Single sign-on — Microsoft & Google
Klaxel supports single sign-on with Microsoft Entra and Google, both over OpenID Connect. Your team clicks Continue with Microsoft or Continue with Google on the sign-in page and authenticates with their existing work account. Linking is attested-only: Klaxel signs a person in on their identity address only when the provider has verified they own that email, so a sign-on can never be steered onto someone else's account.
Both the login and signup pages carry a Continue with Microsoft and a Continue with Google button alongside the email option. Choosing one sends the person to that provider to authenticate, then back to Klaxel — a standard OpenID Connect handshake, protected with state, nonce, and PKCE so the round-trip can't be forged or replayed. Microsoft sign-in uses the work-and-school (organizations) audience, so people sign in with their company Microsoft Entra account; personal Microsoft consumer accounts aren't used.
The identity is the person's verified email, and only that. When a provider returns a sign-in, Klaxel reads the email claim and requires the provider to have attested that the person actually owns it — Google's verified-email flag, or Microsoft Entra's email-domain-owner verification. If the email is attested and already belongs to a Klaxel user, they're signed into their account. If it's attested and new, a fresh account is created for them. If the provider hasn't verified the email, the sign-in is refused rather than guessed — this is what stops a look-alike token from any tenant being used to slip into an existing account.
Sign in with Microsoft or Google
- On the Klaxel sign-in (or sign-up) page, choose Continue with Microsoft or Continue with Google.
- Authenticate with your provider as normal — including your organization's own sign-in policies.
- You're returned to Klaxel and signed in on your verified email address.
- If two-factor isn't already satisfied by your provider's sign-in, Klaxel walks you through setting up its own authenticator code before you reach the dashboard — two-factor is mandatory either way.
Joining a team is always a deliberate step. Signing in with Microsoft or Google authenticates you as yourself — it never auto-joins you to someone else's account just because there's a pending invite for your address. The only way to join another account is to click that account's invite link, so a single sign-on can't sidestep the invite's consent.
SSO and two-factor work together. If your provider's sign-in already asserted a strong second factor, that satisfies Klaxel's two-factor requirement for the session. A weak factor (for example a bare email one-time code) does not — Klaxel then has you set up its own authenticator code, so every session clears real two-factor.
Frequently asked questions
Which single sign-on providers does Klaxel support?
Microsoft Entra and Google, both over OpenID Connect. There's a Continue with Microsoft and a Continue with Google button on the sign-in and sign-up pages. Microsoft uses the work-and-school (organizations) audience, so people sign in with their company Microsoft account rather than a personal consumer one.
How does Klaxel decide which account an SSO sign-in belongs to?
By the provider-verified email, and only that. Klaxel signs you in on your identity email when the provider has attested you own it (Google's verified-email flag or Microsoft's email-domain-owner verification). An attested email that already exists signs into that account; an attested new email creates a fresh account. It never links on an unverified or aliased address.
What if the provider hasn't verified my email?
The sign-in is refused rather than linked on a guess. Klaxel only ever keys identity to a provider-attested email, so an unattested or alias claim can't be used to reach an existing account — a deliberate guard against account takeover.
Does signing in with Google or Microsoft join me to my team's account?
No. SSO authenticates you as yourself; it doesn't auto-join another account even if there's a pending invite for your address. To join a team you click its invite link — that explicit acceptance is the only path in, so single sign-on can't bypass the invite's consent.
Do I still need two-factor if I use SSO?
Two-factor is always required. If your provider's sign-in asserted a strong second factor, that satisfies it for the session. If it didn't (a bare one-time code doesn't count), Klaxel has you set up its own authenticator code so the session still clears genuine two-factor.