SSO Setup Overview | Bagel Help Center

Single Sign-On (SSO)

Bagel AI supports secure authentication via:

Google Sign-In (OAuth 2.0)
Optional SAML 2.0 SSO (for enterprise customers)
Just-in-Time (JIT) user provisioning

Google SSO Flow

Users select “Sign in with Google”
Google handles authentication securely
Upon successful verification, the user is logged into Bagel
If enabled, users are automatically provisioned on first login (JIT)

No passwords are stored in Bagel when using Google SSO.

For enterprise SAML setup, we provide:

ACS URL
Entity ID
Required attribute mappings (Email required)
Metadata exchange instructions

Setup SAML on Microsoft Entra ID (Azure AD)

Step 1: Create the SAML Application in Entra ID
1. Log into the Microsoft Entra admin center (or Azure portal) and go to Microsoft Entra ID → Enterprise applications
2. Click New application → Create your own application
3. Name it Bagel AI, then select “Integrate any other application you don’t find in the gallery (Non-gallery)” and click Create
4. Once created, open the app and go to Single sign-on → SAML
  (App logo can be set later under Properties if desired.)
Step 2: Configure SAML Settings

Connection name (same convention as before): bagel-{customerName}-saml

In Section 1 – Basic SAML Configuration (click the edit pencil):
1. Identifier (Entity ID) ← this is Okta’s Audience URI / SP Entity ID: urn:auth0:bagelapp:{connectionName}
2. Reply URL (Assertion Consumer Service URL) ← this is Okta’s Single sign-on URL: https://login.getbagel.com/login/callback?connection={connectionName}
  Sign on URL — leave empty
  Relay State — leave empty unless needed
  Logout URL — leave empty
In Section 2 – Attributes & Claims (this is where Okta’s Name ID format / Application username live):
1. Edit the Unique User Identifier (Name ID) claim
2. Set Source attribute to user.mail
3. Set Name identifier format to Email address
Step 3: Send Bagel AI your IdP details
In Entra these come from Section 3 – SAML Certificates and Section 4 – Set up Bagel AI:
- Connection Name:{connectionName}
- Sign-on URL ← Entra’s Login URL (e.g. https://login.microsoftonline.com/{tenant-id}/saml2)
- Issuer / Entity ID ← Entra’s Microsoft Entra Identifier (formerly Azure AD Identifier, e.g. https://sts.windows.net/{tenant-id}/)
- X.509 Certificate ← download Certificate (Base64) from the SAML Certificates section

Setup SAML on OKTA

Step 1: Create SAML Application in Okta
1. Log into Okta Admin Console: Navigate to Applications > Applications
2. Click “Create App Integration”
3. Select “SAML 2.0"
4. Configure General Settings:
  - App name: Bagel AI
  - App logo: ( add logo optionally )
Step 2: Configure SAML Settings
- Configure SAML tab:
- connectionName: should be bagel-{customerName}-saml
- Single sign on URL: https://login.getbagel.com/login/callback?connection={connectionName}
- Audience URI (SP Entity ID): urn:auth0:bagelapp:{connectionName}
- Default RelayState: (leave empty unless needed)
- Name ID format: EmailAddress
- Application username: Email
Finally Send these to Bagel AI's team and we'll setup the rest on our side
- Connection Name: {connectionName}
- Sign-on URL: (ex: https://[customer-domain].okta.com/app/[app-id]/sso/saml)
- Issuer/Entity ID: http://www.okta.com/[app-id]
- X.509 Certificate

User Provisioning

Depending on configuration, we can support:

Just-in-Time (JIT) user creation
SCIM-based provisioning (if enabled)
Domain-restricted access (if configured)