At Pleo, we work hard to ensure that all of our customers' accounts are secure. That’s why we use strong customer authentication (SCA) to protect your account. Learn more about SCA regulations according to EU legislation.
This article explains the three different ways to log into Pleo:
Pleo’s own security credentials: available to all Pleo customers
Single sign-on (SSO) with Google or Microsoft: available to all Pleo customers
SAML 2.0 SSO with Okta and Azure: available to customers on the Advanced plan
Good to know:
Please note that even if your organisation uses SSO or SAML SSO, every Pleo user will still need to:
Be invited to Pleo by an account admin.
Accept the invite to Pleo and set up their security credentials (explained in the first section of this article).
That said, user provisioning (where a colleague will automatically have access to Pleo once added via SAML), will be available soon.
When logging into Pleo's web app, you can click “Trust this browser” to skip entering the two-factor verification code on subsequent visits. Only trust a device or browser that you alone have access to: once it is trusted, Pleo no longer asks for the second factor there, so the protection of your account is only as strong as the controls on that device. The trust lasts one year in that device/browser. For customers using SAML, the “trust this browser” option will change in the near future. It will most likely be replaced entirely by the identity provider (e.g., Okta or Azure) deciding whether or not someone has to log in again.
If you have any questions about the below instructions, please reach out to your customer success manager.
Pleo’s own security credentials
When you accept your invite to Pleo, you’ll be prompted to set up/verify the following:
A 4-digit passcode for logging in (Pleo cannot show it to you later, so make a mental note so you remember your passcode).
A two-factor authentication method: either an SMS code sent to your mobile device or a code generated by an authenticator app (e.g., Google Authenticator or Authy).
The first time you log into a new device, you’ll be prompted to verify your login via an email link. Please note that you’ll need to open the email on the same device that you use to log into Pleo. For example, if you’re logging into Pleo on a new computer, you’ll need to open your work email on the same computer and web browser.
SSO with Google or Microsoft
Signing into Pleo with Google or Microsoft uses the same security credentials that you set up when creating your Pleo account (explained above). For example, if the phone number on your Google account differs from the one on your Pleo account, the two-factor SMS code is sent to the number registered with Pleo.
That said, the login flow differs in two ways:
You’ll click the “Continue with Google” or the “Continue with Microsoft” button instead of manually entering your email address on the login page.
You won’t have to enter your four-digit passcode. After selecting your Google or Microsoft account, you’ll be asked for your two-factor authentication code (sent via SMS or generated by your authenticator app).
SAML 2.0 SSO
SAML SSO allows Pleo customers with single and multi-entity businesses to easily manage access to Pleo for all employees while maintaining a high level of security. This security improvement allows employees to use their existing company credentials to log in to Pleo, rather than having to create and manage separate login information. Pleo currently supports Okta and Microsoft Azure. If you’re interested in SAML but use a different solution, please let us know!
To use SAML with Pleo, customers need:
Access to a supported identity provider (currently Okta and Azure)
An IT department that is familiar with setting up applications within their identity provider (IdP)
How to activate SAML for Pleo:
Let your customer success manager know that you’d like to use this functionality.
Your IT department will need to create a new application for Pleo in either Okta or Azure (explained below).
Once we receive the details from your application (listed below), the setup on Pleo’s side will take a maximum of 1-2 business days. Your customer success manager will notify you via email once everything is ready.
Employees will be able to access Pleo using their existing company credentials (after they have accepted the original invite from their Pleo admin).
How to create a new application for Pleo
This section elaborates on the second step in the above process (activating SAML for Pleo).
If your organisation uses Okta:
Create a new SAML 2.0 application for Pleo.
Configure the single sign-on URL (the URL Okta posts the SAML assertion to) as https://auth.pleo.io/saml/${PLEO_ID}/callback. Your customer success manager will provide you with your PLEO_ID.
Configure the NameId as EmailAddress, so that the assertion identifies each user by email address.
When done, click on “View SAML setup instructions”.
Please send the following to your Pleo customer success manager: the identity provider single sign-on URL, the identity provider issuer and the X.509 certificate (all shown on the Okta Admin Portal).
If your organisation uses Azure:
Create a new “Enterprise Application” for Pleo by creating a manual application.
Navigate to the “Single sign-on” page (found in the left navigation menu).
Configure the Identifier (Entity ID) as pleoio://${PLEO_ID}
Configure the Reply URL (the assertion consumer service URL) to https://auth.pleo.io/saml/${PLEO_ID}/callback
Configure the Sign on URL to https://auth.pleo.io/saml/${PLEO_ID}/login
Configure the NameId as EmailAddress.
Please send the following to your Pleo customer success manager: the Azure AD Identifier (Azure’s own Entity ID, not the pleoio:// identifier you configured above), the certificate and the Login URL (all shown on the Azure portal’s single sign-on page).
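As an added check, not part of the original article and not Pleo’s or the identity providers’ own code: both Okta and Azure let you download the application’s SAML IdP metadata XML once the application exists (an assumption of this example; the article itself only describes copying the values from the portal). The script below parses that file and extracts the same values the customer success manager asks for from either provider (issuer / Azure AD Identifier, single sign-on / Login URL, signing certificate), computes the certificate’s SHA-256 fingerprint so that both sides can confirm they hold the same certificate, and flags the mistakes that most often stall a SAML setup. The metadata document embedded in it is a constructed sample in the Okta shape with a placeholder certificate body, not a real export.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape Okta and Azure export (assumption: real
# exports carry the same elements). The X509Certificate body is a placeholder
# DER blob (a SEQUENCE containing INTEGER 1), not a real certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exk0000000example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/exk0000000example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def decode_certificate(b64_text: str) -> dict:
    """Validate the Base64 certificate body and return its DER SHA-256 fingerprint.

    Only a structural check is done (strict Base64, outer DER SEQUENCE tag);
    use `openssl x509 -noout -subject -enddate` on the PEM to read the expiry.
    """
    compact = "".join(b64_text.split())  # portals often wrap the body across lines
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid Base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("certificate body does not start with a DER SEQUENCE")
    return {"sha256": hashlib.sha256(der).hexdigest(), "base64": compact}


def extract_idp_values(metadata_xml: str) -> dict:
    """Pull issuer, SSO URL, signing certificates and NameID formats from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata has SPSSODescriptor instead: wrong file
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    # Prefer the HTTP-POST endpoint and fall back to HTTP-Redirect.
    endpoints = {svc.get("Binding"): svc.get("Location")
                 for svc in idp.findall("md:SingleSignOnService", NS)}
    sso_url = endpoints.get(POST_BINDING) or endpoints.get(REDIRECT_BINDING)
    if not sso_url:
        raise ValueError("no SingleSignOnService with a POST or Redirect binding")

    certificates = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certificates.append(decode_certificate(cert.text or ""))

    return {
        "issuer": root.get("entityID"),
        "sso_url": sso_url,
        "certificates": certificates,
        "nameid_formats": [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)],
    }


def check_for_pleo(values: dict) -> list:
    """Return the problems to fix before sending the values on (empty list = looks ready)."""
    problems = []
    if not values["issuer"]:
        problems.append("entityID (issuer) is missing")
    if not values["sso_url"].startswith("https://"):
        problems.append("SSO URL is not HTTPS")
    if not values["certificates"]:
        problems.append("no signing certificate in metadata")
    elif len(values["certificates"]) > 1:
        problems.append("several signing certificates: send the one the IdP currently signs with")
    if EMAIL_NAMEID not in values["nameid_formats"]:
        problems.append("metadata does not advertise the emailAddress NameID format; "
                        "check that the application's NameId is set to EmailAddress")
    return problems


if __name__ == "__main__":
    found = extract_idp_values(SAMPLE_IDP_METADATA)
    print("Issuer:      ", found["issuer"])
    print("SSO URL:     ", found["sso_url"])
    for c in found["certificates"]:
        print("Cert SHA-256:", c["sha256"])
    print("Problems:    ", check_for_pleo(found) or "none")
```

Run it against the downloaded metadata instead of the sample (for example, `extract_idp_values(open("metadata.xml").read())`) and paste the printed issuer, URL and fingerprint into the message to your customer success manager; the fingerprint lets Pleo confirm it imported the same certificate without anyone comparing a wall of Base64 by eye. The NameID check is a warning only: the format the IdP advertises in its metadata is not always the one configured on the application, so verify the application setting as well.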
Good to know:
While the current process relies on manual communication with Pleo, this functionality will soon be fully integrated into the Pleo product. This will allow the right users, those with access to their IdP, to set up SAML verification in the Pleo product themselves. User provisioning (coming soon) will further provide a more secure and seamless experience for inviting (and removing) users in your organisation’s Pleo account.