Start using Single Sign-On (SSO) to allow your employees to log in to Planday with your company's identity provider. Single Sign-On is a system that allows users to use a single set of login credentials in more than one place. This frees up time and reduces hassle in the long run, as your employees will be able to log in faster and know more about how their information is used.
Complete the SSO configuration in Planday by following the steps below, and start getting the most out of using Planday together with your identity provider.
Supported identity providers
Your identity provider should support Security Assertion Markup Language 2.0 (SAML 2.0) and you will need to be able to generate a SAML metadata file from your identity provider's configuration page. The username (email) field in Planday is used to identify the employee in your company's identity provider.
Planday supports, but is not limited to, the following identity providers:
- Google: https://support.google.com/a/answer/6087519
- Auth0: https://auth0.com/docs/protocols/saml/saml2webapp-tutorial
- Microsoft: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications
Start by navigating to your identity provider's website, configure SSO there, and generate a SAML 2.0 metadata file. Links to help articles on SSO configuration for each of the Planday supported identity providers are available on Planday's SSO configuration page and in the list of setup guides above.
Configure your identity provider's SAML 2.0 metadata file for Planday SSO.
Before you generate your SAML 2.0 metadata file, please be sure that it’s aligned with Planday's SAML 2.0 SSO entity.
Download the Planday XML file with the details about Planday's SAML 2.0 SSO entity to see what is needed for proper SAML 2.0 authentication with your identity provider. You can download the Planday.XML file from this link: https://id.planday.com/Saml2.
Please be aware that your identity provider also needs to be set up to support the expected Claim Types for SAML response in Planday SSO listed below:
- Email Address, URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Name Identifier, URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- User Principal Name, URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
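One way to check, before assigning employees, that a test assertion from your identity provider carries the claim types listed above. This is an added example, not Planday's code: the sample assertion is constructed, `claim_report` is a hypothetical helper, and counting the Subject NameID as the Name Identifier claim is an assumption.

```python
import xml.etree.ElementTree as ET  # for XML you did not produce yourself, prefer defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EXPECTED = {
    "Email Address": BASE + "emailaddress",
    "Name Identifier": BASE + "nameidentifier",
    "User Principal Name": BASE + "upn",
}

# Constructed sample: a trimmed, unsigned assertion as an IdP test tool might display it.
# The upn attribute is present but empty, a common mapping mistake.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>anna@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>anna@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue> </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def claim_report(assertion_xml):
    """Map each expected claim label to its first non-empty value, or None if absent."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        texts = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        non_empty = [t for t in texts if t]
        if non_empty:  # an attribute with only blank values counts as missing
            values.setdefault(attr.get("Name"), non_empty[0])
    # Assumption: the Subject NameID is how the IdP conveys the nameidentifier claim.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        values.setdefault(EXPECTED["Name Identifier"], name_id.text.strip())
    return {label: values.get(uri) for label, uri in EXPECTED.items()}


if __name__ == "__main__":
    for label, value in claim_report(SAMPLE).items():
        print(f"{label:20} {'MISSING' if value is None else value}")
```

A claim reported as MISSING points to an attribute mapping to fix in the identity provider; the email value should match the employee's username (email) in Planday.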
Configure SSO in Planday
1) Authentication provider settings
Navigate to Settings > Security > Single Sign-On (SSO), select one of the supported identity providers, and click Configure.
Continue the configuration by adding a title to identify this configured authentication provider. The title is only visible in this configuration menu for admins who want to manage it.
Next, add a label to the button that will be displayed on the login screen of your Planday portal (e.g. Sign in with Microsoft). On the right side, you’ll see a button preview.
By enabling "Set as default for login", new employees will automatically be assigned to use the authentication provider for login when they are created in Planday.
NOTE: This will not apply to employees created through the bulk upload (Excel template). You will have to set this for each employee in People > Employees > Edit employee.
2) Upload SAML metadata file
To configure Planday to connect with your identity provider you'll need to upload a SAML Identity Provider Metadata file or import the file by using a link.
You can use the link on the right side to "Learn more about how to generate the metadata file".
3) Assign existing employees
Finally, select and assign the employees that should log in to Planday with the authentication provider.
Click Save in the top right corner.
4) Create new employees and set authentication provider
If the checkbox Set as default for login is not marked, you can specify how employees should log in from the Create employee form.
Navigate to People > Employees > Create employee, fill out the fields, and specify the authentication provider. You can choose "None" if the employee should use their username and password to log into Planday. Remember to send an invite email, so the employee can set their password.
5) Change employee login
You can also change the authentication provider for an employee from the People > Employee section. Click on the user and update the SSO Authentication provider field. If the employee should log in with a Planday username and password, simply select "None". Remember to send an invite email, so the employee can set their password if needed.
6) Log in to Planday with SSO
When the SSO configuration is completed, you will see a new button to log in through the identity provider on the login screen. Employees assigned to use the identity provider authentication method will have to click on the new button (e.g. Sign in with Microsoft). In this case, whether they used the right login button or attempted to log in with their Planday username and password, the employee will be redirected to your identity provider for authentication. When the employee is logged in, they will be brought back to Planday.
Please be aware that access to Planday is based on the session configuration within your identity provider.
Log in on web
Login on mobile
7) Deactivate employees
When employees should no longer have access to Planday, you have to ensure they are being deactivated in Planday, as well as in your company’s identity provider. Deactivating employees only in the identity provider will potentially allow access to Planday for up to a few hours, due to the session management of webpages.
Once set up, the single sign-on authentication method will allow your employees to log in faster and reduce the hassle of having to remember yet another username and password. This addition to the Planday login will give you the flexibility to cater to each employee's wishes and, in the long run, will give one less admin issue to worry about.