Set up SAML SSO with Okta, Microsoft Entra ID or a custom setup

Set up SAML Single Sign-On (SSO) so your team can sign in to Pleo through your company identity provider (e.g. Okta or Microsoft Entra ID). This improves login security and gives you centralised control over who can access Pleo.


Before you start, make sure you have admin access in Pleo and in your identity provider.

Why we recommend SAML SSO

SAML SSO is a best practice because it helps you:

  • Improve fraud protection and reduce account takeover risk by enforcing stronger security controls in your identity provider (for example MFA and risk-based access)
  • Centralise access management so you can quickly remove access when someone leaves the company or a device is compromised
  • Simplify onboarding and offboarding because users sign in with the same company login they already use for other tools

Set up SAML SSO in Pleo

  1. In Pleo, go to Settings
  2. Select Integrations
  3. Click SAML Single Sign-On
  4. Choose your identity provider (e.g., Okta or Microsoft Entra ID), or select Custom setup if you use another provider that supports SAML 2.0.
  5. Follow the on-screen steps to configure SAML in your identity provider and paste the required information into Pleo
    • You may need help from your IT team, since this step requires admin access in your identity provider
  6. Click Save configuration

Test safely and enable SSO for your organisation

  1. Go to Exclusions
  2. Add at least one Admin to exclusions (recommended) to avoid being locked out during rollout
  3. Test the setup
  4. When testing is successful, enable SAML SSO for the organisation


Good to know: If your account uses Multi Entity management, you can only connect one identity provider (IDP) per Multi Entity account.

What information is shared during SSO?

During SSO, your identity provider sends Pleo only the information needed to identify the user (e.g. email). Pleo never receives user passwords.
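To confirm during testing that your identity provider releases no more than this, you can audit a decoded test assertion against an allow-list. The script below is an added example, not Pleo's code: the sample assertion is constructed, and the attribute name `email` and the function name are assumptions, so use the attribute names shown in your own on-screen setup steps.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the service provider only needs an email address to identify the user.
ALLOWED_ATTRIBUTES = {"email"}

# Constructed, unsigned sample; not captured from Pleo or from any real identity provider.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.com/constructed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alex@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alex@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mobilePhone"><saml:AttributeValue>+4500000000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def audit_released_attributes(assertion_xml, allowed=ALLOWED_ATTRIBUTES):
    """Report what an assertion discloses and which attributes exceed the allow-list."""
    # Audit aid for your own test capture: no signature or condition checks happen here.
    root = ET.fromstring(assertion_xml)
    # The assertion may be the document root or nested inside a samlp:Response.
    is_root = root.tag == f"{{{NS['saml']}}}Assertion"
    assertion = root if is_root else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no unencrypted saml:Assertion found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    released = [a.get("Name") for a in
                assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    return {
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "released": sorted(released),
        "unexpected": sorted(n for n in released if n not in allowed),
    }

if __name__ == "__main__":
    report = audit_released_attributes(SAMPLE_ASSERTION)
    print("NameID:", report["name_id"])
    print("Released attributes:", report["released"])
    print("Not on allow-list, review in the IdP app config:", report["unexpected"])
```

Any name listed as unexpected is an attribute mapping to remove from the Pleo application in your identity provider before enabling SSO for the organisation.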


Good to know:

  • Only one identity provider per Multi Entity account: It’s not possible to connect multiple IDPs to the same Multi Entity account.
  • Active sessions aren’t interrupted: Enabling SAML SSO won’t log users out of active sessions. However, any new session will require logging in via SSO (if SSO is enabled for the organisation).
  • You can exclude specific users: It’s possible to allow certain users to keep logging in without SSO by adding them to the Exclusions list (recommended during rollout).
  • Bookkeepers can’t use SSO: Bookkeepers won’t be able to log in with SAML SSO and will need to use their passcode to log in.
  • Plan for a safe rollout (recommended): Test with a small group first (including at least one admin) before enabling it for everyone.
  • Security policies are enforced in your identity provider: Settings like MFA and Conditional Access are managed in Okta/Entra (not inside Pleo), so make sure they’re configured for the Pleo app.
  • If you accidentally get locked out of your account, reach out to your Customer Success Manager for assistance.

