belsimple supports Single Sign-On (SSO) via Microsoft and Google. SSO lets your team log in with their existing corporate accounts instead of a separate belsimple password.
Setting up SSO
- Go to SSO settings.
- Choose Microsoft or Google (or both).
- Enter your identity provider’s details:
  - Client ID and Client secret — from your provider’s app registration.
  - Microsoft: optionally enter your Entra ID tenant ID to restrict login to your organisation’s directory only.
  - Google: optionally enter your Workspace domain (e.g., company.com) to restrict login to your domain only.
  - Custom issuer URL — leave blank for standard Microsoft or Google. Set this only if you use a non-standard OIDC provider (e.g., Okta, Auth0, or a self-hosted IdP).
- Save the configuration.
SSO and password login
- SSO and password login can coexist. Users can log in with either method.
- You can enable SSO-only mode, which disables password login for your tenant. In this mode, new invitations activate accounts without setting a password, and users are directed to SSO.
- Users must still be invited before they can log in via SSO — there is no self-registration.
Microsoft SSO specifics
If you provide an Entra ID tenant ID, only accounts from that specific Microsoft directory are accepted. Personal Microsoft accounts and accounts from other organisations will be rejected. If you leave this blank, any Microsoft account can log in (as long as they have an invitation).
Google SSO specifics
If you provide a Workspace domain, only Google accounts from that domain are accepted. If you leave this blank, any Google account can log in (as long as they have an invitation).
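The tenant and domain restrictions described in the two sections above correspond to standard OIDC ID-token claims: `tid` for Microsoft Entra ID and `hd` for Google Workspace. The sketch below is an added example, not belsimple's code; the setting names, the email-based invitation lookup and all sample values are assumptions.

```python
# Added illustration, not belsimple's implementation. `claims` is assumed to be the
# payload of an ID token already verified for signature, issuer, audience and expiry.

def sso_login_allowed(provider, claims, config, invited_emails):
    """Return (allowed, reason) for one SSO login attempt."""
    if provider == "microsoft":
        tenant = config.get("entra_tenant_id")  # hypothetical setting name
        # `tid` names the directory that issued the token; a blank setting skips the check.
        if tenant and str(claims.get("tid") or "").lower() != tenant.lower():
            return False, "wrong_tenant"
    elif provider == "google":
        domain = config.get("workspace_domain")  # hypothetical setting name
        # `hd` is present only when the account belongs to a Google Workspace or
        # Cloud organisation. Compare the claim itself, not the text after "@".
        if domain and str(claims.get("hd") or "").lower() != domain.lower():
            return False, "wrong_domain"
    else:
        return False, "unknown_provider"
    # No self-registration: the user must already hold an invitation.
    # Matching invitations by email address is an assumption of this example.
    email = str(claims.get("email") or "").lower()
    if email not in invited_emails:
        return False, "not_invited"
    return True, "ok"


# Constructed sample data (not real tenants, domains or users).
CONFIG = {"entra_tenant_id": "11111111-2222-3333-4444-555555555555",
          "workspace_domain": "company.com"}
INVITED = {"alice@company.com", "bob@company.com"}

if __name__ == "__main__":
    attempts = [
        ("microsoft", {"tid": CONFIG["entra_tenant_id"], "email": "alice@company.com"}),
        ("microsoft", {"tid": "99999999-0000-0000-0000-000000000000",
                       "email": "alice@company.com"}),   # token from another directory
        ("google", {"hd": "company.com", "email": "bob@company.com"}),
        ("google", {"email": "bob@company.com"}),         # no hd claim at all
        ("google", {"hd": "company.com", "email": "eve@company.com"}),  # not invited
    ]
    for provider, claims in attempts:
        print(provider, claims.get("email"),
              sso_login_allowed(provider, claims, CONFIG, INVITED))
```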
Security note
Client secrets are encrypted at rest using AES-256-GCM. Nobody can view your SSO client secrets after they’ve been saved.