Articles on: Get started

Enterprise workflows: SSO, governance and running SimplyPrint at scale

Enterprise workflows: SSO, governance and running SimplyPrint at scale


Once SimplyPrint is in front of a whole organisation - several teams, several sites, an IT department that has to sign off on it - the questions change. It stops being "how do I start a print" and becomes "how do people sign in, who is allowed to do what, where does the data live, and what does IT need to review before we roll this out". This article walks the governance and IT-review workflow for the Enterprise plan, and deep-links each control to the article that explains the mechanics.


A useful question to orient yourself first: are you producing for customers, building internal tooling, or both? It does not branch into different products - SimplyPrint is the same platform either way - but it tells you which governance controls matter most. A service bureau printing for outside clients leans on the audit log, the DPA and access restrictions. An internal R&D or manufacturing operation leans on SSO, user groups and quotas. Most large deployments are a mix, and the controls below cover both.


The Enterprise plan is SimplyPrint's top business tier. It includes everything in Print Farm, plus the governance, security and support features in this article: SSO, a company audit log with export, an IP allow-list, enforced two-factor authentication, usage policies, an in-product DPA, an uptime SLA, and white-glove support. It includes 10 printers and 10 user seats by default and is expandable for larger deployments. Some of these controls (SSO, IP allow-list, audit log, DPA, usage policies, queue approval, temporary access) are shared with the School plan; the Enterprise-only additions are noted as they come up.


Organisation registration and SSO settings page showing SAML single sign-on configuration with email-domain mapping


Table of contents


Single sign-on (SSO)

For most organisations SSO is the first thing IT asks about, because it decides how everyone signs in and how accounts get created and removed. SimplyPrint runs SSO over either OIDC or SAML. You map your identity provider's groups to SimplyPrint user groups, so a member who signs in lands in the right group automatically with the right permissions - no manual seat assignment.


Your account runs a single SSO method at a time, SAML or OIDC, never both. Switching between them keeps the other method's saved configuration, so you can set one up and try it without losing the other.


The OIDC route uses the standard authorization-code flow and maps the provider's groups claim to your SimplyPrint groups. The SAML route does the same kind of group mapping and adds teacher mapping for education accounts. Pick whichever your identity provider speaks most naturally - both end up in the same place. The setup details, including provider-specific guides, live in the OIDC single sign-on article and the SAML single sign-on and group mapping article.


Verify your email domain before you flip SSO on for everyone. Verifying a domain via a DNS TXT record lets members sign in by typing their work email (the system routes them to your SSO automatically), and lets new accounts be created safely on first sign-in instead of being invited one by one. Public mailbox domains like gmail.com are blocked, and a domain can belong to one account. The walkthrough is in Verify your email domains for single sign-on.


User groups and permissions

Every member belongs to a user group, and each group is a named bundle of permissions. Enterprise's default groups are Administrator, Manager, Engineer and Member, and you can rename them or add your own. When you map identity-provider groups to these, the whole "who can do what" question is answered by your existing directory.


The permission set itself is large and granular, organised into categories: printing, the print queue, the slicer, courses, the filament system, maintenance, users, and organisation management. That granularity is the point - you can let a group see the Printers page without letting them start prints, let a team manage the queue without touching billing, or give a contractor read-only visibility. The full breakdown of what each permission controls is in User groups and permissions.


The user groups and permissions page, where each group is a named bundle of permissions


Setting up a large account by hand is slow. You can bulk-create members from a CSV or directory export rather than inviting one at a time - see Importing users from a CSV or directory export. With SSO and a verified domain in place, much of this happens automatically on first sign-in instead.


The audit log

Enterprise includes a company audit log - a record of who did what across the account, which is exactly what an internal review or an outside auditor will ask for. On Enterprise you can also export it (CSV or JSON) to hand off or archive. The audit log is shared with the School plan, but export is Enterprise-only.


Data and security audit log showing recorded actions, users, timestamps and an Export button


Viewing the log is itself a permission, so you can decide which groups can read it. There is no standalone audit-log article; the "View audit log" capability and where it sits is covered in User groups and permissions.


Access restrictions: IP allow-list and enforced 2FA

Access restrictions are built from two independent blocks, and this is the part IT tends to scrutinise most, so it is worth understanding how they combine.


The first block is an IP allow-list: restrict panel access to specific IP addresses or CIDR ranges, with per-block-level control over what is withheld when someone is off-network. The second block is an approved-device requirement. You choose how they combine - either passing one of them is enough (the default "allowed IP or approved device"), or both are required ("allowed IP and approved device").


Data and security access settings showing enforced two-factor authentication and a configured IP allow-list


The account owner is always exempt from access restrictions, so you cannot lock the owner out. You can also exempt individual user groups from the IP check and the device check independently - useful for a remote admin who legitimately signs in from anywhere.


On Enterprise you can also require two-factor authentication for every member. Enforced 2FA is Enterprise-only (not School), and as with access restrictions the account owner is always exempt so turning it on can never lock the owner out.


Two honest caveats your IT team should know before relying on these. An IP allow-list matches the public IP a request arrives from, so a site behind a single shared public IP cannot isolate one room by IP, and a VPN will change the IP it sees. And "approve this device" is bound to one browser plus OS login, not the physical machine - a shared computer with several per-user logins reads as several unapproved devices. The technical reference, including these trade-offs, is in Approved devices and IP restrictions, explained, and the panel-side how-to is in Require 2FA and restrict panel access by IP.


Usage policies and quotas

If you need to bound what people can consume - print count, material, cost, slices or print time - Enterprise includes usage policies. You set per-group quotas plus fixed limits like maximum queue items or simultaneous printers, so a team or a project cannot quietly run away with the fleet. Usage policies are shared with the School plan; both are gated by the same feature, so anything written about quotas for schools applies here too. The full set of quota types is in The quotas and limits feature.


Two related governance tools come along for the ride on Enterprise. Queue approval lets you review and approve prints before they run - mostly a classroom and gatekeeping tool, but available here if you want a sign-off step in front of the fleet. And temporary access grants a member timed membership that auto-expires, which is the clean way to bring in a contractor or an auditor without remembering to remove them later (see Give a member temporary access).


The DPA, the SLA and what IT will review

For a procurement or security review, two documents usually matter. Enterprise can sign a Data Processing Agreement (DPA) directly inside the product - no back-and-forth PDF. And Enterprise comes with an uptime SLA, the public version of which lives at simplyprint.io/legal/sla. What the DPA covers and how to sign it is in The Data Processing Agreement (DPA): what it is and how to sign it.


Data and security overview with a security status checklist


When IT reviews SimplyPrint before rollout, the Data and security area is the place to start. A typical pre-rollout checklist looks like this:

  • Identity: SSO over OIDC or SAML, your domain verified, identity-provider groups mapped to user groups
  • Access: the IP allow-list and approved-device rules configured, the ANY-or-ALL combine mode chosen, group exemptions reviewed
  • Authentication: enforced 2FA turned on (owner stays exempt)
  • Accountability: the audit log enabled, export tested, the "view audit log" permission scoped
  • Limits: usage policies set per group if you cap consumption
  • Paperwork: the DPA signed in-product, the SLA reviewed


If your review needs a signed DPA, custom contract terms or anything procurement-related, email legal@simplyprint.io.


White-glove support

Enterprise includes white-glove support, which for a large rollout often matters as much as any single feature. You get a dedicated support agent, priority support, phone support, and a shared Slack Connect channel with the SimplyPrint team. That means a named person who knows your deployment and a fast channel when something is urgent, rather than starting from scratch each time. (To be precise, this is support, not a separate onboarding product - the dedicated contact will help you get set up, but it is the support stack that is the feature.)


Running multiple locations

A lot of enterprise reality is several physical sites, and SimplyPrint handles that with multi-location workspaces. You can hold several fully separate locations under one login and switch between them in one click from the top-right account switcher, without signing out. Each location is its own workspace with its own subscription, printers, queue, filament inventory, users, country and currency. Additional locations bill immediately and can each be on Pro, Print Farm, School or Enterprise, so a small satellite site does not have to match headquarters.


One thing to plan for: SSO configuration and the verified email domain are never copied to a new location. Each location sets up its own SSO and verifies its own domain. That is deliberate (every site can run its own identity setup), but it means adding a location is not a one-click clone of your governance settings - budget the setup time per site. The full behaviour is in Running multiple locations on one SimplyPrint login.


Enterprise is self-serve, so you can sign up and configure all of this yourself. For a larger or bespoke deployment - lots of sites, a procurement process, custom terms - the faster path is to book a demo and let a dedicated contact help shape the rollout.



Updated on: 25/06/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!