Skip to main content

SSO Integration: A Custom SAML Provider

We can integrate with any SAML provider. This article lists the required settings and parameters.

Written by Michael Wallace

Scenario

You want to connect a SAML 2.0 identity provider that doesn’t have a pre-set integration in PlusPlus — for example, OneLogin (if you prefer fine-grained configuration over the dedicated OneLogin Identity toggle), Microsoft Entra ID, Ping Identity, ADFS, or Auth0.

Solution

A custom SAML setup has two halves: configuring the IdP and configuring PlusPlus.

Configure your IdP

Use these parameters when creating the PlusPlus application in your IdP:

Parameter

Value

Service Provider Entity ID / Audience

https://www.plusplus.co

ACS URL

https://<your-plusplus-domain>/auth/complete/saml/

Recipient

https://<your-plusplus-domain>/auth/complete/saml/

RelayState

plusplus_saml

Signature Algorithm

RSA-SHA256 (with SHA-256 digest)

NameID format

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

RequestedAuthnContext Comparison

exact

RequestedAuthnContext AuthnContextClassRef

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Signing method

Signed responses/messages (not assertions)

Replace <your-plusplus-domain> with your tenant URL (e.g., acme.plusplus.app).

Configure PlusPlus

  1. Go to System Settings > Security. In the Single Sign On (SSO) section, enable Custom SAML Login Provider.

  2. In the SAML Settings panel, fill in Core SAML Settings using values from your IdP:

  • Issuer URL

  • SAML endpoint

  • X.509 certificate

  1. Then configure Custom SAML Settings (attribute mapping and button styling):

  • Email field — the SAML attribute containing the user’s email

  • First name field — the attribute containing the first name

  • Last name field — the attribute containing the last name

  • Picture field (optional) — the attribute containing the profile picture URL

  • Authentication context classes — a comma-separated list matching the AuthnContextClassRef values your IdP returns

  • Authentication context comparison — dropdown; typically Exact to match the IdP-side RequestedAuthnContext Comparison value

  • Login button label (optional) — e.g., “Login to PlusPlus”

  • Login button color (optional) — e.g., red or #23B688

Once saved, the configured SSO button appears on the PlusPlus login page. Changes to SAML settings take effect immediately; no service restart is required.

Go deeper

Just-in-Time (JIT) account creation

When an authenticated user signs in for the first time and doesn’t yet have a PlusPlus account, an account is created automatically using the email, name, and optional picture attributes from the SAML assertion. To populate the remaining user record fields (job title, manager, department, custom attributes, group membership), pair Custom SAML with a People Integration method.

MFA

PlusPlus does not implement MFA itself. MFA is enforced at your IdP during the SAML authentication flow. Whatever policy your IdP applies — always-on, conditional, step-up — carries through to PlusPlus.

Certificate rotation

When your IdP rotates its SAML signing certificate, update the X.509 certificate in PlusPlus’s Core SAML Settings to match. Until you do, new sign-in attempts will fail signature validation.

Login flow

PlusPlus uses SP-initiated SAML. When a user clicks the SSO button on the PlusPlus login page, PlusPlus sends an AuthnRequest to your IdP that includes the ACS URL; the IdP authenticates the user and posts the SAML response back to that URL.

IdP-initiated login from your IdP’s app launcher (clicking the PlusPlus tile on an Okta or OneLogin dashboard, for example) is not supported. PlusPlus rejects unsolicited SAML responses that weren’t preceded by an AuthnRequest it issued. To get a launcher tile to work, configure it in your IdP as a plain bookmark to the PlusPlus login URL — the user clicks the tile, lands on PlusPlus, and clicks the SSO button to start the SP-initiated flow.

Multiple providers

Custom SAML can run alongside any other configured providers (Google Login, Microsoft Graph Login, LinkedIn Login, Okta SSO, OneLogin Identity). The login page presents all enabled providers as separate buttons; users choose the one that matches their account.

Single Logout (SLO)

PlusPlus does not implement SAML Single Logout. When a user signs out of PlusPlus, the session is terminated locally; no LogoutRequest is sent to your IdP, so the user remains signed in to the IdP and to any other applications they accessed via SSO. PlusPlus also does not expose a SingleLogoutService endpoint, so IdP-initiated logouts will not terminate the PlusPlus session. If global sign-out is required, users need to log out of the IdP separately, or your IdP session policy must be short enough that this is not a concern in practice.

Session lifetime and re-authentication

PlusPlus session duration is configured per tenant, with options of 1 hour, 1 day (default), 1 week, 1 month, or 1 year. The timer is absolute — it begins at sign-in and is not extended by activity, and there is no separate idle timeout. There is no “remember me” option; all authenticated sessions use the same configured duration.

PlusPlus does not honor the SessionNotOnOrAfter attribute from the SAML assertion. The PlusPlus session duration is governed entirely by the per-tenant setting, regardless of what your IdP specifies. When the session expires, the user is redirected to the PlusPlus login page and must click the SSO button to re-authenticate; if their IdP session is still active, the round-trip is typically seamless.

Related Articles
People Integration: SCIM
SSO Integration: Okta
People Integration: Custom Integration
PlusPlus 101: Connect your HRIS & identity provider with People Integration
PlusPlus 101: SSO Integration
Did this answer your question?