SSO (Single Sign-On) allows users to log into Bezala using their organization's identity provider credentials. SSO setup is configured at the company level.
Supported Identity Providers
Bezala supports three SSO providers:
Microsoft (Azure AD): Log in using Microsoft credentials
Google Workspace: Log in using a Google account
Okta: Enterprise identity management
How to Log In with SSO
Microsoft SSO:
On the Bezala login page, click Sign in with Microsoft
You will be redirected to Microsoft login
Enter your company Microsoft account credentials
Bezala matches your Microsoft User Principal Name (UPN) or email to your Bezala account
Google SSO:
On the Bezala login page, click Sign in with Google
Sign in with your Google Workspace account
Your Google email must match the email registered in your Bezala account
Okta SSO:
Access Bezala through your Okta dashboard by clicking the Bezala app tile
Or go directly to app.bezala.com and click Sign in with Okta
Enter your company Okta credentials when prompted
Your Okta admin must have configured the Bezala integration first
Microsoft Login Behavior (Technical)
Primary login method: User Principal Name (UPN)
Fallback: If UPN doesn't match a Bezala user and the domain in the UPN matches the company's allowed domain setting, the Mail field is used for login
Domain restriction: Company can restrict login to users from a specific email domain
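A sketch of the matching order described above, added here as an illustration and not Bezala's own code. The function, the settings object, the reason strings, the case-insensitive comparison, the choice to check the restriction against the UPN's domain, and the example.com sample users are all assumptions. It shows that the Mail field is consulted only when the UPN's domain equals the company's allowed domain.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass(frozen=True)
class CompanySso:                       # hypothetical settings object
    allowed_domain: Optional[str]       # the company's allowed domain setting
    restrict_to_domain: bool = False    # domain restriction switched on

def _norm(value: Optional[str]) -> str:
    # Assumption: logins are compared case-insensitively.
    return value.strip().lower() if value else ""

def _domain(address: str) -> str:
    local, sep, domain = _norm(address).rpartition("@")
    return domain if sep and local else ""

def resolve_login(upn, mail, company: CompanySso,
                  users: Set[str]) -> Tuple[Optional[str], str]:
    """Return (matched Bezala login, reason); login is None when denied."""
    upn_n, mail_n = _norm(upn), _norm(mail)
    allowed = _norm(company.allowed_domain)
    domain_ok = bool(allowed) and _domain(upn_n) == allowed
    # Assumption: the restriction is checked against the UPN's domain.
    if company.restrict_to_domain and not domain_ok:
        return None, "domain-restricted"
    if upn_n and upn_n in users:        # primary method: UPN
        return upn_n, "upn"
    if not domain_ok:                   # Mail is not consulted at all
        return None, "no-upn-match"
    if mail_n and mail_n in users:      # fallback: Mail field
        return mail_n, "mail-fallback"
    return None, "no-match"

# Constructed sample data (not real accounts).
USERS = {"anna@example.com", "ben.smith@example.com", "carl@partner.example"}
OPEN = CompanySso(allowed_domain="example.com")
LOCKED = CompanySso(allowed_domain="example.com", restrict_to_domain=True)

if __name__ == "__main__":
    for upn, mail, cfg in [
        ("Anna@Example.com", None, OPEN),
        ("bsmith@example.com", "ben.smith@example.com", OPEN),
        ("bsmith@other.example", "ben.smith@example.com", OPEN),
        ("carl@partner.example", None, LOCKED),
    ]:
        print(upn, mail, resolve_login(upn, mail, cfg, USERS))
```
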
Mobile App SSO
The Bezala mobile app supports Microsoft, Google, and Okta SSO:
Open the app
Enter your email
Tap the appropriate Sign in with button
The app will redirect you to complete authentication with your identity provider
Self Sign-Up with SSO
Companies can enable self sign-up to allow new users to register:
Administrator copies the self sign-up link from Company Settings > Basic Settings
New users can register without admin intervention
SSO Exemptions
If a user needs to bypass SSO and log in with email/password instead (e.g. an API user or a non-employed person), the company admin can grant an SSO exemption:
Go to Company Settings > Users
Search for the user and click the edit pen on the user's row.
Uncheck the Enforce SSO option (a checkbox located under the language preferences).
Save changes
The user can then log in with their email and password even if SSO is enforced company-wide.
FAQ
Q: How do I enable SSO for my company?
A: The SSO setup has to be done by your IT department. If you are using Microsoft Entra or Google SSO, the easiest way is to ask your IT manager to log in at app.bezala.com and follow the instructions.
Q: I see "Need admin approval" when trying to sign in with Microsoft. What should I do?
A: This message appears when your organization's Microsoft Entra ID (Azure AD) requires an administrator to approve Bezala before users can sign in.
If you are a user: Click "Have an admin account? Sign in with that account" on the prompt, or contact your IT administrator and ask them to approve the Bezala app for your organization.
If you are an IT administrator: You can grant consent in one of these ways:
Click "Have an admin account? Sign in with that account" on the approval prompt and sign in with your admin credentials
Go to Microsoft Entra admin center > Enterprise applications > Search for "Bezala Production" > Permissions > Grant admin consent
After admin consent is granted, all users in your organization can sign in with Microsoft SSO.
Q: Microsoft SSO is not working for me. What should I check?
A: Bezala matches your Microsoft User Principal Name (UPN) first. If your UPN differs from your email, login may fail. Verify with your IT admin that your Microsoft UPN or email domain matches what is configured in Bezala. Your company may have a specific domain allowlist configured.
Q: My company enforces SSO but I need to log in with email and password.
A: Ask your company admin to grant you an SSO exemption. They can do this by editing your user profile in Company Settings > Users and enabling the SSO exemption option. No support contact is required.
Q: My SSO login worked before but stopped working. What happened?
A: Common causes include: your company changed SSO settings, your email changed in the identity provider, your Bezala account email does not match your SSO email, or your company IT changed domain configurations. Contact your company admin or IT department to verify settings.
Q: Can multiple identity providers be used?
A: Yes, you can use multiple
Q: How do I get the self sign-up link?
A: A person with a Manager role in the company's Bezala environment can go to Company Settings > Basic Settings. Look for Self sign-up settings and use the Copy self sign-up link button.
Q: Why can't I change a user's login email/my login email?
A: There are two reasons why editing a user's email might be prohibited:
"Enforce SSO authentication" is on. This check box is not visible in the user's profile.
User has access to several Bezala environments:
Only the user can change email in their own profile settings (requires unchecked SSO box).


