Single sign-on

PLANA Business Cloud uses single sign-on so every user signs in once and gains access to PLANA, BOS, and any other PLANA service their account is authorised for. No separate password per tenant.

How sign-in works for you

When you go to https://<your-workspace>.planapulse.app/web/login, you see two buttons:

  • Sign in with PLANA — the recommended path
  • Sign in with username / password — the fallback path

Click Sign in with PLANA. You're redirected to auth.planapulse.com, where you sign in with your PLANA email, password, and TOTP code. You're then returned to PLANA Business Cloud as the right user.

The "username / password" path exists for legacy reasons — typically the initial admin account during tenant setup. Once your account is linked to PLANA SSO, you use the SSO path.

Why we run our own identity

Three reasons:

  1. One password to manage — your PLANA SSO password protects PLANA, BOS, and any other PLANA service. No per-tenant passwords.
  2. Centralised 2FA — enrol TOTP once at the SSO level; it covers everything.
  3. Compliance / audit — every sign-in event is recorded at the SSO layer; we can show you (or your auditor) exactly when each user signed in and from where.

The SSO is PLANA's own self-hosted identity provider — Authentik Community running on our cluster. It's not a third-party SaaS; your authentication data stays in our EU data centre.

Account linking

A PLANA SSO account is identified by email. When you first sign in via PLANA SSO, PLANA Business Cloud looks for a tenant user with the matching email and links it.

The matching is case-insensitive. If you have ceo@acme.bg in your PLANA SSO and CEO@acme.bg in the tenant, the two link correctly.

If no matching tenant user exists, sign-in fails with a clear error. The fix:

  1. The tenant admin creates a user in Settings → Users
  2. The tenant admin sets the email to match your SSO email exactly
  3. You sign in again — the link is established automatically on the first successful login
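
One way to implement the linking rule described above, as an added example that is not PLANA's own code. The `TenantUser` record, the `sso_subject` link field, and the refusal of ambiguous or conflicting matches are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


class LinkError(Exception):
    """Sign-in is refused; the tenant admin has to fix the user records."""


@dataclass
class TenantUser:  # hypothetical record, not PLANA's schema
    email: str
    sso_subject: Optional[str] = None  # assumed link field, set on first SSO login


def email_key(email: str) -> str:
    """Comparison key: surrounding whitespace dropped, case ignored."""
    return email.strip().casefold()


def link_on_login(users: List[TenantUser], sso_email: str, sso_subject: str) -> TenantUser:
    """Return the tenant user for this SSO login, linking it on first use."""
    matches = [u for u in users if email_key(u.email) == email_key(sso_email)]
    if not matches:
        raise LinkError(f"no tenant user with email {sso_email!r}")
    if len(matches) > 1:
        # Assumption: records that differ only by case are refused, not guessed at.
        raise LinkError(f"{len(matches)} tenant users match {sso_email!r}")
    user = matches[0]
    if user.sso_subject is None:
        user.sso_subject = sso_subject  # first successful login establishes the link
    elif user.sso_subject != sso_subject:
        # Assumption: an existing link is never silently re-pointed.
        raise LinkError(f"{user.email!r} is linked to another SSO account")
    return user


if __name__ == "__main__":
    # Constructed sample data using the addresses from the text above.
    tenant = [TenantUser("CEO@acme.bg"), TenantUser("ops@acme.bg")]
    print(link_on_login(tenant, "ceo@acme.bg", "sub-001"))
    try:
        link_on_login(tenant, "nobody@acme.bg", "sub-002")
    except LinkError as err:
        print("sign-in failed:", err)
```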

What if I have multiple PLANA accounts

A PLANA SSO account = one email. If you have a personal name@gmail.com and a work name@company.bg, those are two separate PLANA SSO accounts. They never link to the same tenant user.

Federation with Google

If you have Google Workspace (or a personal Google account), you can sign in to PLANA SSO with Google instead of a password:

  1. At auth.planapulse.com → Sign in with Google
  2. Sign in to Google with your account
  3. PLANA SSO checks: does this Google email match a PLANA account?
  4. If yes, you're signed in
  5. If no, the workspace admin can link your Google account by ensuring your tenant user record has the matching email

See Platform → Google federation for details.

Two-factor authentication

PLANA SSO enforces TOTP on every staff account. For tenant users:

When required, every user in the workspace enrols at next sign-in.

Password reset

Self-service via the Forgot password link at auth.planapulse.com. You receive a reset link via email.

If you've also lost access to your email, contact your workspace admin via Matrix — they can ask PLANA to verify your identity and help with recovery.

Sessions

A successful sign-in produces:

  • An OIDC id_token (short-lived — 15 minutes)
  • A refresh token (longer-lived — 30 days)
  • A PLANA Business Cloud session cookie

The Business Cloud session inherits the SSO TTL. If you're inactive for an extended period, you're prompted to re-authenticate.

To sign out from everywhere at once, go to https://auth.planapulse.com/if/user/#/profile → Sign out all sessions. All your PLANA services are signed out.

What admins control

The workspace admin / owner controls:

  • Who has a tenant user account
  • What role each user has within the tenant
  • Whether 2FA is required
  • Whether to require that all users sign in via SSO (vs. allow legacy password)

The SSO itself (TOTP enforcement at the IdP layer, email format validation, brute-force protection) is managed by PLANA.

Where to read more

© PLANA Digital Ltd.