Bitrix24 SSO Setup Guide for HOA Teams (Identity Provider Settings)

Bitrix24 SSO is configured by connecting an identity provider (IdP) like Microsoft Entra ID (Azure AD), Google Workspace, Okta, or AD FS, then forcing login through that IdP for the HOA team, testing with a small pilot group, and only then enforcing SSO for everyone. If all requirements are already met, the main work is just: add the IdP app, copy the SSO URLs and certificate into Bitrix24, map user emails, test, and enable enforcement.

 

What SSO means (in plain terms)

 

• SSO (Single Sign-On) lets staff sign into Bitrix24 using the same work account they already use (Microsoft/Google/Okta), instead of a separate Bitrix24 password.
• IdP (Identity Provider) is the system that “proves” who the user is (Entra ID, Okta, Google).
• SAML 2.0 is the most common SSO method in Bitrix24. It uses a few URLs plus a security certificate.

 

Before you touch settings (avoid lockouts)

 

• Confirm you have Bitrix24 admin access and at least one backup admin who can still log in without SSO during testing.
• Make sure every HOA team member’s Bitrix24 login email exactly matches their IdP email. Mismatched emails are the #1 reason SSO “works” but nobody can log in.
• Decide who should use SSO: board members, management staff, vendors. Vendors often should not be forced into SSO.

 

Configure the IdP (Microsoft/Google/Okta side)

 

• Create a new SAML application for Bitrix24 in your IdP.
• Set the app’s Reply URL / ACS URL and Entity ID using the values Bitrix24 provides in its SSO setup screen.
• Download the IdP X.509 certificate (used to verify sign-ins).
• Set the SAML claim for NameID to Email (or userPrincipalName if it matches the email used in Bitrix24).
• Assign the app to a small pilot group first (example: “HOA Managers – Pilot”).

 

Configure Bitrix24 (where to put the SSO details)

 

• In Bitrix24, go to the admin area for Authentication / Single Sign-On (wording varies by plan and interface).
• Choose SAML and enter the IdP details: SSO Login URL, SSO Logout URL (if provided), and upload/paste the certificate.
• Set user matching to Email.
• Save, then use the built-in test login option if available.

 

Test correctly (so “it works” actually means it works)

 

• Test with one pilot user who already exists in Bitrix24 and is assigned in the IdP.
• Test from a normal browser session and an incognito/private window.
• Confirm: login works, logout returns cleanly, and the user lands in the correct Bitrix24 portal.

 

Common mistakes HOA teams hit

 

• Email mismatch between Bitrix24 and IdP.
• Forcing SSO too early and locking out admins.
• Wrong certificate (expired or copied from the wrong app).
• NameID not set to email, causing “user not found” errors.

 

If you already meet all requirements

 

• Skip cleanup and go straight to: create IdP app → copy URLs/cert → paste into Bitrix24 → pilot test → enable enforcement.
• After enabling, keep a non-SSO emergency admin for a short period if Bitrix24 allows it.

 

When to contact support

 

• If Bitrix24 does not show SSO options, your plan may not include SSO or it may require a specific edition.
• If SAML works in the IdP test tool but fails in Bitrix24, ask Bitrix24 support for the SAML error logs and the exact expected ACS/Entity values for your portal.