Why SSO
Single Sign-On lets employees access PlusPlus using their existing corporate credentials, without a separate password. Centralizing authentication at your identity provider (IdP) means MFA, conditional access, and session policies set at the IdP apply automatically; when an employee is disabled in the IdP, they lose access to PlusPlus on their next sign-in attempt; and your security and audit teams have one place to manage authentication.
PlusPlus does not store passwords for SSO-authenticated users.
How it works
PlusPlus supports three classes of SSO integration:
Native sign-in providers — Google Login, Microsoft Graph Login, and LinkedIn Login authenticate users directly against Google, Microsoft, or LinkedIn. No SAML configuration is required; enabling the toggle is the entire setup.
SAML 2.0 with a pre-set provider profile — Okta SSO and OneLogin Identity use SAML 2.0 against the named IdP. Setup requires three values from your IdP (Issuer URL, SAML endpoint, and X.509 signing certificate), entered in the Core SAML Settings section.
Custom SAML Login Provider — for any SAML 2.0 IdP that doesn’t have a pre-set profile (Microsoft Entra custom apps, Ping, ADFS, Auth0, etc.). In addition to the Core SAML Settings, this option exposes a Custom SAML Settings section for attribute mapping, authentication context, and login-button styling.
In all cases, on a user’s first successful sign-in PlusPlus creates the account automatically (Just-in-Time provisioning) using the email, name, and optional picture returned by the IdP.
SSO authenticates; People Integration enriches. The SAML assertion or OAuth claim only carries identity attributes — email, name, picture. Job title, manager, department, location, custom attributes, and group membership come from your People Integration. SSO and People Integration run independently; most customers configure both.
What’s IdP-controlled. Authentication, MFA, session lifetime, and conditional access policies live entirely on your IdP. PlusPlus accepts whatever assertion the IdP issues.
What’s PlusPlus-controlled. User roles, group memberships, and content access — driven by groups, user roles, and automated rules.
Choose your provider
Provider | Use when |
Google Login | You want to allow sign-in with Google Workspace or Gmail accounts |
Microsoft Graph Login | You want to allow sign-in with Microsoft 365 or Outlook accounts |
LinkedIn Login | You want to allow sign-in with LinkedIn accounts |
Okta SSO | You use Okta and want the pre-set SAML integration |
OneLogin Identity | You use OneLogin and want the pre-set SAML integration |
Custom SAML Login Provider | Any other SAML 2.0 IdP — Microsoft Entra custom apps, Ping, ADFS, Auth0, etc. — or when you need fine-grained control over attribute mapping or authentication context |
Multiple providers can be enabled simultaneously; each enabled provider appears as a separate sign-in option on the PlusPlus login page.
Set up
Each provider is configured at System Settings > Security, in the Single Sign On (SSO) section.
Native providers (Google Login, Microsoft Graph Login, LinkedIn Login): enable the toggle. No additional configuration is required.
OneLogin Identity: enable the toggle, then fill in Issuer URL, SAML endpoint, and X.509 certificate from your OneLogin app in the Core SAML Settings section below.
Okta SSO: install the PlusPlus app from the Okta Integration Network, assign it to your users or groups, then enable the toggle in PlusPlus and fill in Core SAML Settings. See SSO Integration: Okta.
Custom SAML Login Provider: configure both your IdP and PlusPlus with matching SAML parameters. See SSO Integration: A Custom SAML Provider.
For automated user provisioning and deprovisioning alongside SSO, also configure a People Integration method (Workday, SCIM, Custom Integration, or CSV over SFTP).
Operate
MFA. Enforce at the IdP. PlusPlus does not implement an MFA layer of its own.
Deactivation. When a user is disabled in the IdP, they lose access to PlusPlus on their next sign-in attempt. Full deprovisioning — PII anonymization, content cleanup, calendar reassignment — follows the timeline in the User Deprovisioning Guide.
Certificate rotation. When your IdP rotates its SAML signing certificate, update the X.509 certificate in PlusPlus’s Core SAML Settings to match. Applies to Okta SSO, OneLogin Identity, and Custom SAML Login Provider.
Login page review. When SSO requirements change (e.g., a partner contract ends), disable the corresponding provider so its button no longer appears on the login page.