Organization Admin Guide
A comprehensive guide for organization administrators to configure, secure, and manage your PlanningForge workspace.
Admin Quick Reference
Security Settings
- MFA Enforcement
- Session Timeouts
- SSO Configuration
User Management
- Invite Users
- Assign Roles
- Manage Teams
Organization Setup
- Basic Information
- Integrations
- Billing & Plans
Accessing Admin Settings
Required Permissions
You must have the Owner or Administrator role to access and modify organization settings.
How to Access Organization Settings
- Click your organization name in the top navigation bar
- Select Organization Settings from the dropdown menu
- You'll see tabs for: General, Users, Teams, Security, SAML SSO, OIDC SSO, and Integrations
Security Settings
The Security tab contains all organization-wide security policies. These settings apply to all members when they're working within your organization.
Multi-Factor Authentication (MFA) Enforcement
What is MFA Enforcement?
When enabled, all users must set up two-factor authentication (2FA) before they can access your organization. This adds an extra layer of security by requiring both a password and a time-based code from an authenticator app.
Recommendation: We strongly recommend enabling MFA enforcement for all organizations, especially those handling sensitive data.
How to Enable MFA Enforcement
- Navigate to Organization Settings → Security tab
- Check the box for "Require two-factor authentication for all users"
- Click Save Security Settings
- Existing users will be prompted to set up MFA on their next login
- New users must set up MFA during onboarding
MFA Enforcement Behavior
- Password Users: Required to enable MFA before accessing the organization
- SSO Users: Automatically exempted (MFA is handled by your identity provider)
- Organization Switching: MFA required when switching to your org from another
- Recovery Codes: 8 single-use codes generated for emergency access
Session Management
What are Session Timeouts?
Session timeouts automatically log users out after a period of inactivity or after a maximum session duration. This prevents unauthorized access if a user leaves their computer unattended.
Two Types of Timeouts
Idle Timeout
The user is logged out after a period of inactivity (no clicks, no requests).
Default: 30 minutes
Range: 5-1440 minutes (1 min - 24 hours)
Absolute Timeout
Maximum session duration regardless of activity; the user must log in again.
Default: 8 hours (480 minutes)
Range: 60-1440 minutes (1 hour - 24 hours)
How to Configure Session Timeouts
- Navigate to Organization Settings → Security tab
- Find the "Session Timeouts" section
- Enter Idle Timeout in minutes (or leave blank for default)
- Enter Absolute Timeout in minutes (or leave blank for default)
- Click Save Security Settings
Recommended Timeout Values
| Security Level | Idle Timeout | Absolute Timeout | Use Case |
|---|---|---|---|
| High Security | 15 minutes | 2 hours (120 min) | Financial, healthcare, sensitive data |
| Standard Security | 30 minutes | 8 hours (480 min) | Most organizations (default) |
| Relaxed | 60 minutes | 24 hours (1440 min) | Internal tools, low-risk environments |
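How the two timeouts combine when a session is evaluated, using the defaults and ranges listed above. This is an added example and not PlanningForge's own code; it assumes out-of-range values are rejected rather than clamped, and that an idle timeout longer than the absolute timeout is rejected.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Limits from the guide: idle 5-1440 min (default 30), absolute 60-1440 min (default 480).
IDLE_DEFAULT, IDLE_MIN, IDLE_MAX = 30, 5, 1440
ABS_DEFAULT, ABS_MIN, ABS_MAX = 480, 60, 1440


@dataclass(frozen=True)
class TimeoutPolicy:
    idle_minutes: int
    absolute_minutes: int


def build_policy(idle: Optional[int], absolute: Optional[int]) -> TimeoutPolicy:
    """Blank form fields fall back to the defaults; out-of-range values are
    rejected (rejection rather than clamping is this example's assumption)."""
    idle = IDLE_DEFAULT if idle is None else idle
    absolute = ABS_DEFAULT if absolute is None else absolute
    if not IDLE_MIN <= idle <= IDLE_MAX:
        raise ValueError(f"idle timeout must be {IDLE_MIN}-{IDLE_MAX} minutes")
    if not ABS_MIN <= absolute <= ABS_MAX:
        raise ValueError(f"absolute timeout must be {ABS_MIN}-{ABS_MAX} minutes")
    if idle > absolute:
        # An idle window longer than the whole session can never be reached.
        raise ValueError("idle timeout cannot exceed absolute timeout")
    return TimeoutPolicy(idle, absolute)


def session_state(policy: TimeoutPolicy, created_at: datetime,
                  last_activity: datetime, now: datetime) -> str:
    """Evaluate a session: 'active', 'expired_idle' or 'expired_absolute'.

    The absolute limit is checked first because activity cannot extend it.
    """
    if now - created_at >= timedelta(minutes=policy.absolute_minutes):
        return "expired_absolute"
    if now - last_activity >= timedelta(minutes=policy.idle_minutes):
        return "expired_idle"
    return "active"
```

Run against the same session (created three hours ago, last request 45 minutes ago), the three rows of the table above give three different outcomes: expired by the absolute limit under High Security, expired by the idle limit under Standard, and still active under Relaxed.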
SSO Configuration
Single Sign-On (SSO) allows your users to authenticate using your organization's identity provider. PlanningForge supports both SAML 2.0 and OpenID Connect (OIDC).
SAML 2.0
Enterprise SSO protocol supported by most identity providers.
- Okta, Azure AD, OneLogin, Google Workspace
- Automatic user provisioning with SCIM
- Domain-based SSO enforcement
OIDC (OpenID Connect)
Modern authentication protocol built on OAuth 2.0.
- Auth0, Okta, Azure AD, Keycloak
- Simple configuration with issuer URL
- Automatic user provisioning
SSO and MFA
When SSO is configured and enforced, users authenticating via your identity provider are automatically exempted from PlanningForge's MFA requirement. Your IdP handles MFA for those users.
User Management
Organization Roles
Owner
Full control including billing and ownership transfer
Administrator
Manage settings, users, and teams
Billing Manager
Access billing and subscriptions only
Member
Standard user access to assigned teams
Adding Users
Via Email Invitation
- Go to Organization Settings → Users
- Click Invite User
- Enter email address
- Select organization role
- Optionally add to teams
- Click Send Invitation
Via SSO (Automatic Provisioning)
- Users are automatically created when they sign in via SAML/OIDC
- Requires SSO configuration with auto-provisioning enabled
- SCIM support for advanced user lifecycle management
Team Setup
Teams are groups of users who work together on planning sessions and retrospectives. Each team can have different members and permissions.
Creating a Team
- Go to Organization Settings → Teams
- Click Create Team
- Enter team name and description
- Add team members (users must be in the organization first)
- Assign team roles (Owner, Moderator, Member)
- Click Create Team
Team Roles
Team Owner
Full team management, can create sessions and retrospectives, manage members
Moderator
Can create and run sessions/retrospectives, cannot manage team members
Member
Can participate in planning sessions and retrospectives
Integrations
Jira Integration
Connect to Jira to import stories and export estimates automatically.
- Import stories from Jira sprints
- Export estimates back to Jira
- Bidirectional sync
API Access
Use the PlanningForge API to build custom integrations.
- RESTful API endpoints
- API key authentication
- Webhooks for events
Admin Best Practices
Security
- ✓ Enable MFA enforcement for all organizations
- ✓ Set appropriate session timeouts based on data sensitivity
- ✓ Review user access quarterly
- ✓ Use SSO when available
- ✓ Enable SCIM for automated user provisioning/deprovisioning
User Management
- ✓ Assign roles based on principle of least privilege
- ✓ Create teams before inviting users
- ✓ Use descriptive team names
- ✓ Document team purposes and ownership
- ✓ Offboard users promptly when they leave
Monitoring
- ✓ Review audit logs regularly
- ✓ Monitor failed login attempts
- ✓ Check for inactive users monthly
- ✓ Track MFA adoption rates
- ✓ Review session timeout logs for user feedback
Communication
- ✓ Notify users before enabling MFA enforcement
- ✓ Announce session timeout changes in advance
- ✓ Provide MFA setup instructions to users
- ✓ Create internal documentation for your org
- ✓ Designate backup admins
Common Admin Issues
Users Can't Log In After Enabling MFA
Issue: Users are blocked from logging in after MFA enforcement is enabled.
Solution:
- Users must set up MFA from their profile page before the enforcement takes effect
- Provide users with setup instructions before enabling enforcement
- Users can access /profile to set up MFA even with enforcement enabled
- Recovery codes can be used if authenticator app is unavailable
Session Timeouts Too Aggressive
Issue: Users are being logged out too frequently.
Solution:
- Increase idle timeout if users are active but getting logged out
- Increase absolute timeout if users need longer work sessions
- Balance security needs with user experience
- Consider a 30-minute idle / 8-hour absolute timeout for most organizations
SSO Users Being Asked for MFA
Issue: Users authenticating via SSO are still prompted for PlanningForge MFA.
Solution:
- Verify SSO is properly configured and enabled
- Check that the user's email domain matches the SSO domain settings
- Ensure "Enforce SSO" is enabled if you want to require SSO for all users
- SSO users are automatically exempted from MFA when authenticating via IdP
Account Locked - Can't Access
Issue: User account is locked after failed login attempts.
Solution:
- Account automatically unlocks after 15 minutes
- Admins cannot manually unlock accounts (for security)
- User can use password reset if they've forgotten their password
- SSO users should authenticate via IdP to bypass password login
Need Admin Support?
Our support team is here to help you configure and manage your organization.