Who should read this: Workspace administrators and account owners who manage authentication
for their organization.
Prerequisites: Admin or Account Owner role. An active identity provider (Okta, Azure AD, or
Google Workspace) with admin access to create SAML applications. SSO must be enabled for your
workspace (contact support if the SSO option is not visible).
Why Use SSO
Single Sign-On provides several benefits for aviation operations:
- Centralized access control — onboard and offboard crew members through your existing identity provider.
- Stronger security — enforce your organization’s password policies, MFA requirements, and conditional access rules at the IdP level.
- Reduced credential fatigue — pilots and dispatchers use one set of credentials for all tools, reducing the risk of weak or reused passwords.
- Compliance alignment — centralized authentication supports the access control requirements implicit in 14 CFR Part 5 safety data protection.
Before You Begin
Gather the following information from PlaneConnection before configuring your identity provider:
- Navigate to Settings > Security > Single Sign-On in your workspace.
- Copy the following values displayed on the SSO configuration page:
| Field | Description |
|---|---|
| ACS URL | Assertion Consumer Service URL where your IdP sends responses. |
| Entity ID | The Service Provider entity ID (also called Audience URI). |
| Sign-In URL | The URL your IdP redirects users to for SP-initiated login. |
Configure Your Identity Provider
- Okta
- Azure AD (Entra ID)
- Google Workspace
In the Okta Admin Console, go to Applications > Applications and click Create App Integration. Select SAML 2.0 and click Next.
Enter a display name (e.g., “PlaneConnection”) and optionally upload the PlaneConnection logo. Click Next.
After creating the application, navigate to the Sign On tab. Under SAML Signing Certificates, click Actions > View IdP metadata and copy the metadata URL.
Complete SSO Setup in PlaneConnection
Click Test SSO Connection. A new window opens and attempts to authenticate through your identity provider. If the test succeeds, you see a confirmation message with the authenticated user’s details.
Verify User Provisioning
After enabling SSO, users who sign in through your identity provider for the first time are automatically provisioned in PlaneConnection. Verify the following:
- The user appears on the Settings > Members page.
- Their email address matches the one from your identity provider.
- Their role defaults to Staff — assign the correct operational role (pilot, safety manager, dispatcher, etc.) after they sign in.
Troubleshooting SSO
SSO test fails with 'Invalid SAML response'
Verify that the ACS URL and Entity ID in your identity provider exactly match the values shown in
PlaneConnection. Trailing slashes and case differences cause validation failures.
Users see 'Account not found' after SSO sign-in
The email address from your identity provider must match the email address in PlaneConnection.
Check that the Name ID attribute is set to the user’s email address in your IdP configuration.
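The two troubleshooting checks above (exact ACS URL and Entity ID match, and an email-valued Name ID) can be run against a captured, base64-decoded SAML response from your IdP. The Python script below is an added example, not PlaneConnection code; the `sp.example.test` URLs and the sample response are constructed placeholders, and it compares fields only without verifying the response signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://sp.example.test/saml/acs/"><saml:Assertion>
 <saml:Subject><saml:NameID>jdoe</saml:NameID><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://SP.example.test/saml/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""  # constructed sample: placeholder URLs, unsigned

def explain_mismatch(label, expected, actual):
    """Return None on an exact match, else a message naming the difference."""
    if actual is None:
        return f"{label}: missing from the response"
    if actual == expected:
        return None
    if actual.rstrip("/") == expected.rstrip("/"):
        return f"{label}: trailing slash differs"
    if actual.lower() == expected.lower():
        return f"{label}: case differs"
    return f"{label}: different value ({actual!r})"

def check_response(xml_text, acs_url, entity_id):
    """Field comparison only; this does NOT verify the XML signature."""
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    aud = root.find(".//saml:Audience", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    checks = [
        ("Destination", acs_url, root.get("Destination")),
        ("Recipient", acs_url, None if scd is None else scd.get("Recipient")),
        ("Audience", entity_id, None if aud is None else aud.text),
    ]
    findings = [m for m in (explain_mismatch(*c) for c in checks) if m]
    email = "" if name_id is None else (name_id.text or "")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        findings.append(f"NameID: not an email address ({email!r})")
    return findings

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE, "https://sp.example.test/saml/acs",
                                   "https://sp.example.test/saml/metadata")))
```

Pass the ACS URL and Entity ID exactly as copied from the SSO configuration page; an empty result means the compared fields match and the Name ID looks like an email address.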
SSO works but users cannot access any modules
New SSO users are provisioned with the Staff role by default. Navigate to Settings > Members
and assign the correct role. See Manage Users and Roles.
Need to bypass SSO for emergency access
If SSO is set to required and your identity provider is down, admins can sign in at
https://app.planeconnection.com/sign-in?bypass_sso=true using their email and password (if they previously set one).
This bypass is only available for users with the Admin or Account Owner role.
Related
Manage Security Settings
Configure 2FA, passkeys, and session policies alongside SSO.
Manage Users and Roles
Assign roles to SSO-provisioned users.
User Roles Reference
All 24 platform roles and their capabilities.
Permissions Matrix
Full feature-by-role permissions breakdown.