sign-On page in Planhat where you need to enter these details.
Single Sign-On Setup via Active Directory Federation Services (ADFS)
Those using Windows Server will need to create a Relying Party Trust. To create a Relying Party Trust you need to do the following in your ADFS admin panel.
- Click "Add new relying party trust".
- Choose "Enter data about relying party manually".
- Choose "ADFS profile".
- Choose "Enable support for SAML 2.0" and enter: https://api.planhat.com/samlassert/[Company name]
- Add https://api.planhat.com/samlmetadata/[Company name] as relying party trust.
- Create an attribute nameID which will contain the user's email.
- Submit the issuer (your_org), the entry point (https://[adfs_subdomain].[your_org_domain]/adfs/ls/) and the public certificate on this page.
Important things you should know about Single Sign-On
- If the SSO integration is active (turned on), other sign in methods won't work.
- Planhat SSO expects that users have already been created in Planhat. It will not automatically create new users.
- Users or groups have to be assigned to the SAML application on the identity provider's side to be able to use SSO.
- If a person signs into Planhat via SSO and then logs out from Planhat, they will not be automatically logged out from their identity provider.
- We only support one SSO per tenant.
- The Planhat token for SSO is valid for 1 day.