Single sign-on — Microsoft & Google

Klaxel supports single sign-on with Microsoft Entra and Google, both over OpenID Connect. Your team clicks Continue with Microsoft or Continue with Google on the sign-in page and authenticates with their existing work account. Linking is attested-only: Klaxel signs a person in on their identity address only when the provider has verified they own that email, so a sign-on can never be steered onto someone else's account.

Both the login and signup pages carry a Continue with Microsoft and a Continue with Google button alongside the email option. Choosing one sends the person to that provider to authenticate, then back to Klaxel — a standard OpenID Connect handshake, protected with state, nonce, and PKCE so the round-trip can't be forged or replayed. Microsoft sign-in uses the work-and-school (organizations) audience, so people sign in with their company Microsoft Entra account; personal Microsoft consumer accounts aren't used.

The identity is the person's verified email, and only that. When a provider returns a sign-in, Klaxel reads the email claim and requires the provider to have attested that the person actually owns it — Google's verified-email flag, or Microsoft Entra's email-domain-owner verification. If the email is attested and already belongs to a Klaxel user, they're signed into their account. If it's attested and new, a fresh account is created for them. If the provider hasn't verified the email, the sign-in is refused rather than guessed — this is what stops a look-alike token from any tenant being used to slip into an existing account.

Sign in with Microsoft or Google

  1. On the Klaxel sign-in (or sign-up) page, choose Continue with Microsoft or Continue with Google.
  2. Authenticate with your provider as normal — including your organization's own sign-in policies.
  3. You're returned to Klaxel and signed in on your verified email address.
  4. If two-factor isn't already satisfied by your provider's sign-in, Klaxel walks you through setting up its own authenticator code before you reach the dashboard — two-factor is mandatory either way.
Note

Joining a team is always a deliberate step. Signing in with Microsoft or Google authenticates you as yourself — it never auto-joins you to someone else's account just because there's a pending invite for your address. The only way to join another account is to click that account's invite link, so a single sign-on can't sidestep the invite's consent.

Note

SSO and two-factor work together. If your provider's sign-in already asserted a strong second factor, that satisfies Klaxel's two-factor requirement for the session. A weak factor (for example a bare email one-time code) does not — Klaxel then has you set up its own authenticator code, so every session clears real two-factor.

Frequently asked questions

Which single sign-on providers does Klaxel support?

Microsoft Entra and Google, both over OpenID Connect. There's a Continue with Microsoft and a Continue with Google button on the sign-in and sign-up pages. Microsoft uses the work-and-school (organizations) audience, so people sign in with their company Microsoft account rather than a personal consumer one.

How does Klaxel decide which account an SSO sign-in belongs to?

By the provider-verified email, and only that. Klaxel signs you in on your identity email when the provider has attested you own it (Google's verified-email flag or Microsoft's email-domain-owner verification). An attested email that already exists signs into that account; an attested new email creates a fresh account. It never links on an unverified or aliased address.

What if the provider hasn't verified my email?

The sign-in is refused rather than linked on a guess. Klaxel only ever keys identity to a provider-attested email, so an unattested or alias claim can't be used to reach an existing account — a deliberate guard against account takeover.

Does signing in with Google or Microsoft join me to my team's account?

No. SSO authenticates you as yourself; it doesn't auto-join another account even if there's a pending invite for your address. To join a team you click its invite link — that explicit acceptance is the only path in, so single sign-on can't bypass the invite's consent.

Do I still need two-factor if I use SSO?

Two-factor is always required. If your provider's sign-in asserted a strong second factor, that satisfies it for the session. If it didn't (a bare one-time code doesn't count), Klaxel has you set up its own authenticator code so the session still clears genuine two-factor.

Put this to work across your whole client list.

Daily monitoring and alerts for every domain you manage — from $99/mo, 14-day free trial.

Single sign-on — Microsoft & Google — Klaxel