Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Set-up SAML SSO with Okta, Microsoft Entra ID or a custom setup

            Set up SAML Single Sign-On (SSO) so your team can sign in to Pleo through your company identity provider (e.g. Okta or Microsoft Entra ID). This improves login security and gives you centralised control over who can access Pleo.


            Before you start, make sure you have admin access in Pleo and in your identity provider

            Why we recommend SAML SSO

            SAML SSO is a best practice because it helps you:

            • Improve fraud protection and reduce account takeover risk by enforcing stronger security controls in your identity provider (for example MFA and risk-based access)
            • Centralize access management so you can quickly remove access when someone leaves the company or a device is compromised
            • Simplify onboarding and offboarding because users sign in with the same company login they already use for other tools

            Set up SAML SSO in Pleo

            1. In Pleo, go to Settings
            2. Select Integrations
            3. Click SAML Single Sign-On
            4. Choose your identity provider (e.g., Okta or Microsoft Entra ID), or select Custom setup if you use another provider that supports SAML 2.0.
            5. Follow the on-screen steps to configure SAML in your identity provider and paste the required information into Pleo
              • You may need help from your IT team, since this step requires admin access in your identity provider
            6. Click Save configuration

            Enable SSO for your organisation and test safely

            1. Go to Exclusions
            2. Add yourself and/or at least one other admin to avoid being locked out during roll out
            3. Enable the SAML SSO configuration for the organisation
            4. Test the setup
              Important note: you need to test the SAML config with a different user than the one added to the SAML Exclusion list, since excluded users keep using email + passcode to login


            Good to know

            • When SAML configuration is enabled, users are required to authenticate using this method. If testing is unsuccessful, it may be worth temporarily disabling it again to avoid blocking users from accessing the system.
            • If your account uses Multi Entity management, you can only connect one identity provider (IDP) per Multi Entity account

            What information is shared during SSO?

            During SSO, your identity provider sends Pleo only the information needed to identify the user (e.g. email). Pleo never receives user passwords.


            Good to know:
            • Only one identity provider per Multi Entity account: It’s not possible to connect multiple IDPs to the same Multi Entity account.
            • Active sessions aren’t interrupted: Enabling SAML SSO won’t log users out of active sessions. However, any new session will require logging in via SSO (if SSO is enabled for the organisation).
            • You can exclude specific users: It’s possible to allow certain users to keep logging in without SSO by adding them to the Exclusions list (recommended during rollout).
            • Bookkeepers can’t use SSO: Bookkeepers won’t be able to log in with SAML SSO and will need to use their passcode to log in.
            • Plan for a safe rollout (recommended): Test with a small group first (including at least one admin) before enabling it for everyone.
            • Security policies are enforced in your identity provider: Settings like MFA and Conditional Access are managed in Okta/Entra (not inside Pleo), so make sure they’re configured for the Pleo app.
            • If you accidentally get locked out of your account, reach out to your Customer Success Manager for assistance.


            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0