PlanetScale’s SSO implementation is a little more flexible than you might expect, allowing you to use either SAML or OIDC, but the real trick is understanding how PlanetScale validates the identity provider’s responses.
Let’s walk through setting up a typical OIDC flow with Google Workspace as the IdP.
First, on the Google Workspace side, you’ll need to create a new "SAML app" (even though we’re using OIDC, Google’s UI bundles it this way) or a custom OIDC app. Let’s assume you’re creating a custom OIDC app for clarity.
Google Workspace OIDC App Configuration:
- App Name: PlanetScale SSO
- Application Type: OIDC
- Authorized redirect URIs: This is crucial. You’ll get this from PlanetScale’s SSO settings page after you’ve initiated the setup there. It will look something like https://auth.planetscale.com/oauth/callback.
- Scopes: You’ll need openid, email, and profile.
- User Access: Assign users or groups who should have access to PlanetScale.
Once you save this in Google Workspace, you’ll be presented with your Client ID and Client Secret. You’ll also need the Issuer URL (e.g., https://accounts.google.com for Google’s standard OIDC provider) and the Authorization Endpoint and Token Endpoint URLs. You can usually find these on Google’s OIDC discovery endpoint: https://accounts.google.com/.well-known/openid-configuration.
PlanetScale SSO Setup:
- Navigate to Organization Settings > SSO in your PlanetScale dashboard.
- Select OpenID Connect (OIDC) as your provider type.
- Provider Name: Google (or whatever you like).
- Client ID: Paste the Client ID from Google Workspace.
- Client Secret: Paste the Client Secret from Google Workspace.
- Issuer URL: Enter the Google Issuer URL (e.g., https://accounts.google.com).
- Authorization Endpoint: Enter the Google Authorization Endpoint URL.
- Token Endpoint: Enter the Google Token Endpoint URL.
- Redirect URI: This is the URI you’ll need to copy from PlanetScale and paste back into your Google Workspace OIDC app configuration.
After saving these settings in PlanetScale, it will generate a Redirect URI. You must go back to your Google Workspace OIDC app and add this exact URI to the "Authorized redirect URIs" list. If you don’t, the OIDC flow will fail with an authorization error.
Now, when a user tries to log in to PlanetScale via SSO, they’ll be redirected to Google. After authenticating with Google, they’ll be redirected back to PlanetScale using the configured Redirect URI. PlanetScale then uses the Client ID, Client Secret, and the OIDC endpoints to exchange the authorization code for an access token and ID token, which it uses to verify the user’s identity.
The most common point of failure here isn’t the credentials, but the redirect URI mismatch. PlanetScale expects to be able to redirect back to a specific URI that you’ve pre-authorized in your Identity Provider. If that URI isn’t an exact match (including trailing slashes, case sensitivity, etc.), the IdP will reject the callback, and PlanetScale won’t be able to complete the login.
The second most common issue is incorrect scopes. If openid, email, or profile are not requested or granted, PlanetScale won’t receive the necessary user information to log them in.
Finally, ensure your Issuer URL is correct and points to the discovery document of your IdP. PlanetScale uses this to fetch the correct endpoints and public keys for token validation.
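The three failure modes above (redirect URI mismatch, missing scopes, wrong issuer) are all checks a relying party performs before it trusts a login. The following is an added example, not PlanetScale's code, showing those checks on the relying-party side in plain Python with no network access: it parses a constructed discovery document (the endpoint paths are hypothetical placeholders under the issuer the page names), matches the callback URI exactly the way an IdP does and names the likely cause of a mismatch, reports missing required scopes, and validates the ID-token claims (issuer, audience, expiry) that must hold after the code exchange. Signature verification against the keys at `jwks_uri` is assumed to happen separately and is not shown.

```python
"""Relying-party-side OIDC sanity checks: discovery/issuer, redirect URI
exact match, required scopes and ID-token claims. Added example; not
PlanetScale's code. Standard library only, runs offline."""
import json
import time

# Scopes the login needs, as stated in the setup notes.
REQUIRED_SCOPES = frozenset({"openid", "email", "profile"})

# Constructed sample discovery document. The endpoint paths are hypothetical
# placeholders; a real one is served at <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/example/authorize",
    "token_endpoint": "https://accounts.google.com/example/token",
    "jwks_uri": "https://accounts.google.com/example/jwks",
})

REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def load_discovery(doc_json, expected_issuer):
    """Parse a discovery document and confirm it belongs to the configured issuer.

    An issuer mismatch means the 'Issuer URL' setting points at the wrong IdP,
    so the endpoints and signing keys it advertises must not be trusted."""
    doc = json.loads(doc_json)
    missing = [k for k in REQUIRED_DISCOVERY_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing keys: {missing}")
    if doc["issuer"] != expected_issuer:
        raise ValueError(
            f"issuer mismatch: configured {expected_issuer!r}, document says {doc['issuer']!r}")
    return doc


def check_redirect_uri(registered, presented):
    """Exact-match the callback URI the way an IdP does: no normalisation.

    Returns (True, 'ok') on an exact match, otherwise (False, reason) naming the
    most likely cause so the operator can fix the authorized list."""
    if presented in registered:
        return True, "ok"
    for uri in registered:
        if presented.rstrip("/") == uri.rstrip("/"):
            return False, "trailing slash differs"
        if presented.lower() == uri.lower():
            return False, "case differs"
    return False, "not in authorized redirect URIs"


def missing_scopes(requested):
    """Return the required scopes absent from a space-separated scope string."""
    return REQUIRED_SCOPES - set(requested.split())


def validate_id_token_claims(claims, issuer, client_id, now=None):
    """Check the ID-token claims a relying party must verify after the code
    exchange (signature verification against jwks_uri is assumed to have been
    done already). Returns a list of problems; an empty list means acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match configured issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not contain our client_id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if not claims.get("email"):
        problems.append("email claim missing (email scope not granted?)")
    return problems


if __name__ == "__main__":
    doc = load_discovery(SAMPLE_DISCOVERY_JSON, "https://accounts.google.com")
    print("token endpoint:", doc["token_endpoint"])
    print(check_redirect_uri(["https://auth.planetscale.com/oauth/callback"],
                             "https://auth.planetscale.com/oauth/callback/"))
    print("missing scopes:", missing_scopes("openid email"))
    # Constructed ID-token payload (claims only; placeholder client id).
    sample_claims = {"iss": "https://accounts.google.com", "aud": "client-id-placeholder",
                     "exp": 2_000_000_000, "email": "user@example.com"}
    print(validate_id_token_claims(sample_claims, "https://accounts.google.com",
                                   "client-id-placeholder"))
```

Note that `check_redirect_uri` only reports the mismatch reason; it never loosens the match, because accepting a near-match at the IdP is exactly what lets an authorization code be delivered to a callback the operator did not register.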
Once your SSO is set up and working, the next thing you’ll likely encounter is managing Just-In-Time (JIT) provisioning and how that interacts with user roles and permissions within PlanetScale.