Single Sign-On (SSO) Setup
A guide for IT administrators configuring SSO for their organisation.
Overview
PlanSuite supports Single Sign-On so your staff can log in with their existing organisational identity, managed entirely by your identity provider (IdP). We support two industry-standard protocols:
- OpenID Connect (OIDC) — Recommended. Discovery-based, quick to configure, and the modern default for Microsoft Entra ID (Azure AD), Google Workspace and Okta.
- SAML 2.0 — Fully supported for organisations that standardise on SAML.
You choose the protocol. The sections below list exactly what to configure on your side and what to send us.
How it works
- You register PlanSuite as an application in your IdP.
- You send us the connection details listed below, along with the email domain(s) your staff sign in with.
- We configure your organisation's SSO provider in PlanSuite.
- We run a test sign-in with one of your accounts before enabling it for all staff.
- Staff whose email address matches your domain are then directed to your IdP to sign in.
We only ever read a user's email address, name and verified-email status. We do not request directory access, group membership, or any write permissions.
Option A — OpenID Connect (OIDC)
Recommended
1. Register PlanSuite in your IdP
Create a new application (an "App registration" in Microsoft Entra ID) and set the redirect URI to the PlanSuite callback for the environment you are connecting to:
Production
https://api.plansuite.com.au/api/auth/sso/callback/<your-org>
Replace <your-org> with the provider identifier we agree on for your organisation. We will confirm this value with you.
2. Send us these details
- Issuer / discovery URL — for Microsoft Entra ID this is
https://login.microsoftonline.com/<tenant-id>/v2.0 - Client ID — the Application (client) ID of the registration
- Client secret — a secret generated for the registration
- Email domain(s) — the domain(s) your staff sign in with (e.g.
yourcouncil.vic.gov.au)
3. Scopes we request
Only the standard openid, profile and email scopes. No admin consent for directory or write permissions is required.
Option B — SAML 2.0
1. Configure a SAML application in your IdP
Use the following Service Provider (SP) values for the production environment:
ACS / Reply URL (Assertion Consumer Service)
https://api.plansuite.com.au/api/auth/sso/saml2/callback/<your-org>
SP Entity ID / metadata
https://api.plansuite.com.au/api/auth/sso/saml2/sp/metadata?providerId=<your-org>
Name ID format
Email Address
2. Send us these details
- IdP federation metadata XML — or, alternatively, the sign-on URL (entry point) plus the signing certificate
- Email domain(s) — the domain(s) your staff sign in with
Environments
The URLs above are for production (api.plansuite.com.au). If we agree to trial SSO in a staging environment first, the same paths apply on the staging API host, which we will provide. The application path structure is identical across environments — only the host changes.
What to expect
- Once we have your details, configuration on our side typically takes one business day.
- We always complete a test sign-in with you before enabling SSO for all staff.
- Existing PlanSuite accounts on your domain are matched by email address, so users keep their history.
- You retain full control of access. Disabling a user in your IdP immediately prevents them signing in to PlanSuite.
Contact
To start an SSO setup or ask a question, please contact us:
PlanSuite Pty Ltd (ABN 57 691 312 795)
support@plansuite.com.au
www.plansuite.com.au