Skip to content
Plain Help Center home
Plain Help Center home

Single sign-on (SSO) and Directory sync (SCIM)

You can configure SSO and Directory sync from within Plain at Settings -> SSO.

We use our WorkOS to power our authentication, SSO and Directory sync functionality. You can read their documentation on how to integrate your specific authentication provider: https://workos.com/docs/integrations

SSO and Directory sync are only available to our Frontier plans

Single sign-on (SSO)

Single Sign-On (SSO) makes it easy and secure for your team to access Plain using the same identity provider (IdP) you use for the rest of your company tools such as Okta, Azure AD, Google Workspace, or OneLogin.

After verifying you own the domain (see below), you can configure SSO from the Settings -> SSO -> SSO configuration section.

Once SSO is enabled for your workspace, it will become the required authentication mechanism for all users in your workspace. If need to allow other authentication methods, please get in touch with us

Domain Verification

This is a security requirement. Some authentication providers do not enforce email verification, meaning a malicious individual could attempt to claim an email such as john@acme.com without actually owning that address.

You can prove ownership of your domain by going to Settings -> SSO -> Domain verification. This will redirect you to WorkOS where you will complete the verification process.

Directory sync (SCIM)

Directory sync automates how users are created, updated, and removed in Plain.

Instead of manually inviting teammates or disabling accounts when someone leaves your company, Plain syncs directly with your identity provider to keep access up to date automatically. You can map roles within your identity provider to roles within Plain for even easier onboarding.

You can configure Directory sync by going to Settings -> SSO -> Directory sync. This will take you to WorkOS where you will complete integration there.

Role assignment

If a user is provisioned via SSO or SCIM and no IdP or Directory sync role mapping applies, they will:

  • Be assigned the None role

  • Appear in the Others tab under Settings -> Members -> Other tab

  • Not incur additional seat charges

You can manually change their role at any time from within Plain (Settings -> Members) or the WorkOS admin dashboard (Settings -> SSO)

If a user provisioned via SSO or SCIM maps to multiple roles in Plain, we will always pick the most permissive one. For instance, if a user maps to Admin and Support, we will assign it the Admin role.

Powered by Plain