🔓 Access level in Planday: Administrator
🌐 Subscription plan: Plus, Pro, Enterprise. If you’re on a Plus subscription plan, Planday support must enable this feature for you to configure. Sometimes, your onboarding manager will set it up during your initial setup.
⏱️ Reading time: 5 min.
✅ Required steps: How to create and edit employees ; How to invite employees to Planday
What is SSO?
What is SSO?
Single sign-on SSO lets users use one set of login details across multiple platforms. This saves time and makes logging in easier and allows system administrators to control access to online services.
Using single sign-on will let your employees log in faster and avoid the hassle of remembering another username and password. This feature adds flexibility to the Planday login process and reduces administrative tasks in the long run.
Follow the steps below to set up SSO in Planday and start using it with your identity provider.
Supported identity providers
Planday supports, but is not limited to, the following identity providers:
Google: Google SAML Setup
Auth0: Auth0 SAML Setup
Microsoft: Microsoft SAML Setup
You will need administrator access to your identity provider to access the necessary details and set up SSO in Planday. We recommend involving your IT department (if applicable) to assist with this setup.
Your identity provider should support Security Assertion Markup Language 2.0 (SAML 2.0).
The minimum level of security encryption supported is SAML Assertion Signing Algorithm: SHA-256.
You'll need to generate a SAML metadata file from your identity provider's configuration page.
The username (email) field in Planday is used to identify the employee in your company's identity provider.
Getting started
Go to your identity provider’s website to configure SSO and generate a SAML 2.0 metadata file. You can find setup guides for each of the Planday-supported identity providers on Planday's SSO configuration page or in the links provided above.
Configure your identity provider's SAML 2.0 metadata file for Planday SSO
Make sure your SAML 2.0 metadata file is aligned with Planday's SAML 2.0 SSO entity.
Download the Planday XML file with the necessary details from this link: Planday XML File.
Details from the XML file:
Entity ID: Planday
Reply URL: https://id.planday.com/Saml2/Acs
Ensure your identity provider supports the following Claim Types for SAML response in Planday SSO:
Email AddressURI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name IdentifierURI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
User Principal NameURI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Configure SSO in Planday
Click on the sections below to expand.
1. Set an authentication provider’s settings
1. Set an authentication provider’s settings
Navigate to Settings > Security > Single sign-on (SSO), select one of the supported identity providers, and click Configure.
Note: If you do not see the Single sign-on option in Planday, you need to have Planday support enable this feature for you. Please contact us so we can activate it for you.
Continue setting up by giving a title to identify this authentication provider configuration. This title will only be visible in the configuration menu for admins managing it.
Next, add a label to the button that will appear on the login screen of your Planday organisation (for example Sign in with Microsoft). On the right side, you will see a preview of the button.
Enabling Set as default for login will automatically assign this authentication provider for new employees when they are created in Planday.
Note: This setting will not apply for employees created through the bulk upload (excel template). You will have to set this for each employee in People > Employees > Edit employee.
2. Upload SAML metadata file
2. Upload SAML metadata file
To connect Planday with your identity provider, upload a SAML Identity Provider Metadata file or import it using a link.
3. Assign existing employees
3. Assign existing employees
Finally, choose the employees who should use the authentication provider to log in to Planday.
Click Save in the top right corner.
4. Create new employees and set authentication provider
4. Create new employees and set authentication provider
If the checkbox Set as default for login is not selected, you can choose how employees should log in when you create their accounts.
Go to People > Employees > Create employee > Create one employee. Fill out the employee form and specify the authentication provider.
Press (X) to remove the authentication if the employee should use a username and password to log into Planday. Remember to send an invite email so the employee can set their password in this case.
5. Change or update an employee’s login method
5. Change or update an employee’s login method
You can change an employee's authentication provider from the People > Employees page. Click on the employee and update the SSO Authentication provider field. If the employee should log in with a Planday username and password, select None. Remember to send an invite email so the employee can set their password in this case.
6. Log in to Planday with SSO
6. Log in to Planday with SSO
When the SSO configuration is completed and enabled, your employees will see a new button to log in through the identity provider on the login screen.
Employees assigned to use the identity provider authentication method can click on the new button (e.g. Sign in with Microsoft).
Employees that do not have an SSO assigned can continue to use the username/password method to login.
Note: Access to Planday depends on the session settings configured in your identity provider.
More info
What employees see when SSO is enabled
What employees see when SSO is enabled
When SSO is enabled, employees will see an additional login option to use SSO, along with their regular username and password, both on the browser and the Planday app.
How to deactivate employees while using SSO
How to deactivate employees while using SSO
When employees should no longer have access to Planday, make sure to deactivate them in both Planday and your company’s identity provider.
If you only deactivate them in the identity provider, they might still be able to access Planday for a few hours due to active sessions. See How to deactivate or reactivate an employee to learn more.
ℹ️ Need more help?
🔍 Search the Help Center | See videos at Tutorials.Planday.com | Watch a webinar
💬 For personalised support
Login and contact our support team via the blue icon at the bottom if you have more questions or book a one-to-one professional training session with an expert.