Identity and Access Management
Identity and Access Management (IAM)
- 1: Overview
- 1.1: Organizations and Workspaces Explained
- 1.2: Viewing and Managing Workspaces
- 1.3: Managing Workspace Members
- 2: Managing Security Groups and Assignments
- 3: Member (User) Identity
- 4: Member Management
- 5: Member Authentication
- 6: Advanced Operations
- 6.1: Setting Up Auth0 SAML for Single Sign-On
- 6.2: Setting Up AWS IAM Identity Center SAML for Single Sign-On
- 6.3: Setting Up Google Workspace SAML for Single Sign-On
- 6.4: Setting Up Microsoft Entra ID SAML for Single Sign-On
- 6.5: Setting Up Okta SAML for Single Sign-On
- 6.6: Manage Organization Administrators
- 6.7: Managing Single Sign-On for Organization
- 6.8: Setting Member Expiration Period
1 - Overview
1.1 - Organizations and Workspaces Explained
Organizations are a collection of one or more workspaces. All data and projects exist within workspaces. Organizations only serve as a way to manage multiple workspaces.
Security and access controls are managed by each workspace to cater to the workspace's unique role within the organization. PlaidCloud’s workspaces aim to maximize collaboration and increase information access while restricting access to private or confidential information.
In PlaidCloud, Organizations serve as the foundation, while Workspaces are designed to help support unique needs. With PlaidCloud being a multi-tenant workspace service, it provides flexibility by eliminating the need to perform technical configurations of isolated workspace environments. PlaidCloud is designed to provide maximum collaboration and flexibility while ensuring that privacy and confidentiality are never compromised through complete isolation of people and data by workspace.
PlaidCloud’s Organizations makes managing small teams, large teams, and multinational organizations easy. It allows you to easily integrate authentication and member management into existing systems or, if you choose to, manually manage them. PlaidCloud’s multiple tiers of access control simultaneously minimizes management overhead and keeps data and activities compartmentalized.
While this may sound complex, we keep the process as simple as possible, so getting started and scaling up is not difficult.
PlaidCloud is broken down into the following levels of access control:
- Organization
- Workspaces
- Projects
Each progressive layer of control enables administrators to apply access controls and permissions for certain operations.
1.2 - Viewing and Managing Workspaces
Workspaces allow an Organization to operate as its own cloud-based service for small to large Organizations. For example, small teams may have a single workspace in their Organization, while large Organizations may have hundreds of specialized workspaces.
Workspaces manage access and visibility while providing isolated areas for an Organization’s members to operate. Workspace access is assigned to members in a private, multi-tenant environment for the Organization. With workspaces, teams can collaborate on open projects within some workspaces while maintaining strict confidentiality in other workspaces.
Since workspaces are fully isolated, data cannot be directly shared or accessed across workspaces. However, workspaces can access the same shared Document area, so that sharing of files between workspaces is possible if desired.
Viewing and Managing Workspaces
Viewing and managing workspaces within an Organization is simple. You must be an Organization owner to manage workspaces. To view and manage workspaces:
- Select “Organization Settings” from the menu in the upper right of the browser
- Click “Workspaces”
This will bring you to a table showing all the current workspaces within the Organization. From here you can create, update, suspend, and delete workspaces, add apps to workspaces, and manage member access to each workspace.
Creating a Workspace
- Select “Organization Settings” from the menu in the upper right of the browser
- Click “Workspaces”
- Click the “New Workspace” button
- Complete the required fields
- Click “Submit”
Updating a Workspace
- Select “Organization Settings” from the menu in the upper right of the browser
- Click “Workspaces”
- Click the edit icon of the desired workspace
- Adjust the fields as desired
- Click “Submit”
Suspending a Workspace
- Select “Organization Settings” from the menu in the upper right of the browser
- Click “Workspaces”
- Uncheck the “Active” checkbox of the desired workspace
- Click “Submit”
Deleting a Workspace
- Select “Organization Settings” from the menu in the upper right of the browser
- Click “Workspaces”
- Click the delete icon of the desired workspace
- Click “Delete” again
Managing Apps Available in Workspace
By default, new workspaces have three apps automatically added: Analyze, Document, and Identity. While Identity cannot be removed because it is essential to managing access and roles within a workspace, Analyze and Document can be removed. To manage which apps are available in a workspace, including custom apps:
- Select “Organization Settings” from the menu in the upper right of the browser
- Click “Workspaces”
- Click the apps icon for the workspace whose apps you want to modify
- To remove an app, click the delete icon for that app and confirm the deletion
- To add a new app, click the Add App to Workspace button, select the app you want to add, check the Enable for Use checkbox, and click the Create button
1.3 - Managing Workspace Members
While members may be associated with other workspaces within an Organization, each workspace has its own access restrictions. Members must be granted permission to view and access a workspace.
Adding Members
To add a member:
- Select “Organization Settings” from the menu in the upper right of the browser
- Click “Workspaces”
- Click the members icon
- Select the desired member and drag them to the appropriate column
- Click “Submit”
To send an invite:
- Select “Organization Settings” from the menu in the upper right of the browser
- Click “Workspaces”
- Click the invite icon
This process will send an email invitation to the member. The member then needs to click the link in the email and follow the directions to log in, or to create an account if they are new to PlaidCloud. After a successful login, the member will be added to the workspace.
Removing Members
To remove a member:
- Select “Organization Settings” from the menu in the upper right of the browser
- Click “Workspaces”
- Click the members icon
- Select the desired member and drag them to the appropriate column
- Click “Submit”
2 - Managing Security Groups and Assignments
PlaidCloud’s security and access management is straightforward. A member is granted or denied access based on the groups with which the member is associated. Adding or changing a member’s security association is easily customizable.
Managing Security Groups
Security groups can be added, updated, or deleted.
To manage security groups:
- Open Identity
- Select the “Security” tab
- Click “Security Groups” in the dropdown menu (this will display a form with existing groups)
- To add a group, click the “Create Security Group”
- To edit permissions of a group, click on the left-most icon
To manage group members:
- Open Identity
- Select the “Security” tab
- Click “Security Groups” in the dropdown menu
- Click the Member icon
- Drag desired members from the “Unassigned Members” column to the “Assigned Members” column or vice versa to remove members
Setting Default Security Groups
To reduce the time needed for adding new members, identify a set of default security groups. This provides a baseline set of security groups for new members without needing to manually assign each person. The setting is available when adding a new security group if you check the box at the bottom of the Security Group window that reads “Assign to New Users by Default”.
Performing a Security Audit
The security audit capability provides the ability to see group membership across all members and groups.
To perform a security audit:
- Open Identity
- Select the “Security” tab
- Click “Security Group Audit” in the dropdown menu
As all tables in PlaidCloud are exportable as a CSV file format, the group member associations are reviewable outside of PlaidCloud for either historical purposes or just some fun off-line viewing.
To export from the “Security Group Audit” form:
- Open Identity
- Select the “Security” Tab
- Click “Security Group Audit” in the dropdown menu
- Click the small icon to the far right of “Username” in the table
- Click “Export CSV” or “Export XLSX” depending on your preference
Viewing Available Permission Settings
Each application being used in the workspace has specific available permissions. The security group permissions are based on these application permissions.
The complete list of available permissions for each application is viewable from the Security Bin.
To access the Security Bin:
- Open Identity
- Select the “Security” tab
- Click “Security Bins” in the dropdown menu
To view the detailed security settings for each application, select the tags icon on the far left.
The Security Bin is informational only; permissions cannot be changed from it. For details on managing permissions, refer to the Managing Security Groups section above.
3 - Member (User) Identity
PlaidCloud makes authentication and role-based security easy to control from one centralized location: the “Identity” tab, located on the left side of the screen. Identity provides the foundation for member management, security, and different types of authentication processes.
Member management includes everything from viewing current members and adding new members to sending mass emails.
Security is a priority for PlaidCloud. The Security subset of the Identity tab allows you to perform security audits, set up security groups and default security groups for new members, and control the approved security level of each member.
Authentication is where security starts. PlaidCloud offers multiple authentication options to support most use cases:
- Password Only
- Two-Factor Authentication
- Single Sign-On
4 - Member Management
Identity provides the ability to add, remove, and/or suspend members of the workspace. Since PlaidCloud members can be members of multiple workspaces, removing a member from the workspace does not delete the member account from PlaidCloud.
New Members
Adding New Members
To add members:
- Open Identity
- Select the “Member” tab
- Click “All” in the dropdown menu to display members
- Click “Add Workspace Member”
- Complete all required fields on the member form
- Click the “Create” button
New Member Welcome Email
After adding a new member, a welcome email with sign-in credentials will be sent to their provided email address. The welcome email can be customized to provide additional information relevant to the new member’s PlaidCloud use.
To update or view the welcome email:
- Open Identity
- Select the “Member” tab
- Click “Email Welcome Message” from the dropdown menu
- Make any additions or changes desired
- Click the “Update” button
Viewing and Managing Member Sessions
To view the current member sessions:
- Open Identity
- Select the “Member” tab
- Click “Session Manager” in the dropdown menu
From this table, it’s possible to view session information (current sessions and last activity), as well as terminate sessions if desired.
To terminate a session:
- Highlight the member(s) you wish to logout
- Click the “End Selected Sessions” button in the upper left
Managing Distribution (Distro) Lists
Distribution lists (Distros) are simply email distribution lists managed within PlaidCloud. They provide an easy way to quickly send reports, files, and/or other information to groups. The Distribution list feature allows lists to be managed on a workspace-by-workspace basis. This eliminates the need to rely on external lists that may over- or under-cover the intended audience.
To manage lists:
- Open Identity
- Select the “Distro Lists” tab
- Click the “Create New Distro List” button to create a new list
- Complete all required fields of the Distro List form
- Click the “create” button
To manage workspace members for each list:
- Select the workspace icon (cloud) in the table
- To manage non-members, click on the globe icon.
5 - Member Authentication
The Identity tab houses the security and authentication features that PlaidCloud focuses on in order to ensure a secure member platform. PlaidCloud offers three options for authentication types. They are:
- Password Only
- Two-Factor Authentication
- Single Sign-On
The default authentication type is password only. However, two-factor authentication can also be activated. If a Single Sign-On SAML authentication provider is available, you can configure your PlaidCloud organization to use Single Sign-On.
If you choose to create a personal account, the default authentication type is password only. To change this to a two-factor authentication, reference the steps under the Two-Factor section.
Changing Passwords
For members using two-factor or password-only authentication, password changes are simple and can be performed under the “Member” menu (gravatar icon) in the upper right corner.
To change passwords:
- Select the icon (gravatar) in the upper right (the “Member” menu icon will be different for each user)
- Click “Change Password” in the dropdown menu
- Enter your current password where requested
- Enter your new password where requested
- Re-enter your new password (for confirmation)
- Click the “Update” button to save
Password Only Authentication
Password-only authentication is the simplest and least secure option, even with long cryptic passwords. This option may be ideal for those looking to maintain quick and convenient access without too much concern about security risks. Password-only authentication continues to be a common practice but we highly recommend using Two-Factor instead.
Two-Factor Authentication
Two-Factor, or multi-factor, authentication provides a substantial increase in security over password-only because it requires both something “you know” (the password) and something “you have” (the access key). In other words, the password alone will not enable access.
Passwords are susceptible to security threats because they represent a single piece of information that a malicious actor needs to gain access; two-factor provides additional security by requiring additional information to sign in. For this reason we strongly urge you to use two-factor for the safety of your account, not only on PlaidCloud, but on other websites that support it.
Enabling Two-Factor
To enable two-factor and set your authentication code preferences:
- Select the icon (gravatar) in the upper right
- Click “Manage Multi-Factor Authentication” in the dropdown menu
- Select your preferred type of two-factor authentication code delivery.
Types of Two-Factor Authentication
PlaidCloud has three options for receiving this additional information:
- Via smartphone app (e.g. Google Authenticator, Authy, Okta, FreeOTP, etc…)
- Via text message (or SMS)
- Via a YubiKey from Yubico <http://yubico.com>
Smartphone-based Authentication
To get your code via a smartphone app, you will need to download an authenticator app, such as Google Authenticator, for your iOS or Android device. Note that there are other compatible authenticator apps that can be used, but this article assumes you’re using the Google Authenticator app.
After downloading the app, open it and follow the in-app setup instructions.
Once you have the authenticator set up:
- Tap the “+” button
- Select “Scan barcode”
- Open “Manage Multi-Factor Authentication” under the gravatar icon on PlaidCloud
- Select “Configure Authenticator” on PlaidCloud
- When prompted, use your phone to scan the QR code displayed on PlaidCloud
- After scanning the QR code, your authenticator app should display a six-digit authentication code which changes every 30 seconds
- Enter this code into the text box at the bottom of the PlaidCloud “Configure SmartPhone Authentication” screen which should still be pulled up from the previous steps
- Select “Verify.”
- If the code is valid, Two-Factor will be enabled for your account and you will be shown a list of backup codes.
- Once enabled, you can select “Manage Multi-Factor Authentication” again to view your backup codes or to disable two-factor.
SMS-based Authentication
To use SMS-based Authentication:
- Open “Manage Multi-Factor Authentication” under the gravatar icon on PlaidCloud
- Select “Configure SMS” on PlaidCloud
- Enter your mobile phone number and carrier
- Click “Submit”
- You will then be sent a text message containing an authentication code
- Enter this code in the window that appears in PlaidCloud
- If the code is valid, two-factor will be enabled for your account and SMS will send you a different code to enter whenever you log in
- Once enabled, you can select “Manage Multi-Factor Authentication” again to update your contact information or to disable two-factor.
YubiKey Authentication
If using YubiKeys – hardware authentication devices manufactured by Yubico – members can register up to five YubiKeys for their account. PlaidCloud offers a managed pool of PlaidCloud YubiKeys that can be administered by the person responsible for your workspace access security, or members can choose to use any standard YubiKey.
To enable YubiKey authentication, you must first register at least one YubiKey.
To register a YubiKey:
- Select the icon (gravatar) in the upper right
- Click “Change Registered YubiKeys” in the dropdown menu
- Place the cursor in an open spot on the “My Registered YubiKeys” form
- Insert the YubiKey into your computer
- Press the YubiKey one-time password (OTP) button
- When the OTP is filled in, click the “Update” button in the form to save
After you register at least one YubiKey you can configure it to your account.
To configure a YubiKey:
- Select the gravatar icon
- Click “Manage Multi-Factor Authentication”
- Select “Configure YubiKey”
- Enter one of your YubiKey OTPs in the provided form.
If the OTP is valid, two-factor will be enabled for your account and you will need to enter a YubiKey OTP each time you log in.
PlaidCloud YubiKey Pool
The Managed YubiKey Pool provides an easy way to manage two-factor authentication for members of the workspace. The managed keys are branded with the PlaidCloud logo and can be shipped directly to members or in bulk to an administrator.
The managed pool provides advantages over individual Yubikeys in the following ways:
- Lost keys are easily replaced without the member needing to store recovery codes
- Assignment of keys is point and click. Members don’t have to register the key.
- View YubiKey assignments and revoke keys with a point and click interface
- Order and ship new keys directly to members
- Managed YubiKeys are fully compatible with other services that accept YubiKey OTPs
- YubiKeys can be reassigned to other members without compromising security as member turn-over occurs
To order new keys:
- Open Identity
- Select the “Security” tab
- Click “PlaidCloud Security Keys” in the dropdown menu
- Click the “Order More Keys” button in the form
If managed keys were ordered, they will appear in the managed keys table.
From the key assignment form, keys can be assigned, marked as unassigned, or marked as lost. In addition, each key can have a memo attached for keeping track of notes related to issuance of the key. To do this simply click the edit icon and make the desired adjustments.
Managed keys are a one-time cost. There are no additional on-going charges for their use. Managed Yubikeys are $30 each plus shipping.
What Recovery Codes Do
For security reasons, PlaidCloud Support cannot immediately restore access to accounts with two-factor authentication enabled if you lose your phone or YubiKey. Recovery codes let you still access your account after losing your phone or YubiKey, and then reconfigure two-factor from there.
After successfully setting up your two-factor authentication, you’ll be provided with a set of randomly generated recovery codes that you should view and save. We strongly recommend saving your recovery codes immediately. However, these codes can be downloaded at any point after enabling two-factor authentication. For more information, see Downloading your two-factor authentication recovery codes.
Lost YubiKey
You can provide an SMS number as part of your profile. If you lose access to both your registered set of YubiKeys and your recovery codes, a backup SMS number can get you back in to your account.
If the member is using a managed pool key and loses it, the workspace pool administrator can mark the key as lost and issue a new one. This reduces the risk of being locked out of an account or having to retain recovery codes.
To mark a key as lost:
- Open Identity
- Select “Security”
- Click “PlaidCloud Security Keys”
- Click the edit icon
- Select “Lost” under the Key Usage Information section
- Click “Update”
This will mark the key as lost and allow you to issue a new one.
Single Sign-On
Single Sign-On requires an external service to perform the actual authentication process, and PlaidCloud simply receives a positive or negative response. Use of Single Sign-On can reduce the administrative requirements for managing passwords across multiple applications and ensure good member management practices when employees leave or access restrictions are applied.
Single Sign-On is the easiest option for members to use. It is as secure as the authentication process the external party uses. Single Sign-On helps ensure passwords are up-to-date and synchronized with other services the member interacts with.
While Single Sign-On does require a more extensive authentication process behind the scenes, and usually requires technical coordination with IT and/or network security, it can be used by anyone, although it is typically used by larger companies and academic institutions.
For more information on setting up and managing Single Sign-On see the Organization and Workspace management area.
6 - Advanced Operations
6.1 - Setting Up Auth0 SAML for Single Sign-On
PlaidCloud supports Single Sign-On (SSO) via SAML 2.0. This guide walks through configuring Auth0 as a SAML identity provider so your organization's users can authenticate through Auth0 when accessing PlaidCloud.
Prerequisites
- An Auth0 tenant
- An Auth0 account with the Administrator role
- Contact with PlaidCloud support to coordinate the setup and exchange configuration values
Overview
The setup process involves two parties exchanging SAML metadata:
- You configure an application in Auth0 with the SAML2 Web App addon enabled and provide PlaidCloud with your Identity Provider Metadata URL.
- PlaidCloud provides you with the Service Provider (SP) Entity ID and ACS URL (Assertion Consumer Service URL) needed to complete your Auth0 application configuration.
Coordinate with PlaidCloud support to obtain the SP values before completing Step 3 below.
Step 1: Create an Application
- Sign in to the Auth0 Dashboard.
- In the left sidebar, navigate to Applications > Applications.
- Click Create Application.
- Enter a name for the application (e.g., PlaidCloud SSO).
- Select Regular Web Applications as the application type.
- Click Create.
Step 2: Enable the SAML2 Web App Addon
- On the application detail page, select the Addons tab.
- Click the SAML2 Web App addon to enable it.
- The addon settings panel will open. Leave it open — you will configure it in the next step.
Step 3: Configure SAML Settings
In the SAML2 Web App addon settings panel:
- In the Application Callback URL field, enter the ACS URL provided by PlaidCloud.
- In the Settings JSON editor, set the audience field to the SP Entity ID provided by PlaidCloud:

```json
{
  "audience": "your-sp-entity-id-from-plaidcloud",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}
```
- Click Enable (or Save) to apply the settings.
Step 4: Retrieve and Send the Identity Provider Metadata URL
Once the addon is enabled, locate the metadata URL and send it to PlaidCloud so the integration can be completed.
- In the SAML2 Web App addon settings panel, select the Usage tab.
- Copy the Identity Provider Metadata URL (formatted as https://{your-auth0-domain}/samlp/metadata/{client-id}).
Send this Metadata URL to PlaidCloud support. This is the Entity Descriptor URL that PlaidCloud needs to configure the trust relationship on the identity provider side. Once PlaidCloud receives this URL, the team will complete the Keycloak configuration and notify you when SSO is ready to test.
Step 5: Configure Attribute Mappings for Groups (Optional)
If your PlaidCloud configuration uses group-based security role assignments, you can pass group membership through the SAML assertion using Auth0 rules or actions.
Using Auth0 Actions
- In the left sidebar, navigate to Actions > Library.
- Click Build Custom and create a new action for the Login / Post Login trigger.
- Add logic to append group information to the SAML assertion. For example, if groups are stored as user metadata:

```javascript
// Post Login Action: copy the user's groups from app_metadata into the SAML assertion
exports.onExecutePostLogin = async (event, api) => {
  // Fall back to an empty list when the user has no groups recorded
  const groups = event.user.app_metadata?.groups || [];
  // Emit the list as a "groups" attribute in the SAML response sent to PlaidCloud
  api.samlResponse.setAttribute("groups", groups);
};
```
- Deploy the action and add it to the Login flow.
Step 6: Control User Access
Auth0 controls which users can authenticate based on the connections and rules attached to the application.
- On the application detail page, select the Connections tab.
- Enable the appropriate connections (e.g., your organization's database connection, Active Directory, or social connections) for this application.
- Disable any connections that should not have access to PlaidCloud.
To restrict access to specific users within a connection, use Auth0 Actions or Rules to allow or deny authentication based on user attributes or group membership.
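Steps 5 and 6 can be handled by a single Post Login Action that both passes group membership to PlaidCloud and denies sign-in for users outside an approved group. The block below is an added example, not Auth0's or PlaidCloud's code: the client ID placeholder, the `app_metadata.groups` field, and the `plaidcloud-users` group name are assumptions, and the decision logic is kept in a plain function so it can be tested outside Auth0.

```javascript
// Added example (not Auth0's or PlaidCloud's code): one Post Login Action for the
// PlaidCloud application that enforces group-based access and forwards groups.
const PLAIDCLOUD_CLIENT_ID = "YOUR-AUTH0-CLIENT-ID-PLACEHOLDER"; // placeholder, set to your app's client_id
const REQUIRED_GROUP = "plaidcloud-users";                       // assumed group name in app_metadata.groups

// Pure decision logic: returns whether this Action applies to the login at all,
// whether to allow it, the reason for a denial, and the groups to forward.
function evaluateLogin(user, clientId) {
  if (clientId !== PLAIDCLOUD_CLIENT_ID) return { applies: false };
  const meta = user.app_metadata || {};
  const groups = Array.isArray(meta.groups) ? meta.groups : [];
  if (!user.email_verified) {
    return { applies: true, allow: false, reason: "email address not verified", groups };
  }
  if (!groups.includes(REQUIRED_GROUP)) {
    return { applies: true, allow: false, reason: "user is not in the required group", groups };
  }
  return { applies: true, allow: true, groups };
}

// Auth0 entry point: api.access.deny stops the login; api.samlResponse.setAttribute
// adds the "groups" attribute to the assertion PlaidCloud receives.
async function onExecutePostLogin(event, api) {
  const decision = evaluateLogin(event.user, event.client.client_id);
  if (!decision.applies) return; // other applications in the tenant are unaffected
  if (!decision.allow) {
    api.access.deny(`Access to PlaidCloud denied: ${decision.reason}`);
    return;
  }
  api.samlResponse.setAttribute("groups", decision.groups);
}
exports.onExecutePostLogin = onExecutePostLogin;
```

Deploy the Action and add it to the Login flow as in Step 5; because the decision is keyed on `event.client.client_id`, the same Action can stay in the flow for every application in the tenant without affecting the others.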
Testing the Integration
After PlaidCloud confirms the configuration is complete:
- Navigate to your organization's PlaidCloud Workspace (e.g., https://my-workspace.plaid.cloud).
- You will be redirected to the Auth0 sign-in page (or your configured connection's login).
- Sign in with your Auth0 credentials.
- Upon successful authentication, you will be redirected back to PlaidCloud.
If you encounter errors, verify that:
- The Application Callback URL and audience match exactly what PlaidCloud provided
- The SAML2 Web App addon is enabled on the application
- The nameIdentifierFormat is set to the email address format
- The Metadata URL you sent to PlaidCloud is accessible
- The user's connection is enabled on the application
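Most of the checklist above can be run mechanically against what was entered in Step 3. The block below is an added example, not PlaidCloud's or Auth0's code: it compares the addon state, the Application Callback URL, and the parsed Settings JSON against the SP values from PlaidCloud (constructed placeholders here) and reports each mismatch, calling out the case where the URLs differ only by case or a trailing slash, which fails the "match exactly" requirement but is easy to miss by eye.

```javascript
// Added example (not PlaidCloud's or Auth0's code): check the SAML2 Web App addon
// settings against the SP values PlaidCloud support provides.
const EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
const EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

// Constructed placeholders standing in for the values PlaidCloud support sends you.
const fromPlaidCloud = {
  spEntityId: "your-sp-entity-id-from-plaidcloud",
  acsUrl: "https://ACS-URL-FROM-PLAIDCLOUD.example/saml/acs",
};

// `addon` mirrors what you entered in Auth0: the addon toggle, the Application
// Callback URL field, and the parsed Settings JSON. Returns a list of findings;
// an empty list means every checklist item passed.
function checkAddonConfig(addon, sp) {
  const findings = [];
  const s = addon.settings || {};
  if (!addon.enabled) findings.push("SAML2 Web App addon is not enabled on the application");
  if (addon.callbackUrl !== sp.acsUrl) {
    // Near-misses (case, trailing slash) are a common cause of a "looks right" failure.
    const loose = (u) => String(u || "").replace(/\/+$/, "").toLowerCase();
    findings.push(loose(addon.callbackUrl) === loose(sp.acsUrl)
      ? "Application Callback URL differs from the ACS URL only by case or trailing slash; it must match exactly"
      : "Application Callback URL does not match the ACS URL");
  }
  if (s.audience !== sp.spEntityId) findings.push("audience does not match the SP Entity ID");
  if (s.nameIdentifierFormat !== EMAIL_NAMEID_FORMAT) findings.push("nameIdentifierFormat is not the emailAddress format");
  if (!Array.isArray(s.nameIdentifierProbes) || !s.nameIdentifierProbes.includes(EMAIL_CLAIM)) {
    findings.push("nameIdentifierProbes does not include the email address claim");
  }
  if (!s.mappings || s.mappings.email !== EMAIL_CLAIM) findings.push("mappings.email is not the email address claim URI");
  return findings;
}

// Constructed sample: the Step 3 settings, but with a stray trailing slash on the callback URL.
const sampleAddon = {
  enabled: true,
  callbackUrl: fromPlaidCloud.acsUrl + "/",
  settings: {
    audience: fromPlaidCloud.spEntityId,
    mappings: { email: EMAIL_CLAIM },
    nameIdentifierFormat: EMAIL_NAMEID_FORMAT,
    nameIdentifierProbes: [EMAIL_CLAIM],
  },
};
console.log(checkAddonConfig(sampleAddon, fromPlaidCloud));
```

The remaining checklist items (that the Metadata URL is reachable and that the user's connection is enabled) depend on live Auth0 state and are confirmed in the Dashboard rather than from the settings alone.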
6.2 - Setting Up AWS IAM Identity Center SAML for Single Sign-On
PlaidCloud supports Single Sign-On (SSO) via SAML 2.0. This guide walks through configuring AWS IAM Identity Center (formerly AWS SSO) as a SAML identity provider so your organization's users can authenticate through AWS when accessing PlaidCloud.
Prerequisites
- An AWS account with IAM Identity Center enabled
- An IAM user or role with the AWSSSOMasterAccountAdministrator managed policy or equivalent permissions
- IAM Identity Center must be configured with an identity source (the built-in directory, Active Directory, or an external IdP)
- Contact with PlaidCloud support to coordinate the setup and exchange configuration values
Overview
The setup process involves two parties exchanging SAML metadata:
- You configure a custom SAML application in IAM Identity Center and provide PlaidCloud with your SAML Metadata URL.
- PlaidCloud provides you with the Service Provider (SP) Entity ID and ACS URL (Assertion Consumer Service URL) needed to complete your application configuration.
Coordinate with PlaidCloud support to obtain the SP values before completing Step 3 below.
Step 1: Create a Custom SAML Application
- Sign in to the AWS Management Console and navigate to IAM Identity Center.
- In the left sidebar, select Applications.
- Click Add application.
- Select I have an application I want to set up and choose Custom SAML 2.0 application.
- Click Next.
- Enter a Display name for the application (e.g., PlaidCloud SSO) and optionally a description.
Step 2: Retrieve the IAM Identity Center SAML Metadata URL
Before configuring the service provider details, locate your IAM Identity Center metadata URL to send to PlaidCloud.
- On the application configuration page, scroll to the IAM Identity Center metadata section.
- Copy the IAM Identity Center SAML metadata URL (formatted as https://portal.sso.{region}.amazonaws.com/saml/metadata/{instanceId}).
Send this Metadata URL to PlaidCloud support. This is the Entity Descriptor URL that PlaidCloud needs to configure the trust relationship on the identity provider side. Once PlaidCloud receives this URL, the team will complete the Keycloak configuration and notify you when SSO is ready to test.
Step 3: Configure Service Provider Details
- Scroll to the Application properties section.
- In the Application ACS URL field, enter the ACS URL provided by PlaidCloud.
- In the Application SAML audience field, enter the SP Entity ID provided by PlaidCloud.
- Click Submit.
Step 4: Configure Attribute Mappings
IAM Identity Center passes user attributes to PlaidCloud in the SAML assertion. Configure attribute mappings so PlaidCloud receives the necessary user details.
- On the application detail page, select the Attribute mappings tab.
- Click Add new attribute mapping and add the following:
| User attribute in the application | Maps to this string value or user attribute in IAM Identity Center | Format |
|---|---|---|
| Subject | ${user:email} | emailAddress |
| email | ${user:email} | unspecified |
| firstName | ${user:givenName} | unspecified |
| lastName | ${user:familyName} | unspecified |
- Click Save changes.
Group Membership (Optional)
IAM Identity Center does not natively pass group membership as a SAML attribute in the same way as other providers. If your PlaidCloud configuration requires group-based security role assignments, discuss the available options with PlaidCloud support. Common approaches include using the built-in directory with group assignments or syncing groups from an external identity source such as Active Directory.
Step 5: Assign Users and Groups to the Application
Only users and groups assigned to the application will be able to authenticate through this SSO configuration.
- On the application detail page, select the Assign users and groups tab.
- Click Assign users and groups.
- Search for and select the users or groups that should have SSO access to PlaidCloud.
- Click Assign users.
Testing the Integration
After PlaidCloud confirms the configuration is complete:
- Navigate to your organization's PlaidCloud Workspace (e.g., https://my-workspace.plaid.cloud).
- You will be redirected to the AWS IAM Identity Center sign-in page.
- Sign in with your AWS IAM Identity Center credentials.
- Upon successful authentication, you will be redirected back to PlaidCloud.
If you encounter errors, verify that:
- The ACS URL and SP Entity ID match exactly what PlaidCloud provided
- The user attempting to log in is assigned to the application in IAM Identity Center
- The Subject attribute is mapped to ${user:email} with the emailAddress format
- The Metadata URL you sent to PlaidCloud is accessible from PlaidCloud's servers
6.3 - Setting Up Google Workspace SAML for Single Sign-On
PlaidCloud supports Single Sign-On (SSO) via SAML 2.0. This guide walks through configuring Google Workspace as a SAML identity provider so your organization's users can authenticate through Google when accessing PlaidCloud.
Prerequisites
- A Google Workspace account (Business Starter or higher)
- A Google Workspace account with the Super Admin role
- Contact with PlaidCloud support to coordinate the setup and exchange configuration values
Overview
The setup process involves two parties exchanging SAML metadata:
- You configure a custom SAML app in Google Workspace and provide PlaidCloud with your IdP Metadata URL.
- PlaidCloud provides you with the Service Provider (SP) Entity ID and ACS URL (Assertion Consumer Service URL) needed to complete your Google Workspace configuration.
Coordinate with PlaidCloud support to obtain the SP values before completing Step 3 below.
Step 1: Create a Custom SAML App
- Sign in to the Google Admin console as a Super Admin.
- Navigate to Apps > Web and mobile apps.
- Click Add app > Add custom SAML app.
- Enter a name for the app (e.g., PlaidCloud SSO) and optionally add a description and icon.
- Click Continue.
Step 2: Retrieve the IdP Metadata URL
On the Google Identity Provider details screen, Google displays the identity provider information needed by PlaidCloud.
- Copy the SSO URL and Entity ID and download the Certificate, or
- Click Copy next to the IDP metadata URL (formatted as https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX).
Send this IdP Metadata URL to PlaidCloud support. This is the Entity Descriptor URL that PlaidCloud needs to configure the trust relationship on the identity provider side. Once PlaidCloud receives this URL, the team will complete the Keycloak configuration and notify you when SSO is ready to test.
- Click Continue to proceed to the Service Provider configuration.
Step 3: Configure Service Provider Details
- In the ACS URL field, enter the ACS URL provided by PlaidCloud.
- In the Entity ID field, enter the SP Entity ID provided by PlaidCloud.
- Leave Start URL blank unless PlaidCloud support instructs otherwise.
- Set Name ID format to EMAIL.
- Set Name ID to Basic Information > Primary email.
- Click Continue.
Step 4: Configure Attribute Mapping
Google Workspace passes user attributes to PlaidCloud in the SAML assertion. At minimum, map the user's email address. If your PlaidCloud configuration uses group-based security role assignments, also map group membership.
Basic Attribute Mapping
Add the following attribute mappings on the Attribute mapping screen:
| Google Directory attribute | App attribute |
|---|---|
| Primary email | email |
| First name | firstName |
| Last name | lastName |
Click Add mapping to add each row.
Group Membership (Optional)
If you want PlaidCloud to automatically assign users to security groups based on their Google group membership:
- Click Add mapping.
- Under Google Directory attributes, select Group membership and choose the relevant Google Groups.
- Set the App attribute name to groups (confirm the expected name with PlaidCloud support).
Click Finish.
Step 5: Enable the App for Users
By default, a new SAML app is disabled for all users. Enable it for the appropriate organizational units or groups.
- On the app detail page, click User access.
- Select the organizational unit or groups that should have SSO access to PlaidCloud.
- Set the service status to ON.
- Click Save.
Testing the Integration
After PlaidCloud confirms the configuration is complete:
- Navigate to your organization's PlaidCloud Workspace (e.g., https://my-workspace.plaid.cloud).
- You will be redirected to the Google sign-in page.
- Sign in with your Google Workspace credentials.
- Upon successful authentication, you will be redirected back to PlaidCloud.
If you encounter errors, verify that:
- The SP Entity ID and ACS URL match exactly what PlaidCloud provided
- The user attempting to log in belongs to an organizational unit or group with the app enabled
- The Name ID format is set to EMAIL and mapped to Primary email
- The IdP Metadata URL you sent to PlaidCloud is accessible
6.4 - Setting Up Microsoft Entra ID SAML for Single Sign-On
PlaidCloud supports Single Sign-On (SSO) via SAML 2.0. This guide walks through configuring Microsoft Entra ID (formerly Azure Active Directory) as a SAML identity provider so your organization's users can authenticate through Entra when accessing PlaidCloud.
Prerequisites
- An active Microsoft Entra ID (Azure AD) tenant
- An account with one of the following Entra roles: Global Administrator, Cloud Application Administrator, or Application Administrator
- Contact with PlaidCloud support to coordinate the setup and exchange configuration values
Overview
The setup process involves two parties exchanging SAML metadata:
- You configure an Enterprise Application in Entra ID and provide PlaidCloud with your App Federation Metadata URL.
- PlaidCloud provides you with the Service Provider (SP) Entity ID and Reply URL (Assertion Consumer Service URL) needed to complete your Entra configuration.
Coordinate with PlaidCloud support to obtain the SP values before completing Step 3 below.
Step 1: Create an Enterprise Application
- Sign in to the Azure portal and navigate to Microsoft Entra ID.
- In the left sidebar, select Enterprise Applications.
- Click + New application.
- Click + Create your own application.
- Enter a name for the application (e.g., PlaidCloud SSO).
- Select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create.
Step 2: Enable SAML-Based Single Sign-On
- After the application is created, select Single sign-on from the left sidebar under Manage.
- On the "Select a single sign-on method" screen, click SAML.
Step 3: Configure Basic SAML Settings
- In the Basic SAML Configuration section, click Edit.
- In the Identifier (Entity ID) field, enter the SP Entity ID provided by PlaidCloud.
- In the Reply URL (Assertion Consumer Service URL) field, enter the ACS URL provided by PlaidCloud.
- Click Save.
Step 4: Configure Attributes and Claims
By default, Entra will pass the user's email address and name in the SAML assertion. If your PlaidCloud configuration uses security group assignments from SSO, you should also include group claims.
Add Group Claims
- In the Attributes & Claims section, click Edit.
- Click + Add a group claim.
- Choose Groups assigned to the application (recommended to limit token size).
- Under Source attribute, select an appropriate value:
  - Group ID — passes the Azure Object ID (UUID) of the group
  - Cloud-only group display names — passes the human-readable group name (for cloud-only groups)
  - sAMAccountName — passes the on-premises group name (for hybrid/synced environments)
- Click Save.
Step 5: Assign Users and Groups to the Application
Only users and groups assigned to the Enterprise Application will be able to authenticate through this SSO configuration.
- In the left sidebar, select Users and groups under Manage.
- Click + Add user/group.
- Select the users or groups that should have SSO access to PlaidCloud.
- Click Assign.
Step 6: Retrieve and Send the App Federation Metadata URL
Once the application is configured, locate the Federation Metadata URL and send it to PlaidCloud so the integration can be completed.
- Navigate to the Single sign-on page for your Enterprise Application.
- Scroll to the SAML Certificates section.
- Copy the App Federation Metadata URL.
Send this URL to PlaidCloud support. This is the Entity Descriptor URL that PlaidCloud needs to configure the trust relationship on the identity provider side. Once PlaidCloud receives this URL, the team will complete the Keycloak configuration and notify you when SSO is ready to test.
Testing the Integration
After PlaidCloud confirms the configuration is complete:
- Navigate to your organization's PlaidCloud Workspace (e.g., https://my-workspace.plaid.cloud).
- You will be redirected to the Microsoft login page.
- Sign in with your Entra ID credentials.
- Upon successful authentication, you will be redirected back to PlaidCloud.
If you encounter errors, verify that:
- The SP Entity ID and Reply URL match exactly what PlaidCloud provided
- The user attempting to log in is assigned to the Enterprise Application
- The App Federation Metadata URL you sent to PlaidCloud is accessible (not blocked by a firewall or conditional access policy)
6.5 - Setting Up Okta SAML for Single Sign-On
PlaidCloud supports Single Sign-On (SSO) via SAML 2.0. This guide walks through configuring Okta as a SAML identity provider so your organization's users can authenticate through Okta when accessing PlaidCloud.
Prerequisites
- An Okta account with the Administrator role (Super Admin or Org Admin)
- Contact with PlaidCloud support to coordinate the setup and exchange configuration values
Overview
The setup process involves two parties exchanging SAML metadata:
- You configure a SAML application in Okta and provide PlaidCloud with your Identity Provider Metadata URL.
- PlaidCloud provides you with the Service Provider (SP) Entity ID and Single Sign-On URL (ACS URL) needed to complete your Okta application configuration.
Coordinate with PlaidCloud support to obtain the SP values before completing Step 3 below.
Step 1: Create a New SAML Application
- Sign in to the Okta Admin console.
- In the left sidebar, navigate to Applications > Applications.
- Click Create App Integration.
- Select SAML 2.0 as the sign-in method.
- Click Next.
- Enter a name for the application (e.g., PlaidCloud SSO) and optionally upload a logo.
- Click Next.
Step 2: Configure SAML Settings
- In the Single sign-on URL field, enter the ACS URL provided by PlaidCloud.
- In the Audience URI (SP Entity ID) field, enter the SP Entity ID provided by PlaidCloud.
- Leave Default RelayState blank unless PlaidCloud support instructs otherwise.
- Set Name ID format to EmailAddress.
- Set Application username to Email.
- Click Next.
Step 3: Configure Attribute Statements
On the same SAML settings screen, add attribute statements so that PlaidCloud receives user details in the SAML assertion.
User Attributes
In the Attribute Statements section, add the following:
| Name | Name format | Value |
|---|---|---|
| email | Unspecified | user.email |
| firstName | Unspecified | user.firstName |
| lastName | Unspecified | user.lastName |
Group Attributes (Optional)
If your PlaidCloud configuration uses group-based security role assignments, add a group attribute statement so group membership is passed in the assertion.
In the Group Attribute Statements section, add the following:
| Name | Name format | Filter |
|---|---|---|
| groups | Unspecified | Matches regex — .* (or a more specific pattern to limit which groups are included) |
Click Next, then select I'm an Okta customer adding an internal app and click Finish.
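The attribute mappings in this step (and the equivalent Google Workspace and Entra ID steps above) determine what arrives in the SAML assertion. The following script is an added example, not code from PlaidCloud or Okta: it parses a constructed sample assertion shaped like the Okta attribute statements and checks it against the mapping this guide asks for (NameID in emailAddress format, `email`, `firstName`, `lastName`, and an optional `groups` attribute). The issuer, IDs and values in the sample are placeholders. It inspects structure only; a service provider must verify the XML signature and conditions with a SAML library before trusting any value.

```python
import xml.etree.ElementTree as ET

# Namespace used by SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRIBUTES = ("email", "firstName", "lastName")

# Constructed sample assertion (placeholders throughout; not a real Okta or
# PlaidCloud message). Its attribute names follow the tables above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/placeholder-app-id</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Extract the NameID and every attribute (as a list of values) from an assertion.

    Structure only: signature and Conditions must be verified by a SAML
    library before any of these values are trusted.
    """
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response wrapping one.
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def check_assertion(parsed, groups_attribute="groups", require_groups=False):
    """Return a list of mismatches against the mapping described in this guide."""
    problems = []
    if parsed["name_id_format"] != EMAIL_NAMEID_FORMAT:
        problems.append("NameID format is %r, expected emailAddress" % parsed["name_id_format"])
    attrs = parsed["attributes"]
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name) or not attrs[name][0]:
            problems.append("attribute %r is missing or empty" % name)
    email = (attrs.get("email") or [None])[0]
    # The email attribute and the NameID should identify the same person.
    if email and parsed["name_id"] and email.lower() != parsed["name_id"].lower():
        problems.append("email attribute %r does not match NameID %r" % (email, parsed["name_id"]))
    if require_groups and groups_attribute not in attrs:
        problems.append("group attribute %r is absent; group-based role assignment cannot work" % groups_attribute)
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed)
    print(check_assertion(parsed, require_groups=True) or "assertion matches the expected mapping")
```

To apply it to a real sign-in, paste the decoded (base64) SAMLResponse captured by a browser SAML tracer into `parse_assertion`; the `check_assertion` output maps directly onto the "If you encounter errors" checklist in each provider section.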
Step 4: Retrieve and Send the Identity Provider Metadata URL
Once the application is created, locate the metadata URL and send it to PlaidCloud so the integration can be completed.
- On the application detail page, select the Sign On tab.
- Scroll to the SAML 2.0 section and click More details.
- Copy the Metadata URL (formatted as https://your-org.okta.com/app/your-app-id/sso/saml/metadata).
Send this Metadata URL to PlaidCloud support. This is the Entity Descriptor URL that PlaidCloud needs to configure the trust relationship on the identity provider side. Once PlaidCloud receives this URL, the team will complete the Keycloak configuration and notify you when SSO is ready to test.
Step 5: Assign Users and Groups to the Application
Only users and groups assigned to the application will be able to authenticate through this SSO configuration.
- On the application detail page, select the Assignments tab.
- Click Assign and choose either Assign to People or Assign to Groups.
- Select the users or groups that should have SSO access to PlaidCloud and click Assign.
- Click Done.
Testing the Integration
After PlaidCloud confirms the configuration is complete:
- Navigate to your organization's PlaidCloud Workspace (e.g., https://my-workspace.plaid.cloud).
- You will be redirected to the Okta sign-in page.
- Sign in with your Okta credentials.
- Upon successful authentication, you will be redirected back to PlaidCloud.
If you encounter errors, verify that:
- The ACS URL and SP Entity ID match exactly what PlaidCloud provided
- The user attempting to log in is assigned to the application in Okta
- The Name ID format is set to EmailAddress and the application username is set to Email
- The Metadata URL you sent to PlaidCloud is accessible
6.6 - Manage Organization Administrators
Organizations in PlaidCloud provide a top level area to control options such as single sign-on and member access capabilities. Organizations each contain at least one workspace, which allows workspaces to serve as the main level of tenant separation within PlaidCloud. A workspace helps to align teams with specific areas of interest and isolate access as appropriate. PlaidCloud allows Organizations to have an unlimited number of workspaces.
Managing Organization Administrators
Each Organization in PlaidCloud can assign multiple administrators. Administrators have special privileges to control the Organization. They can do things such as manage billing, update access management, and perform workspace management. To manage administrators:
- Select the “Organization Settings” menu from the top right of the screen
- Click “Administrators”
This will display the table of current administrators. After the table opens, you may add new administrators, delete existing administrators, or alter administrative privileges.
Adding an Administrator
To add an administrator:
- Select the “Organization Settings” menu from the top right of the screen
- Click “Administrators”
- Click the “Add Organization Administrator” button
- Complete the required fields
- Click “Add as Administrator”
Deleting an Administrator
To delete an administrator:
- Select the “Organization Settings” menu from the top right of the screen
- Click “Administrators”
- Click the delete icon of the desired administrator
- Confirm and click “Delete as Administrator”
6.7 - Managing Single Sign-On for Organization
Each Organization can have a custom URL (https://plaidcloud.com/sso/<custom_name_here>) for members to access the single sign-on page you specified in the configuration.
To create a custom URL:
- Select the “Organization Settings” menu from the top right of the screen
- Click “Single Sign-On Security Credentials”
- Adjust the Single Sign-On URL as desired
- Click “Update Organization SSO Settings”
Allow Creation of Users Automatically
If Single Sign-On is enabled, you can choose to automatically create members based on successful Single Sign-On authentication. New members will receive the default workspace and security roles specified in the Organization settings. To automatically create members:
- Select the “Organization Settings” menu from the top right of the screen
- Click “Organization and User Settings”
- Check the “Create Users Automatically from Single Sign-On” box
- Choose the desired default workspace
Use of this feature greatly simplifies member management because new members will automatically have access without any additional setup in PlaidCloud. Similarly, if members are removed from the Single Sign-On facility, they will no longer have access to PlaidCloud.
Allow Security Group Assignments from Single Sign-On
If Single Sign-On is enabled, you can choose to pass a group association list along with the positive authentication message. The list’s items will be used to assign a member to the specified groups and remove them from any not specified. This is an effective way to manage security group assignments by using a central user management service such as Active Directory or other LDAP service.
If this option is enabled, security roles will be assigned using the supplied list the next time a member signs in. If the option is disabled, existing members will retain their current security roles until manually updated within PlaidCloud.
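The reconciliation rule described above (assign the member to every group in the supplied list and remove them from every group not in it, but leave existing roles untouched while the option is disabled) is small enough to state in code. The following is an added example, not PlaidCloud's implementation: `reconcile_security_groups` applies that rule at sign-in, and `map_idp_groups` is an assumed helper for the case where the identity provider sends opaque values (such as the Entra Group ID UUIDs mentioned in the Entra section) that must first be translated into security group names. The example also takes one position the page does not state, labelled as an assumption in the code: an authentication message that carries no group attribute at all is treated as a configuration error rather than as "member of no groups", so a broken attribute mapping cannot silently strip every member of every role.

```python
def map_idp_groups(asserted_values, group_map):
    """Translate identity provider group values into security group names.

    Assumed helper for this example: values with no entry in group_map
    (for instance groups that exist only in the directory) are ignored.
    """
    return {group_map[v] for v in asserted_values if v in group_map}


def reconcile_security_groups(current, asserted, sso_groups_enabled):
    """Decide which security groups to add and remove for a member at sign-in.

    current:  groups the member holds in PlaidCloud today
    asserted: group list carried in the SSO authentication message, or None
              when the identity provider sent no group attribute at all
    Returns (to_add, to_remove, resulting_groups) as sets.
    """
    current = set(current)
    if not sso_groups_enabled:
        # Option disabled: existing roles are retained until changed manually.
        return set(), set(), current
    if asserted is None:
        # Assumption in this example (not stated by the page): an absent
        # attribute is a misconfiguration, not an empty membership list.
        raise ValueError("SSO group assignment is enabled but no group list was supplied")
    asserted = set(asserted)
    to_add = asserted - current
    to_remove = current - asserted
    return to_add, to_remove, asserted


if __name__ == "__main__":
    # Constructed sample: a member currently in Finance and a retired Legacy
    # group signs in with an assertion listing Finance and Analysts.
    print(reconcile_security_groups({"Finance", "Legacy"}, ["Finance", "Analysts"], True))
    # Same sign-in while the option is disabled: nothing changes.
    print(reconcile_security_groups({"Finance", "Legacy"}, ["Finance", "Analysts"], False))
    # Entra-style Group ID values translated through a (placeholder) mapping table.
    uuid_map = {"00000000-0000-0000-0000-000000000001": "Finance"}
    print(map_idp_groups(["00000000-0000-0000-0000-000000000001", "unknown"], uuid_map))
```

An empty list is honoured as written: if the Okta regex filter or Google group selection yields no groups for a member, they are removed from every SSO-managed group, which is the intended behaviour but also the first thing to check when a member loses access after sign-in.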
6.8 - Setting Member Expiration Period
If retaining inactive members within PlaidCloud is not desired, PlaidCloud's expiration capability can automatically remove members from the Organization after a specified period of inactivity. The inactivity period for this automated removal of dormant members can be set as short as one day.
To set expiration of members:
- Select the “Organization Settings” menu from the top right of the screen
- Click “Organization and User Settings”
- Set the desired number of days until expiration
- Click Update