Supported SSO Providers
LowerPlane supports SSO through the following providers:

| Provider | Protocol | Setup Complexity |
|---|---|---|
| Google Workspace | OAuth 2.0 / OpenID Connect | Low |
| Microsoft (Azure AD / Entra ID) | OAuth 2.0 / OpenID Connect | Low |
| Okta | SAML 2.0 | Medium |
| Custom SAML | SAML 2.0 | Medium |
Configuring Google SSO
Authorize
You will be redirected to Google to authorize LowerPlane as a connected application. Sign in with a Google Workspace admin account.
Configure domain restriction
Optionally restrict sign-in to specific email domains (e.g., @yourcompany.com). Accounts outside the listed domains, including personal Gmail accounts, are rejected even though Google authenticates them successfully, so list every domain your organization's accounts use.

Configuring Microsoft SSO
Authorize
You will be redirected to Microsoft to authorize LowerPlane. Sign in with an Azure AD / Entra ID admin account.
Configure tenant restriction
Restrict sign-in to accounts in your organization's Azure AD / Entra ID tenant, so that Microsoft accounts from other tenants cannot authenticate to LowerPlane.
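As an added illustration (not LowerPlane's code), the following Python shows where a domain or tenant restriction has to be enforced on the relying-party side: on the claims of an ID token whose signature has already been verified, not on the address the user typed into the login form. It covers both providers above in one block. The `hd` (Google hosted domain), `tid` (Entra tenant ID), `email_verified` and `preferred_username` claims and the issuer strings are the ones those providers actually emit; the sample claim payloads, domain names and tenant GUIDs are constructed for the example.

```python
"""Post-verification organization check for OIDC logins (added example, not
LowerPlane's code). `claims` is the payload of an ID token whose signature,
audience and expiry the OIDC library has already verified."""

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def check_google(claims, allowed_domains):
    """Enforce a Google Workspace domain restriction.

    Google sets the `hd` claim only for Workspace (hosted) accounts, so a
    personal gmail.com login carries no `hd` at all and is rejected here even
    though Google authenticated the user. The verified email is returned as
    the identity to match against the invited account."""
    allowed = {d.lstrip("@").lower() for d in allowed_domains}
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "not a Google-issued token"
    if not claims.get("email_verified"):
        return False, "email address not verified by Google"
    hosted_domain = (claims.get("hd") or "").lower()
    if hosted_domain not in allowed:
        return False, f"hosted domain {hosted_domain or '(none)'} is not allowed"
    return True, claims["email"].lower()


def check_microsoft(claims, allowed_tenant_id):
    """Enforce an Entra ID tenant restriction on a v2.0 ID token.

    A multi-tenant app registration accepts sign-ins from any tenant, so the
    relying party must pin the `tid` claim (and the issuer, which embeds the
    tenant ID) to its own tenant."""
    tenant = claims.get("tid")
    if tenant != allowed_tenant_id:
        return False, f"tenant {tenant!r} is not allowed"
    expected_issuer = f"https://login.microsoftonline.com/{allowed_tenant_id}/v2.0"
    if claims.get("iss") != expected_issuer:
        return False, f"issuer {claims.get('iss')!r} does not belong to the tenant"
    # preferred_username is the UPN in v2.0 tokens; `email` is an optional claim.
    identity = claims.get("email") or claims.get("preferred_username")
    if not identity:
        return False, "token carries no email or UPN"
    return True, identity.lower()


# Constructed sample payloads for the example; the tenant IDs are placeholder GUIDs.
EXAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"
OTHER_TENANT = "ffffffff-ffff-ffff-ffff-ffffffffffff"
WORKSPACE_USER = {"iss": "https://accounts.google.com", "email": "alice@yourcompany.com",
                  "email_verified": True, "hd": "yourcompany.com"}
GMAIL_USER = {"iss": "https://accounts.google.com", "email": "alice.personal@gmail.com",
              "email_verified": True}  # no hd claim: consumer account
TENANT_USER = {"iss": f"https://login.microsoftonline.com/{EXAMPLE_TENANT}/v2.0",
               "tid": EXAMPLE_TENANT, "preferred_username": "Bob@yourcompany.com"}
OTHER_TENANT_USER = {"iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0",
                     "tid": OTHER_TENANT, "preferred_username": "mallory@other.example"}

if __name__ == "__main__":
    for claims in (WORKSPACE_USER, GMAIL_USER):
        print(check_google(claims, ["@yourcompany.com"]))
    for claims in (TENANT_USER, OTHER_TENANT_USER):
        print(check_microsoft(claims, EXAMPLE_TENANT))
```

The point of both functions is the same: the provider will happily authenticate any Google or Microsoft account, and the restriction only exists if the relying party rejects tokens whose verified `hd` or `tid` claim is not its own.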
Configuring Okta SSO (SAML)
Create a SAML application in Okta
In your Okta admin console, create a new SAML 2.0 application for LowerPlane.
Enter LowerPlane's SAML settings
Configure the following in Okta:
- Single Sign-On URL: Provided on the LowerPlane SSO settings page
- Audience URI (SP Entity ID): Provided on the LowerPlane SSO settings page
- Name ID Format: Email address
Download Okta metadata
Download the SAML metadata XML file or copy the Identity Provider SSO URL, Entity ID, and X.509 certificate from Okta.
Enter Okta details in LowerPlane
In Settings > SSO, select Okta and enter the IdP SSO URL, Entity ID, and certificate.
Custom SAML Configuration
For identity providers not listed above, use the custom SAML option:

| LowerPlane Provides | You Provide |
|---|---|
| Assertion Consumer Service (ACS) URL | Identity Provider SSO URL |
| SP Entity ID | IdP Entity ID |
| SP Metadata XML (optional) | X.509 Signing Certificate |
| Name ID Format (email) | |
SAML responses must carry the user's email address as the Name ID (format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress). LowerPlane uses that email to match SSO logins to existing user accounts, so it must be the address the user was invited with.
SSO Enforcement
After configuring SSO, you can choose how strictly it is enforced:

| Mode | Description |
|---|---|
| Optional | Users can sign in via SSO or email/password. Useful during rollout. |
| Required | All users must sign in via SSO. Email/password login is disabled. |

Before switching to Required, confirm that at least one admin has completed an SSO sign-in successfully: once email/password login is disabled, an IdP misconfiguration locks everyone out, including the admins who would fix it.
SSO and User Provisioning
SSO handles authentication (verifying identity) but not provisioning (creating accounts). Users must still be invited to your LowerPlane organization before they can sign in via SSO. The typical workflow:

- Admin invites a user by email in Settings > Users.
- The user clicks the invitation link and creates their account.
- On subsequent visits, the user signs in via SSO.
Compliance Benefits
SSO configuration supports the authentication controls of several frameworks (it is one control among the others each framework expects, not a complete answer on its own):

| Framework | Controls |
|---|---|
| ISO 27001 | A.9.4.2 (Secure log-on procedures) |
| SOC 2 | CC6.1 (Logical access security) |
| HIPAA | 164.312(d) (Person or entity authentication) |
| GDPR | Article 32 (Appropriate technical measures) |
| PCI-DSS | 8.1 (Identify and authenticate access to system components) |
Troubleshooting
SSO login redirects to an error page
Verify that the ACS URL and Entity ID in your identity provider match the values shown in LowerPlane’s SSO settings. Even small differences (trailing slashes, HTTP vs HTTPS) will cause failures.
User gets 'account not found' after SSO login
The user must be invited to your LowerPlane organization before they can sign in via SSO. Send them an invitation from Settings > Users.
SAML assertion validation fails
Check that the X.509 certificate entered in LowerPlane is the one your IdP currently signs with and has not expired (rotating the IdP signing certificate without updating LowerPlane fails the same way), and that the Name ID format is set to email address. Also verify that your IdP's clock is synchronized (for example via NTP): SAML assertions carry a short validity window (NotBefore/NotOnOrAfter), so a drifted clock makes a freshly issued assertion look expired or not yet valid.
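The following Python, added here as an illustration and not LowerPlane's own code, shows the service-provider-side checks behind three of the failures in this section and the Name ID requirement under Custom SAML Configuration: exact string matching of Destination, Audience and Issuer against the ACS URL and Entity IDs (why a trailing slash or http vs https breaks login), the assertion's validity window with a bounded clock-skew allowance (why IdP clock drift matters), and the email Name ID format. The SP and IdP identifiers and the unsigned sample response are constructed for the example; XML-Signature verification against the IdP certificate is assumed to run before these checks and is not shown.

```python
"""Service-provider-side checks on a SAML 2.0 Response (added example, not
LowerPlane's code). Assumes the XML signature was already verified against
the IdP's X.509 certificate; these are the checks behind the ACS/Entity ID
mismatch, Name ID format and clock-drift failures."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Hypothetical identifiers, standing in for the values shown on an SSO settings page.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml"


def sample_response(name_id_format=EMAIL_FORMAT, destination=ACS_URL):
    """Constructed, unsigned response valid from 12:00 to 12:05 UTC on 2024-05-01."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{destination}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def clock(hour, minute):
    """UTC timestamp on the sample day, used as the SP's notion of 'now'."""
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


def parse_utc(ts):
    """SAML timestamps are UTC with a trailing Z; fractional seconds are dropped."""
    return datetime.strptime(ts.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(xml_text, now, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                   idp_entity_id=IDP_ENTITY_ID, skew=timedelta(minutes=3)):
    """Return the list of failure reasons; an empty list means the checks passed."""
    failures = []
    root = ET.fromstring(xml_text)
    # SAML identifiers are compared as exact strings: "https://x/acs/" is a
    # different value from "https://x/acs", and so is "http://x/acs".
    destination = root.get("Destination")
    if destination != acs_url:
        failures.append(f"Destination {destination!r} does not match ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failures + ["response carries no Assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        failures.append(f"Issuer {issuer!r} does not match IdP Entity ID {idp_entity_id!r}")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        failures.append(f"Audience {audiences!r} does not include SP Entity ID {sp_entity_id!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        # Validity window, widened by the allowed clock skew in each direction.
        # An IdP clock that is minutes off makes a freshly issued assertion fail here.
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_utc(not_before):
            failures.append(f"assertion not yet valid: NotBefore={not_before}, now={now.isoformat()}")
        if not_on_or_after and now - skew >= parse_utc(not_on_or_after):
            failures.append(f"assertion expired: NotOnOrAfter={not_on_or_after}, now={now.isoformat()}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        failures.append("Subject carries no NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        failures.append(f"NameID Format {name_id.get('Format')!r} is not the emailAddress format")
    elif "@" not in (name_id.text or ""):
        failures.append(f"NameID {name_id.text!r} is not an email address")
    return failures


if __name__ == "__main__":
    print(check_response(sample_response(), clock(12, 2)))                        # []
    print(check_response(sample_response(destination=ACS_URL + "/"), clock(12, 2)))
    print(check_response(sample_response(), clock(12, 30)))
```

The skew allowance is deliberately small (three minutes here): it absorbs ordinary NTP-level drift between the IdP and the SP without stretching the replay window, so if logins fail only at certain times or only from one IdP node, fix the clock rather than widening the allowance.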