Single Sign On
      Back to home
      1. RKL Virtual Customer Support Center
      2. Bill.com
      3. Single Sign On

      What are some frequently asked questions about Single Sign On (SSO)?

      Read all of the FAQs about Single Sign-On (SSO) in BILL.

      Who is eligible for SSO?

      You can add SSO if you have an advanced, paid BILL account.

      How will SSO work with BILL?

      Once SSO is enabled:

      • All users with login email addresses on the domain you provide us to allow will log into BILL through SSO
      • Users with an email address with a different domain will log in the same way they do today, from the BILL login page

      Which identity providers (IDPs) are supported?

      Examples of IDPs we support include:

      • Okta
      • Google GSuite
      • Microsoft Azure
      • Active Directory
      • OneLogin
      • Ping
      • Duo
      • CyberArk
      • Digital Resolve
      • JumpCloud
      • Rippling
      • SecureAuth

      There are some other identity providers that can be supported, but we don’t support identity providers using OAuth 1.0.

      What do I need to provide to have the SSO feature enabled?

      • Security Assertion Markup Language (SAML) IDPs (Okta, GSuite, Microsoft Azure)
        • IDP username
        • IDP single-sign on URL
        • IDP issuer URI i.e. EntityId
      • IDP issuer certificate
      • To support just-in-time provisioning, firstName, lastName, email, and NameID (same as email) all need to be configured in your IDP as part of the SAML assertion
      OpenID Connect (OIDC) IDPs
      • Client ID
      • Client Secret
      • Scopestd
      • Well-known Endpoint

      What is the cost to enable SSO?

      • There is no cost to enable SSO.

      Is data shared between my identity provider and Okta?

      • There's no personal data shared between the identity provider and Okta directly other than attributes that help identify the user. These attributes are part of an SAML assertion (XML document) that's sent to Okta in a secure manner.

      Who should I inform about the SSO feature once it's enabled

      • Inform all users on your BILL account with the allowed domain you provide us, they'll need to sign into BILL using SSO after implementation of the feature

      Will SSO work on the mobile app?

      • Yes, once SSO is implemented, it'll also apply to the BILL mobile app. You'll need to have the most recent version of the mobile app.

      What happens if I remove a user from our identity provider?

      • If the user has the allowed domain for their login email, that user won't be able to log into your BILL account

      How do I remove SSO if we change our mind?

      • Contact Customer Support by selecting the Contact Us or BILL Virtual Assistant button on this page
      • Once the SSO feature is removed,
        • If you’ve never logged into BILL using a password before, you'll need to trigger a password reset from the BILL login page to create a password to be able to log into BILL again
        • If you’ve created a password before, your prior password will still work