SAML single sign-on and directory sync
Integrate with third-party identity providers.
SAML single sign-on (SSO)
To use SAML SSO, your team must be on the
Enterprise plan
Airplane supports SAML SSO, which allows you to manage your team members through a third-party
identity provider such as Okta, OneLogin or
Azure AD.
Configuring SAML SSO
To configure SAML SSO, go to the
SAML single sign-on section of the
members settings page, and click on the
Configure SAML SSO... button. This will take you through a series of instructions to get SAML SSO
set up with Airplane.
You need to be a team admin to configure this.
Using SAML SSO
Once SAML SSO is configured, users can sign in via SAML SSO by clicking on the
Continue with SSO
button in the main login page. Note that this requires that user
to already be a member of your Airplane team.SAML SSO also works with IdP-initiated SSO. Users can sign in to Airplane from e.g. their Okta
dashboard. IdP-initiated SSO will provision a user on your team if the user doesn't already exist,
without requiring an invite.
Recommendations
- You should also set up directory sync to keep users and groups in sync on your team.
- It is recommended to disable Google SSO and email link sign-in once SAML SSO is configured. Leave them on to test SAML, and turn them off once SAML is confirmed to be working.
- Need help setting up? Reach out to support@airplane.dev and we'll walk you through it.
Directory sync
To use directory sync, your team must be on the
Enterprise plan
Airplane supports directory sync, which helps teams manage organization membership from a
third-party identity provider like Okta. Once enabled, new users assigned access
to Airplane will be automatically provisioned on your team, and selected groups will be pushed to
Airplane and kept up to date.
Existing users and groups are only affected by directory sync once provisioned. In other words, an
existing user or group will remain a member of your team if not assigned by directory sync, but will
be removed from your team if they are assigned and then unassigned.
Configuring directory sync
To configure directory sync, go to the
Directory sync section of the
members settings page, and click on the
Configure Directory sync... button. This will take you through a series of instructions to get
directory sync set up with Airplane.
You need to be a team admin to configure this.
Recommendations
- Once directory sync has synced your groups with Airplane, use groups to manage permissions across tasks and runbooks. This ensures new users get access to the right things without any manual configuration.