
Overview

bLIS supports multiple authentication methods so you can choose the approach that best fits your organization. You manage all providers in Administration → Authentication. Single sign-on (SSO) via OpenID Connect or SAML lets users log in with their existing organizational credentials. This provides significant security and operational benefits:
  • Centralized access control — Manage who can access bLIS from your identity provider (IdP). When you deactivate a user in your IdP, they immediately lose access to bLIS.
  • Multi-factor authentication — bLIS inherits MFA from your IdP, so you don’t need to manage a separate MFA configuration.
  • Reduced credential risk — Users don’t create or manage a separate bLIS password, eliminating password reuse and weak password risks.
  • Simplified onboarding — New users sign in with their existing organizational account and are automatically provisioned in bLIS.
OpenID Connect is the preferred method. It’s the most modern protocol, simpler to configure than SAML, and supported by all major identity providers including Microsoft Entra ID, Google Workspace, Okta, and Auth0.
For step-by-step setup with Microsoft Entra ID, see the guides:

Authentication methods

Method           | Protocol         | Description
OpenID Connect   | OIDC / OAuth 2.0 | SSO via an external identity provider. Preferred for most organizations.
SAML             | SAML 2.0         | SSO via an external identity provider. Common in enterprise environments.
Email magic link | Email            | Passwordless login — users receive a link via email and click it to sign in.
Email OTP        | Email            | Passwordless login — users receive a one-time code via email and enter it to sign in.

OpenID Connect

OpenID Connect (OIDC) is a modern authentication protocol built on OAuth 2.0. It’s the simplest SSO option to configure and is supported by all major identity providers. To set up an OIDC provider:
  1. Register an application in your identity provider and note the client ID, client secret, and endpoints.
  2. In bLIS, go to Administration → Authentication and click Add Provider.
  3. Set the type to OPENID, add your email domains, and save.
  4. Add the provider configuration entries (client_id, client_secret, issuer, endpoints).
Common providers: Microsoft Entra ID, Google Workspace, Okta, Auth0, Keycloak

SAML

SAML 2.0 is a widely used enterprise SSO protocol. It’s more complex to configure than OIDC but is required by some organizations. To set up a SAML provider:
  1. Create a SAML application in your identity provider with the bLIS ACS URL and Entity ID.
  2. Download the IdP metadata, certificate, and endpoint URLs.
  3. In bLIS, go to Administration → Authentication and click Add Provider.
  4. Set the type to SAML, add your email domains, and save.
  5. Add the provider configuration entries (idp_metadata_url, idp_entity_id, idp_sso_url, idp_cert).
Common providers: Microsoft Entra ID, Okta, Google Workspace

Email magic link

Email magic link authentication sends a unique login link to the user’s email address. It’s useful for users who don’t have an organizational IdP or need occasional access.
  1. In bLIS, go to Administration → Authentication and click Add Provider.
  2. Set the type to EMAIL and select Magic link as the delivery method.
  3. Add email domains (or leave empty to allow any email address).
  4. Ensure outbound email is configured.
Users enter their email on the login page, receive a link, and click it to sign in. Links expire after a configurable period (default: 15 minutes).

Email OTP

Email OTP authentication sends a one-time passcode to the user’s email address. Like magic link, it’s a passwordless option for users without IdP access.
  1. In bLIS, go to Administration → Authentication and click Add Provider.
  2. Set the type to EMAIL and select OTP as the delivery method.
  3. Add email domains (or leave empty to allow any email address).
  4. Ensure outbound email is configured.
Users enter their email on the login page, receive a code, and enter it to sign in. Codes expire after a short period.

Provider configuration

Each authentication provider has the following settings:
Field         | Description
Name          | Unique provider name (e.g., “Microsoft OIDC”)
Type          | OPENID, SAML, or EMAIL
Is Default    | Whether this is the default login method
Email Domains | Domains that route to this provider (e.g., hospital.org)
Description   | Optional notes about the provider

Email domain routing

bLIS routes users to the correct provider based on their email domain. This lets you support multiple authentication methods at the same time:
@hospital.org    → OPENID (Microsoft Entra ID)
@clinic.com      → SAML (Okta)
@consultant.com  → EMAIL (Magic link)
To configure routing:
  1. Edit each provider and add domains in the Email Domains field (without the @).
  2. Set one provider as Is Default for users whose domain doesn’t match any provider.
When a user enters their email on the login page, bLIS automatically selects the matching provider.

Default provider

The Is Default flag determines which provider appears prominently on the login page:
  • The default provider’s login button is shown first.
  • Other providers appear as secondary options.
  • Only one provider can be marked as default.
Set your most common authentication method as the default.

Auto-provisioning

When a user logs in via SSO for the first time, bLIS automatically provisions their account:
  1. bLIS checks if a user with the same email already exists.
  2. If not, it creates a new user using the attributes from the identity provider.
  3. The user is logged in immediately.
This just-in-time (JIT) provisioning eliminates the need to pre-create user accounts.
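Email domain routing and just-in-time provisioning as one worked example (added here; this is not bLIS code). It assumes a small in-memory provider list and user store constructed to mirror the routing table above, and adds one check the page does not describe: a provider may only assert emails whose domain routes to it.

```python
from dataclasses import dataclass

@dataclass
class Provider:
    name: str
    type: str                 # OPENID, SAML or EMAIL
    email_domains: frozenset  # configured without the leading "@"
    is_default: bool = False

# Constructed sample configuration mirroring the routing table in the text.
PROVIDERS = [
    Provider("Microsoft OIDC", "OPENID", frozenset({"hospital.org"}), is_default=True),
    Provider("Okta SAML", "SAML", frozenset({"clinic.com"})),
    Provider("Email magic link", "EMAIL", frozenset({"consultant.com"})),
]

def email_domain(email: str) -> str:
    """Return the lowercased domain of an address; reject malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()

def select_provider(email: str, providers=PROVIDERS) -> Provider:
    """Route to the provider whose Email Domains contains the address's domain
    (case-insensitive), otherwise to the single Is Default provider."""
    domain = email_domain(email)
    for p in providers:
        if domain in {d.lower().lstrip("@") for d in p.email_domains}:
            return p
    defaults = [p for p in providers if p.is_default]
    if len(defaults) != 1:
        raise LookupError("unmatched domain and no unique default provider")
    return defaults[0]

USERS = {}  # constructed in-memory user store keyed by normalized email

def jit_provision(provider: Provider, claims: dict, providers=PROVIDERS):
    """Find or create the user for an SSO login; returns (user, created).
    Added check (assumption, not documented bLIS behaviour): the asserted email
    must route to the provider that authenticated it."""
    email = claims["email"].strip().lower()
    if select_provider(email, providers) is not provider:
        raise PermissionError(f"{provider.name} may not assert {email}")
    user = USERS.get(email)
    if user is not None:
        return user, False  # existing account: log in, nothing changes
    user = {"email": email, "name": claims.get("name", ""), "idp": provider.name}
    USERS[email] = user
    return user, True       # first login: account provisioned just in time
```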