SSO Support
Configure single sign-on using OpenID Connect with your identity provider.
Introduction
Bland supports OIDC-based Single Sign-On (SSO) for enterprise workspaces. This enables your users to authenticate with their existing identity provider (IdP) — such as Google Workspace, Okta, or Azure Active Directory — instead of managing separate Bland credentials.
Once connected, users from your domain can log in with Sign in with SSO, and new users will be provisioned automatically into your workspace.
Overview
To configure OIDC SSO, you will:
- Create a new client credential in your identity provider
- Register that credential in Bland as a new provider
- Whitelist the redirect URI from Bland using the provider ID
You will need:
- Client ID and Client Secret from your IdP
- Issuer URL (varies by provider)
- Authorized Redirect URI (generated using your Bland Provider ID)
1. Google Workspace
To create OIDC credentials in Google Cloud Console:
- Go to Google Cloud Console → APIs & Services → Credentials
- Click Create Credentials → OAuth client ID
- Choose Web application
- Enter a name for your client
- Leave the authorized redirect URI field blank for now — you’ll return to this after creating your provider in Bland, where the required URI (including the Provider ID) will be generated.
- Click Create
- Copy the Client ID and Client Secret
- Use
https://accounts.google.comas your Issuer URL
Once created:
- Navigate to the SSO tab in your Bland workspace settings
- Click Create New Provider
- Fill in the domain, issuer URL, and your new client credentials
- After creation, copy the Provider ID
- Return to your Google OAuth client and add the redirect URI using your Provider ID
You can find detailed help in:
Google OIDC Client Setup
2. Okta
To create an OIDC app integration in Okta:
- Log into the Okta Admin Dashboard
- Go to Applications → Create App Integration
- Choose:
- Sign-in method: OIDC – OpenID Connect
- Application type: Web Application
- Name your app
- Ensure Authorization Code is checked
- Leave the Sign-in Redirect URI empty for now — after creating your provider in Bland, you’ll receive a full redirect URI with your Provider ID to paste here.
- Click Save
- Copy the Client ID and Client Secret
- Use your issuer URL in the format:
https://<yourOktaDomain>/oauth2/default
Then:
- Go to the SSO tab in Bland
- Create a new provider with your domain, issuer, and credentials
- Copy the Provider ID
- Return to Okta and add the redirect URI using that Provider ID
Reference:
Okta OIDC App Guide
SysCloud Okta SSO Setup
3. Azure Active Directory
To register an application in Azure AD:
- Log in to the Azure Portal
- Go to Azure Active Directory → App registrations
- Click New registration
- Name your app
- Under Redirect URI, select Web and leave it empty for now — you’ll fill it in after creating your provider in Bland, which will generate the full URI using your Provider ID.
- Click Register
- In the app overview, copy the Application (client) ID (this is your Client ID)
- Go to Certificates & Secrets → New client secret to generate your Client Secret
- Your Issuer URL is typically:
https://login.microsoftonline.com/<tenant_id>/v2.0
And your OIDC metadata document:
https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration
After that:
- Go to the SSO tab in Bland
- Create your provider and input the client ID, secret, and issuer
- Copy the Provider ID
- Return to Azure and add the corresponding redirect URI to your app
Learn more:
Azure AD OIDC Setup Guide
Logging In with SSO
Once your provider is live, users can click Sign In with SSO from the Bland login page.
- Existing users: Will be matched by email and converted to SSO login. All profile info remains intact.
- New users: Will be automatically provisioned into your org after first login.
No manual invite steps are required for SSO provisioned accounts.
Redirect URI Format
The redirect URI will follow this format:
https://app.bland.ai/auth/oidc/callback/<provider_id>
You’ll see the full value in the Bland UI once your provider is created. This must be whitelisted in your identity provider’s application settings.
Important Notes
- Users signing in via SSO will still need to verify their phone number during first-time setup.
- SSO users will be automatically added to this organization with the “operator” role, unless they have an admin role defined in the SSO provider.
- Each email domain can only be configured for one organization.
- The redirect URI for your OIDC provider should be:
https://api.bland.ai/authorization/sso/callback/[provider-id]
using the provider ID from the table above. Whitelist this URI after connecting the provider to Bland.
Frequently Asked Questions
Can I test the connection after setup?
Can I test the connection after setup?
Yes — after saving your provider and whitelisting the redirect URI, attempt a Sign in with SSO using an account in the domain you configured.
What if my domain is already registered?
What if my domain is already registered?
If a domain is already attached to another provider, contact Bland support to reset or reassign it.
Can I have multiple SSO providers?
Can I have multiple SSO providers?
Yes — multiple providers can be configured for different domains or identity systems.
What happens to existing users after enabling SSO?
What happens to existing users after enabling SSO?
Their accounts will be linked automatically the next time they log in using SSO.