Introduction
Bland supports both OIDC (OpenID Connect) and SAML 2.0 based Single Sign-On (SSO) for enterprise workspaces. This enables your users to authenticate with their existing identity provider (IdP) — such as Okta, Azure Active Directory, Google Workspace, Auth0, or any SAML 2.0 compatible provider — instead of managing separate Bland credentials. Once connected, users from your domain can log in with Sign in with SSO, and new users will be provisioned automatically into your workspace.Prerequisites
Before configuring SSO, ensure you have:- Admin access to your Bland organization
- Admin access to your identity provider (IdP)
- Your organization’s verified email domain (e.g.,
company.com
) - For SAML: Understanding of X.509 certificates and metadata
- For OIDC: Ability to create OAuth 2.0 applications
Quick Start
Choose Your Protocol
Plan Your Provider ID
company-okta
or company-saml
). This will be used in all your URLs.
You can customize this or let Bland auto-generate it from your domain.Create Provider in Bland
Configure Your IdP
Test Connection
Okta Configuration
Okta OIDC Setup
Step 1: Create OIDC Application
Step 1: Create OIDC Application
- Sign in to Okta Admin Console
- Go to Applications → Applications
- Click Create App Integration
- Select OIDC - OpenID Connect as the Sign-in method
- Select Web Application as the Application type
- Click Next
Step 2: Configure Application
Step 2: Configure Application
- App integration name:
Bland SSO
- Logo: (Optional) Upload your company logo
- ✅ Authorization Code
- ✅ Refresh Token (recommended)
- ❌ Implicit (not recommended)
[provider-id]
with your chosen Provider ID (e.g., company-okta
)- Allow everyone in your organization to access (recommended for company-wide SSO)
- Limit access to selected groups (if you want to control access)
Step 3: Configure Claims (Optional)
Step 3: Configure Claims (Optional)
- Go to Sign On tab → OpenID Connect ID Token → Edit
- Click Add Claim
- Configure:
- Name:
groups
- Include in: ID Token, Access Token
- Value type: Groups
- Filter:
.*
(for all groups) - Include in: Any scope
- Name:
- Click Create
Step 4: Get Configuration Details
Step 4: Get Configuration Details
- Issuer:
https://[your-okta-domain].okta.com
- Client ID: The long alphanumeric string
- Client Secret: Click the eye icon to reveal
Step 5: Configure in Bland
Step 5: Configure in Bland
- Go to Settings → SSO → Add Provider
- Select OIDC (OpenID Connect) as Provider Type
- Enter:
- Provider ID: Your chosen ID (e.g.,
company-okta
) or leave blank to auto-generate - Email Domain:
company.com
- Issuer URL: From Okta (e.g.,
https://dev-12345.okta.com
) - Client ID: From Okta
- Client Secret: From Okta
- Provider ID: Your chosen ID (e.g.,
- Optional: Configure scopes (defaults to
openid email profile
) - Optional: Enable PKCE for enhanced security (recommended)
- Click Add Provider
Okta SAML Setup
Step 1: Create SAML Application
Step 1: Create SAML Application
- In Okta Admin, go to Applications → Applications
- Click Create App Integration
- Select SAML 2.0 as the Sign-in method
- Click Next
- Enter App name:
Bland SSO
- Click Next
Step 2: Configure SAML
Step 2: Configure SAML
- Single sign-on URL:
- ✅ Use this for Recipient URL and Destination URL
- Audience URI (SP Entity ID):
- Name ID format:
EmailAddress
- Application username:
Email
Step 3: Configure Attributes
Step 3: Configure Attributes
Name | Name Format | Value |
---|---|---|
Unspecified | user.email | |
firstName | Unspecified | user.firstName |
lastName | Unspecified | user.lastName |
name | Unspecified | user.displayName |
Name | Name Format | Filter |
---|---|---|
roles | Unspecified | .* |
Step 4: Get SAML Configuration
Step 4: Get SAML Configuration
- Go to Sign On tab → View SAML setup instructions
- Copy:
- Identity Provider Issuer
- Identity Provider Single Sign-On URL
- X.509 Certificate (entire content)
- Or download the metadata XML
Step 5: Configure in Bland
Step 5: Configure in Bland
- Go to Settings → SSO → Add Provider
- Select SAML 2.0 as Provider Type
-
Enter basic configuration:
- Provider ID: Your chosen ID (e.g.,
company-okta-saml
) or leave blank to auto-generate - Email Domain:
company.com
- Issuer URL: Identity Provider Issuer from Okta
- Provider ID: Your chosen ID (e.g.,
-
Choose configuration method:
Option 1: Metadata Import (Recommended)
- Paste the metadata XML from Okta, or
- Provide the metadata URL (may have CORS issues locally)
- Entry Point: Identity Provider Single Sign-On URL from Okta
- X.509 Certificate: Paste the entire certificate including BEGIN/END lines
- Click Add Provider
- Download SP metadata using the “Metadata” button and upload to Okta if needed
Azure AD (Microsoft Entra ID)
Azure AD OIDC Setup
Step 1: Register Application
Step 1: Register Application
- Sign in to Azure Portal
- Go to Azure Active Directory → App registrations
- Click New registration
- Configure:
- Name:
Bland SSO
- Supported account types: Accounts in this organizational directory only
- Redirect URI: Web →
https://api.bland.ai/authorization/sso/callback/[provider-id]
(Replace[provider-id]
with your chosen ID, e.g.,company-azure
)
- Name:
- Click Register
- Copy the Application (client) ID and Directory (tenant) ID
Step 2: Create Client Secret
Step 2: Create Client Secret
- Go to Certificates & secrets → Client secrets
- Click New client secret
- Description:
Bland SSO Secret
- Choose expiration (12-24 months recommended)
- Click Add
- IMMEDIATELY copy the secret value (won’t be shown again)
Step 3: Configure Permissions
Step 3: Configure Permissions
- Go to API permissions
- Click Add a permission → Microsoft Graph → Delegated permissions
- Add:
openid
profile
email
User.Read
- Click Grant admin consent for [Organization]
Step 4: Configure Token Claims
Step 4: Configure Token Claims
- Go to Token configuration
- Click Add optional claim → ID
- Select:
email
,family_name
,given_name
,preferred_username
- For role mapping, click Add groups claim:
- Select Security groups
- Under ID, select Group ID
Step 5: Configure in Bland
Step 5: Configure in Bland
- In Bland, go to Settings → SSO → Add Provider
- Select OIDC (OpenID Connect)
- Enter:
- Provider ID: Your chosen ID (e.g.,
company-azure
) or leave blank to auto-generate - Email Domain:
company.com
- Issuer URL:
https://login.microsoftonline.com/[tenant-id]/v2.0
(Replace[tenant-id]
with your Directory (tenant) ID) - Client ID: Application (client) ID from Azure
- Client Secret: Secret value from Azure
- Provider ID: Your chosen ID (e.g.,
- Optional: Configure scopes (defaults to
openid email profile
) - Click Add Provider
/v2.0
for the v2.0 endpoint.Azure AD SAML Setup
Step 1: Create Enterprise Application
Step 1: Create Enterprise Application
- In Azure AD, go to Enterprise applications
- Click New application → Create your own application
- Name:
Bland SSO SAML
- Select: Integrate any other application you don’t find in the gallery
- Click Create
Step 2: Configure SAML
Step 2: Configure SAML
- Go to Single sign-on → Select SAML
- Edit Basic SAML Configuration:
- Identifier (Entity ID):
https://api.bland.ai/sp/[provider-id]
(Replace[provider-id]
with your chosen ID, e.g.,company-azure-saml
) - Reply URL:
https://api.bland.ai/authorization/sso/saml2/callback/[provider-id]
- Sign on URL:
https://app.bland.ai/login
- Identifier (Entity ID):
Step 3: Configure Attributes
Step 3: Configure Attributes
Claim Name | Source Attribute |
---|---|
emailaddress | user.mail |
givenname | user.givenname |
surname | user.surname |
name | user.displayname |
email
, firstName
, lastName
, name
Step 4: Download Certificate
Step 4: Download Certificate
- In SAML Certificates, download Certificate (Base64)
- Copy Login URL and Azure AD Identifier
Step 5: Configure in Bland
Step 5: Configure in Bland
- Go to Settings → SSO → Add Provider
- Select SAML 2.0 as Provider Type
-
Enter basic configuration:
- Provider ID: Your chosen ID (e.g.,
company-azure-saml
) or leave blank to auto-generate - Email Domain:
company.com
- Issuer URL: Azure AD Identifier from Step 4
- Provider ID: Your chosen ID (e.g.,
-
Choose configuration method:
Option 1: Manual Configuration
- Entry Point: Login URL from Azure
- X.509 Certificate: Paste the downloaded certificate (Base64)
- Download Federation Metadata XML from Azure
- Paste the entire XML in the IdP Metadata XML field
- Click Add Provider
- Download SP metadata using the “Metadata” button if needed by Azure
Azure AD Compliance & Advanced Features
Compliance Considerations:- Azure AD provides detailed audit logs with configurable retention
- Use Privileged Identity Management (PIM) for just-in-time admin access
- Enable Identity Protection for risk-based conditional access
- Configure log retention per compliance requirements (GDPR, HIPAA, etc.)
- Conditional Access Policies: Require MFA, restrict by location/device
- Risk-Based Policies: Block or challenge risky sign-ins
- Device Compliance: Require managed/compliant devices
Google Workspace
Access Admin Console
Add Custom SAML App
- Go to Apps → Web and mobile apps
- Click Add app → Add custom SAML app
- Enter:
- App name:
Bland SSO
- App description:
Single Sign-On for Bland AI
- App name:
- Click Continue
Download IdP Metadata
- SSO URL
- Entity ID
- Certificate
- Or download the full metadata XML
Configure Service Provider
- ACS URL:
https://api.bland.ai/authorization/sso/saml2/callback/[provider-id]
(Replace[provider-id]
with your chosen ID, e.g.,company-google
) - Entity ID:
https://api.bland.ai/sp/[provider-id]
- Start URL:
https://app.bland.ai/login
(optional) - Signed response: ✅ Checked
- Name ID format:
EMAIL
- Name ID:
Basic Information > Primary email
Configure Attributes
Google Directory | App Attribute |
---|---|
Primary email | |
First name | firstName |
Last name | lastName |
Full name | name |
Configure in Bland
- Go to Settings → SSO → Add Provider
- Select SAML 2.0 as Provider Type
- Enter:
- Provider ID: Your chosen ID (e.g.,
company-google
) or leave blank to auto-generate - Email Domain:
company.com
- Issuer URL: Entity ID from Google
- Provider ID: Your chosen ID (e.g.,
- Choose configuration method:
- Option 1: Metadata Import - Paste the metadata XML from Google
- Option 2: Manual Configuration - Enter SSO URL and Certificate
- Click Add Provider
- If you let Bland auto-generate the Provider ID, update your Google Workspace app configuration with the generated ID
- Enable the app for desired organizational units in Google Admin Console
Test Configuration
- In the Bland SSO app, click Test SAML login
- This opens the SSO flow in a new tab
- Use the Test button in SSO settings
- Or test with an incognito browser window
Google Workspace Security Features
Context-Aware Access:- Configure access levels based on device trust status, IP location, and user/group membership
- Access Transparency: Logs of admin actions (Enterprise editions)
- Data Regions: Configure data residency requirements
- Audit Logs: Export SAML events to BigQuery for analysis
- SIEM Integration: Connect logs to security monitoring tools
- Enable password alert for compromised passwords
- Configure strong password requirements
- Regular rotation policies
Other Identity Providers
Auth0
OIDC Configuration
OIDC Configuration
- Create new Application → Regular Web Application
- Settings:
- Allowed Callback URLs:
https://api.bland.ai/authorization/sso/callback/[provider-id]
(Replace[provider-id]
with your chosen ID, e.g.,company-auth0
) - Allowed Web Origins:
https://app.bland.ai
- Allowed Callback URLs:
- In Bland, configure with:
- Provider ID: Your chosen ID or leave blank to auto-generate
- Email Domain: Your organization’s email domain
- Issuer:
https://[your-domain].auth0.com/
- Client ID and Client Secret from Auth0
- Auth0 endpoints will be auto-discovered from the issuer URL
SAML Configuration
SAML Configuration
- Create new Application → Regular Web Application
- Enable SAML2 Web App addon
- Configure:
- Application Callback URL:
https://api.bland.ai/authorization/sso/saml2/callback/[provider-id]
(Replace[provider-id]
with your chosen ID) - Settings: Configure attribute mappings for email, firstName, lastName
- Application Callback URL:
- In Bland, add SAML provider with:
- Provider ID: Your chosen ID or leave blank to auto-generate
- Auth0’s metadata or manual configuration
Ping Identity
Both OIDC and SAML supported:- OIDC: Configure redirect URI with your chosen provider ID
- SAML: Use SP Entity ID format
https://api.bland.ai/sp/[provider-id]
- Provider ID can be specified or auto-generated in Bland
OneLogin
Supports both protocols:- Create app from catalog or custom connector
- Configure with your chosen provider ID in all endpoints
- Download SP metadata from Bland after provider creation for SAML
URL Reference
OIDC Endpoints
Endpoint | URL Format | Notes |
---|---|---|
Redirect URI | https://api.bland.ai/authorization/sso/callback/[provider-id] | Replace [provider-id] with your chosen ID |
Discovery | Auto-discovery from issuer URL | Endpoints fetched automatically |
SAML Endpoints
Endpoint | URL Format | Notes |
---|---|---|
ACS URL | https://api.bland.ai/authorization/sso/saml2/callback/[provider-id] | Assertion Consumer Service URL |
SP Entity ID | https://api.bland.ai/sp/[provider-id] | Service Provider identifier |
SP Metadata | Generated after provider creation | Download from SSO settings |
company-okta
, acme-azure
) or leave it blank to auto-generate. Once created, the provider ID cannot be changed.Troubleshooting
Common OIDC Issues
Invalid redirect URI
Invalid redirect URI
- Copy exact URI from Bland including provider ID
- Check for trailing slashes or spaces
- Ensure HTTPS is used
Invalid client credentials
Invalid client credentials
- Regenerate client secret in IdP
- Update immediately in Bland
- Verify no extra spaces when pasting
Invalid issuer
Invalid issuer
- Include or remove trailing slashes as required by your IdP
- For Azure: Use
/v2.0
endpoint for v2.0 tokens - For Okta: Use your Okta domain (with or without
/oauth2/default
based on your setup) - Verify the issuer URL matches exactly what your IdP expects
Common SAML Issues
Invalid SAML Response
Invalid SAML Response
- Set NameID format to
emailAddress
- Use “Unspecified” for attribute name format
- Ensure email attribute is mapped
Signature validation failed
Signature validation failed
- Re-download certificate from IdP
- Include full certificate with BEGIN/END lines
- Check certificate expiration
Audience validation failed
Audience validation failed
- Ensure Entity ID matches exactly:
https://api.bland.ai/sp/[provider-id]
- Use the same provider ID in both Bland and your IdP
- If you auto-generated the ID, copy it from Bland to your IdP
- Check for typos, extra spaces, or case sensitivity
account_not_found
account_not_found
- Verify attribute mappings in IdP
- Ensure user has email in IdP profile
- Check attributes are being sent in response
Testing Your Configuration
- Use Test Button: In Bland SSO settings, click Test next to your provider
- Check Browser Console: Open Developer Tools (F12) → Network tab for detailed errors
- Verify in IdP: Check IdP audit logs for authentication attempts
- Test with Different User: Try a non-admin account to verify permissions
- Test in Incognito Mode: Always test in incognito/private browsing mode to avoid cached sessions
Advanced Debugging Tools
For SAML:- SAML Chrome Panel - Chrome extension
- SAML-tracer - Firefox addon
- Capture and decode SAML responses to verify attributes
- Use jwt.io to decode ID tokens
- Verify
iss
(issuer),aud
(audience), and claims
- Export HAR file from browser Network tab for support
Debug Checklist
- Email domain matches exactly (no www, no subdomains)
- Provider is active in Bland settings
- User is assigned to application in IdP
- URLs updated with actual provider ID
- Certificates valid and not expired (SAML)
- Client secrets valid and not expired (OIDC)
- Attributes properly mapped
- Test button works successfully
Security Best Practices
Certificate & Secret Management
- SAML Certificates:
- Monitor expiration dates (typically 1-3 years)
- Rotate during low-usage periods
- Keep backup of current working certificates
- OIDC Secrets:
- Rotate every 6-12 months
- Regenerate in IdP first, then update in Bland immediately
- Never share secrets via email or chat
- Document rotation procedures for your team
- Test immediately after rotation with non-admin account
Access Control
- Use Groups: Manage access via IdP groups rather than individual assignments
- Regular Audits: Review SSO access quarterly
- Immediate Revocation: Remove departing employees promptly
- MFA Enforcement: Require multi-factor authentication in your IdP
Monitoring
- Enable SSO audit logging in your IdP
- Monitor failed authentication attempts
- Set up alerts for unusual patterns
- Review logs during security incidents
- Regular Reviews:
- Audit user access monthly
- Review IdP logs weekly
- Check for deprecated features quarterly
Platform-Specific Security Recommendations
Okta:- Don’t assign to “Everyone” unless intended
- Use Okta Verify or hardware tokens for higher security
- Review system logs for suspicious activity regularly
- Use Conditional Access for location/device restrictions
- Enable risk-based authentication policies
- Implement Privileged Identity Management (PIM)
- Enable Context-Aware Access levels
- Use Security Keys for admin accounts
- Configure data residency requirements
Role Mapping & Group Inheritance
Bland automatically maps IdP groups and roles to organization permissions, enabling seamless role inheritance from your existing identity provider.How It Works
When users sign in via SSO, Bland reads their group memberships from the IdP and automatically assigns the appropriate role in your organization.Supported Group Mappings
Groups are mapped based on their names. The following patterns are recognized: Admin Role:Bland AI - Static - Admin
bland-admin
- Groups containing:
admin
,administrator
,owner
,manager
,super
- Example:
IT-Admin
,Super-Users
,Organization-Administrators
Bland AI - Static - Operator
bland-operator
- Groups containing:
operator
,support
- Example:
Support-Team
,Call-Operators
Bland AI - Static - Viewer
bland-viewer
- Groups containing:
viewer
,read-only
,readonly
- Example:
Read-Only-Users
,Audit-Viewers
operator
role.
IdP-Specific Configuration
Okta Configuration
Okta Configuration
-
Create Groups in Okta Directory → Groups:
Bland AI - Static - Admin
Bland AI - Static - Operator
Bland AI - Static - Viewer
-
Assign Groups to Application:
- Go to your Bland SSO app → Assignments
- Assign the groups (not just users)
-
Configure Groups Claim:
- Go to Security → API → Authorization Servers → Your Server
- Claims tab → Add Claim
- Name:
groups
- Include in: ID Token
- Value type: Groups
- Filter: Matches regex
.*
-
Add Groups Scope (if needed):
- Scopes tab → Add Scope
- Name:
groups
- Display: Access to user groups
Azure AD Configuration
Azure AD Configuration
-
Create Security Groups:
- Azure AD → Groups → New Group
- Type: Security
- Names:
Bland AI - Static - Admin
, etc.
-
Configure Groups Claim:
- App Registration → Token configuration
- Add groups claim → Security groups
- Select: Group ID
-
Map Group Names (Optional):
- Enterprise App → Single sign-on → Attributes & Claims
- Add group claim with transformation to send group names instead of IDs
Google Workspace Configuration
Google Workspace Configuration
-
Create Groups in Google Admin:
- Groups → Create Group
- Names:
bland-admin@company.com
, etc.
-
Configure Group Attribute:
- In SAML app configuration
- Add attribute:
groups
- Google Directory attribute:
Groups
- Filter: Can specify specific groups or all
ADFS Configuration
ADFS Configuration
-
Configure Group Claims:
- Edit Claim Rules → Add Rule
- Send LDAP Attributes as Claims
- Attribute: Token-Groups - Unqualified Names
- Outgoing Claim Type:
groups
-
Or use Role Claims:
- Send LDAP Attributes as Claims
- Attribute: Token-Groups - Unqualified Names
- Outgoing Claim Type:
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Dynamic Role Updates
- Automatic Sync: Roles are checked and updated on each login
- Immediate Effect: Role changes in your IdP take effect on next user login
- No Manual Updates: Admins don’t need to manually manage user roles in Bland
Custom Role Mapping
For enterprise customers with specific requirements:- Custom Group Names: Map your existing group structure
- Complex Rules: Combine multiple groups or attributes
- Department-Based: Map based on department or other attributes
Testing Role Mapping
-
Verify Groups in Token:
- Use browser DevTools during SSO login
- Check Network tab for the callback request
- For OIDC: Decode the ID token at jwt.io
- For SAML: Use SAML Chrome Panel or SAML-tracer
- Confirm
groups
claim contains expected values
-
Check Role Assignment:
- After login, verify user role in Organization Settings → Members
- Admin users see full settings access and can manage members
- Operators have standard access to make and manage calls
- Viewers have read-only access to view calls and analytics
-
Test Different Scenarios:
- User with single group membership
- User with multiple groups (highest privilege wins)
- User with no groups (defaults to operator)
- Group name changes in IdP
Troubleshooting Group Inheritance
Groups not appearing in token
Groups not appearing in token
- Verify groups claim is configured in IdP
- Check user is member of groups
- Ensure groups are assigned to application (Okta)
- Confirm groups scope is requested (OIDC)
Wrong role assigned
Wrong role assigned
- Check exact group names in token
- Verify group name matches mapping pattern
- Look for typos or case sensitivity issues
- Confirm no conflicting group memberships
Role not updating
Role not updating
- User must log out and log in again
- Clear browser cookies/cache
- Verify group membership changed in IdP
- Check IdP audit logs for group changes
Important Notes
- Users signing in via SSO still need to verify their phone number during first-time setup
- SSO users are automatically added to your organization
- Each email domain can only be configured for one organization
- Existing users are automatically converted to SSO on first SSO login
Frequently Asked Questions
Which protocol should I choose: OIDC or SAML?
Which protocol should I choose: OIDC or SAML?
- You’re using modern IdPs (Okta, Auth0, Azure AD)
- You want simpler configuration
- You need refresh tokens
- You’re building mobile apps
- Starting fresh with SSO
- Want better mobile app support
- Required by your IdP (Google Workspace)
- Mandated by security policy
- You need encrypted assertions
- Integrating with legacy systems
- Your organization already uses SAML for other applications
- You require specific SAML features like encrypted assertions
Can I have multiple SSO providers?
Can I have multiple SSO providers?
- Different domains
- Different protocols (OIDC and SAML)
- Different identity providers
What happens to existing users?
What happens to existing users?
Can I test without affecting production users?
Can I test without affecting production users?
- Create a test provider with a subdomain
- Test with a small group first
- Roll out to entire organization
How do I migrate from OIDC to SAML or vice versa?
How do I migrate from OIDC to SAML or vice versa?
- Create new provider with same domain
- Test with select users
- Delete old provider
- Users will seamlessly use new protocol
What if my domain is already registered?
What if my domain is already registered?
Do you support SCIM for user provisioning?
Do you support SCIM for user provisioning?
Can I skip phone verification for SSO users?
Can I skip phone verification for SSO users?
How do I handle certificate expiration?
How do I handle certificate expiration?
- Get new certificate from IdP
- Update in Bland before old expires
- Test with Test button
- No downtime if done before expiration
What data is shared between IdP and Bland?
What data is shared between IdP and Bland?
Getting Support
When contacting support, provide:- Organization ID and Provider ID
- Error message and screenshots
- Time of error (with timezone)
- IdP type (OIDC/SAML) and vendor
- Browser console errors (F12 → Console)
- For SAML: Sanitized SAML response (remove sensitive data)
Contact Information
- Email: hello@bland.ai
- Documentation: This guide
- Status Page: status.bland.ai
IdP Vendor Support
- Okta: support.okta.com
- Microsoft: support.microsoft.com
- Google: support.google.com/a
- Auth0: support.auth0.com
Appendix: Error Code Reference
Error Code | Meaning | Solution |
---|---|---|
INVALID_ISSUER | Issuer URL format invalid | Check URL format, remove trailing slash |
DOMAIN_CONFLICT | Domain already used | Contact support to transfer domain |
SSO_PROVIDER_NOT_FOUND | Provider doesn’t exist | Verify provider ID is correct |
SIGNATURE_VALIDATION_FAILED | SAML signature invalid | Update certificate from IdP |
INVALID_CLIENT_CREDENTIALS | OIDC auth failed | Check client ID/secret |
ACCOUNT_LINKING_FAILED | Cannot link SSO account | Contact support with details |
METADATA_FETCH_FAILED | Cannot retrieve metadata | Check metadata URL accessibility |
USER_NOT_AUTHORIZED | User not assigned in IdP | Add user to application in IdP |