Skip to content
Plain Help Center home
Plain Help Center home

Single sign-on (SSO) and Directory sync

You can configure SSO and Directory sync from within Plain at Settings -> SSO.

We use our WorkOS to power our authentication, SSO and Directory sync functionality. You can read their documentation on how to integrate your specific authentication provider: https://workos.com/docs/integrations

SSO and Directory sync are only available to our Frontier plans

Single sign-on (SSO)

Single Sign-On (SSO) makes it easy and secure for your team to access Plain using the same identity provider (IdP) you use for the rest of your company tools such as Okta, Azure AD, Google Workspace, or OneLogin.2

After verifying you own the domain (see below), you can configure SSO from the Settings -> SSO -> SSO configuration section.

Unless you have Directory sync mapping users to specific roles within Plain, any newly created users from SSO will have a 'None' role and appear in the Others tab of your users list. This ensures you do not incur additional charges for the seat. You can upgrade their role by finding them in the Others list and changing their role from there.

Domain Verification

We require domain verification before enabling SSO. This is a security requirement because choice of your authentication may not enforce email verification so without domain verification a malicious individual could tell Plain they are john@acme.com without actually being the owner of the john@acme.com email address.

You can prove ownership of your domain by going to Settings -> SSO -> Domain verification. This will take you to WorkOS where you will complete the verification there.

Directory sync

Also commonly known as System for Cross-domain Identity Management (SCIM)

Directory sync automates how users are created, updated, and removed in Plain. Instead of manually inviting teammates or disabling accounts when someone leaves your company, Plain syncs directly with your identity provider to keep access up to date automatically. You can map roles within your identity provider to roles within Plain for even easier onboarding.

You can prove ownership of your domain by going to Settings -> SSO -> Directory sync. This will take you to WorkOS where you will complete integration there.

Powered by Plain