Skip to main content
Plan: Plane One, Plane Pro
Plane One enables custom SSO via any identity provider with an official and supported implementation of SAML standards. This page cites examples from Okta, but we will soon publish provider-specific instructions in phases.

SAML

You will need to configure values on your IdP first and then on Plane later.
domain.tld is the domain that you have hosted your Plane app on.

On your preferred IdP

Create a Plane client or application per your IdP’s documentation and configure ↓.
ConfigValue
Entity ID

Metadata that identifies Plane as an authorized service on your IdP		http(s)://domain.tld/auth/saml/
ACS URL

Assertion Consumer service that your IdP will redirect to after successful authentication by a user

This is roughly the counterpart of the Callback URL in SAML set-ups.		http(s)://domain.tld/auth/saml/callback/

Plane supports HTTP-POST bindings.
SLS URL

Single Logout Service that your IdP will recognize to end a Plane session when a user logs out

This is roughly the counterpart of the Logout URL in SAML set-ups.		http(s)://domain.tld/auth/saml/logout/
When setting these values up on the IdP, it’s important to remember Plane does not need to provide a signing certificate like other service providers.

Let your IdP identify your users on Plane.

ConfigValue
Name ID formatemailAddress

By default, your IdP should send back a username, but Plane recognizes email addresses as the username. Set the value to the above so Plane recognizes the user correctly.

Set additional attribute values.

By default, your IdP will send the value listed under Property. You have to map it to the SAML attribute Plane recognizes.
Default property valuePlane SAML attribute
user.firstNamefirst_name
user.lastNamelast_name
user.emailemail
Depending on your IdP, you will have to find both the Name ID format and the three other user identification properties on different screens. Please refer to your IdP’s documentation when configuring these up on your IdP. Additionally, you may have to configure the IdP to sign assertions. Irrespective of that, you have to copy the signing certificate from the IdP.

On Plane

SAML Configuration
You will find all of the values for the fields below in the /metadata endpoint your IdP generates for the Plane app or client.
  • Copy the ENTITY_ID for the Plane client or app you just created over from your IdP and paste it in the field for it.
  • Copy the SSO URL for the Plane client or app from your IdP and paste it in the field for it. This will bring up the IdP’s authentication screen for your users.
    SSO URL
  • Copy the SLS URL for the Plane client or app from your IdP and paste it in the Logout URL field on Plane’s /god-mode/authentication/saml/.
  • Add the name of the IdP that you want to show on your Plane instance’s log-in or sign-up screens.
    Log-in Screen
  • Finally, paste the signing certificate from your IdP that you got in the last step of setting up your Plane client or app on your IdP above and paste it in the field for it.