SAML SSO
Plan: Plane One, Plane Pro
Plane One enables custom SSO through any identity provider (IdP) that offers an official, supported implementation of the SAML standard. This page uses Okta as the example; provider-specific instructions will be published in phases.
SAML
You will need to configure values on your IdP first, then on Plane. In the values below, domain.tld is the domain where your Plane app is hosted.
On your preferred IdP
Create a Plane client or application per your IdP's documentation and configure it as follows:
Config | Description | Value |
---|---|---|
Entity ID | Metadata that identifies Plane as an authorized service on your IdP. | http(s)://domain.tld/auth/oidc/ |
ACS URL | Assertion Consumer Service URL that your IdP redirects to after a user authenticates successfully. This is similar to the Callback URL in OIDC setups. Plane supports the HTTP-POST binding. | http(s)://domain.tld/auth/oidc/callback/ |
SLS URL | Single Logout Service URL that your IdP uses to end a Plane session when a user logs out. This is similar to the Logout URL in OIDC setups. | http(s)://domain.tld/auth/oidc/logout/ |
Unlike some other service providers, Plane does not need to supply its own signing certificate to the IdP when you set these values up.
Let your IdP identify your users on Plane
Config | Value |
---|---|
Name ID format | emailAddress |

By default, your IdP sends back a username, but Plane uses the email address as the username. Set the Name ID format to emailAddress so Plane identifies the user correctly.
Set additional attribute values
By default, your IdP sends the value listed under Default property value. You have to map each one to the SAML attribute Plane recognizes.
Default property value | Plane SAML attribute |
---|---|
user.firstName | first_name |
user.lastName | last_name |
user.email | |
Depending on your IdP, the Name ID format and the three other user identification properties may be configured on different screens. Refer to your IdP's documentation when configuring these. You may also need to configure the IdP to sign assertions. In either case, copy the signing certificate from the IdP; you will need it on Plane.
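The following is an added example, not code from Plane or from Okta, that shows what the Name ID format and attribute mapping above actually mean on the wire: it parses a SAML assertion and reports whether the NameID is in emailAddress format and whether the first_name and last_name attributes Plane expects are present. The two assertions are constructed samples; the IdP issuer and the user values are placeholders. Only the mapping is checked here, so a real service provider would verify the assertion's XML signature against the IdP's signing certificate before trusting any of these values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The Name ID format the page tells you to configure on the IdP.
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names Plane recognizes, taken from the mapping table above.
REQUIRED_ATTRS = ("first_name", "last_name")

# Constructed sample: NameID is an email address and both attributes are mapped.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_id-good" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/placeholder-issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of a misconfigured IdP: NameID is a plain username in the
# "unspecified" format, and the last name is sent under the IdP's default
# property name instead of being mapped to last_name.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_id-bad" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/placeholder-issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user.lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str) -> dict:
    """Return the NameID, the attribute map and a list of mapping problems."""
    root = ET.fromstring(xml_text)
    problems = []

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        name_id_value = None
        problems.append("no NameID in Subject")
    else:
        name_id_value = (name_id.text or "").strip()
        fmt = name_id.get("Format", "")
        if fmt != EMAIL_NAMEID:
            problems.append(f"NameID format is {fmt or 'unset'}, expected {EMAIL_NAMEID}")
        if "@" not in name_id_value:
            problems.append(f"NameID {name_id_value!r} is not an email address")

    # Collect every attribute the IdP sent, keyed by its SAML attribute Name.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values

    for name in REQUIRED_ATTRS:
        if name not in attrs:
            problems.append(f"attribute {name!r} missing; map it on the IdP")

    return {"name_id": name_id_value, "attributes": attrs, "problems": problems}


if __name__ == "__main__":
    for label, sample in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        result = check_assertion(sample)
        print(label, result["name_id"], result["problems"] or "ok")
```

Running the block prints no problems for the first assertion and three for the second: the wrong Name ID format, a NameID that is not an email address, and the unmapped last_name attribute (the value arrives as user.lastName, which Plane does not recognize).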
On Plane
You will find all of the values for the fields below in the /metadata endpoint your IdP generates for the Plane app or client.

- Copy the ENTITY_ID for the Plane client or app you just created from your IdP and paste it in the field for it.
- Copy the SSO URL for the Plane client or app from your IdP and paste it in the field for it. This is the URL that brings up the IdP's authentication screen for your users.
- Copy the SLS URL for the Plane client or app from your IdP and paste it in the Logout URL field on Plane's /god-mode/authentication/saml/ page.
- Add the name of the IdP that you want to show on your Plane instance's log-in and sign-up screens.
- Finally, paste the signing certificate you copied from your IdP in the last step of setting up your Plane client or app above into the field for it.