Once a team decides to enable SSO, they should first navigate to the SSO setup page. They can directly navigate to https://dashboard.plaid.com/settings/team/sso, or they can navigate to the page using the Sidebar (Settings > Team Settings > SSO).
Once on the page, the team should then click the button to open WorkOS, which takes them to the Admin Portal. If this is the first time the team is opening Admin Portal, a modal with a form will appear; the team should provide the domains which they own and for which they would like to enable SSO. For example, if they have emails of the form john.doe@example.com, they would specify the domain “example.com”. Note that the team will not be able to adjust, edit, or delete these domains after this point, so they should make sure that these are correct.
After opening Admin Portal, the team should then complete the provided SSO setup instructions. These instructions are provided directly on the Admin Portal page. There should be detailed and specific steps for connecting with different identity providers, but there are also detailed steps for setting up Custom SAML/OIDC. It is recommended that on the first step of the setup process, the team chooses their Identity Provider to receive more-specific setup instructions, rather than choosing Custom SAML.
At the end, the team may be prompted to test their connection once the setup steps are performed - they should click the button to perform the test, and go through the SSO login process. The connection is not complete until a successful test is complete.
After this is done, they can navigate back to the Dashboard SSO page, where per-domain settings can be edited by clicking the “Edit” button for a specific domain. To fully turn on SSO, the per-domain settings should be “Mandatory” or “Mandatory (Optional for admins)”.