Single Sign-On (SSO) is the ability to use an Identity Provider (IDP) to log into Bill.com.
- Who is eligible for SSO?
- How will SSO work with Bill.com?
- Which identity providers (IDPs) are supported?
- What do I need to provide to have the SSO feature enabled?
- Is data shared between my identity provider and Okta?
- Who should I inform about the SSO feature once it's enabled?
- Will SSO work on the mobile app?
- What happens if I remove a user from our identity provider?
- How do I remove SSO if we change our mind?
Who is eligible for SSO?
Currently, SSO is available for Bill.com accounts syncing with Sage Intacct, Oracle NetSuite, or QuickBooks Enterprise. We are looking into supporting additional account types in the future. Stay tuned!
How will SSO work with Bill.com?
Once SSO is enabled:
- All users with login email addresses on the domain you provide us to whitelist will log into Bill.com through SSO
- Users with an email address with a different domain will log in the same way they do today, from the Bill.com login page
Which identity providers (IDPs) are supported?
Examples of IDPs we support include:
- Google GSuite
- Microsoft Azure
- Active Directory
There are some other identity providers that can be supported, but we don’t support identity providers using OAuth 1.0.
What do I need to provide to have the SSO feature enabled?
Security Assertion Markup Language (SAML) IDPs (Okta, GSuite, Microsoft Azure)
- IDP username
- IDP single sign-on URL
- IDP issuer URI (i.e., EntityId)
- IDP issuer certificate
To support just-in-time provisioning, firstName, lastName, email, and NameID (same as email) all need to be configured in your IDP as part of the SAML assertion.
OpenID Connect (OIDC) IDPs
- Client ID
- Client Secret
- Well-known Endpoint
Is data shared between my identity provider and Okta?
- There's no personal data shared between the identity provider and Okta directly other than attributes that help identify the user. These attributes are part of a SAML assertion (XML document) that's sent to Okta in a secure manner.
Who should I inform about the SSO feature once it's enabled?
- Inform all users on your Bill.com account with the whitelisted domain you provide us. They'll need to sign into Bill.com using SSO after implementation of the feature.
Will SSO work on the mobile app?
- Yes, once SSO is implemented, it'll also apply to the Bill.com mobile app. You'll need to have the most recent version of the mobile app.
What happens if I remove a user from our identity provider?
- If the user has the whitelisted domain for their login email, that user won't be able to log into your Bill.com account
How do I remove SSO if we change our mind?
- Contact Customer Support by selecting Contact us at the top of this page
- Once the SSO feature is removed:
  - If you’ve never logged into Bill.com using a password before, you'll need to trigger a password reset from the Bill.com login page to create a password to be able to log into Bill.com again
  - If you’ve created a password before, your prior password will still work