Skip to main content

Transform Help Center

Single sign-on (SSO)

Table of contents
  • Introduction

  • Inviting external user



This feature needs to be unlocked for your account. If you are interested, please contact

Single sign-on (SSO) is an authentication method that allows you to authorize once and use multiple applications without having to authorize again.

To use the single sign-on method in billwerk, you have to connect an identity provider, e.g., an active directory, with billwerk. billwerk supports the OpenID Connect protocol and Azure Active Directory.

billwerk distinguish between internal users and external users. Internal users are created and managed in billwerk. External users are provided and managed by the connected identity provider.

As soon as an external user logs into billwerk the first time, the user is created in billwerk. When the user data in the identity provider are updated, billwerk will update the user data of the external user. You can also invite external users. The user will then be pre-created.


  • External Id and email address cannot be edited in billwerk.

  • Users of the identity provider cannot be edited in billwerk.

  • When the roles and users are provided by Azure Active Directory , the external user is read only.

  • When the roles of the users provided by Azure Active Directory are managed in billwerk, only the roles are editable.

  • When the roles are provided by Open ID Connect, the roles are not visible.

  • When the roles of the users provided by Open ID Connect are managed in billwerk, only the roles are editable.

  • Single sign-off out of billwerk is not possible.



User calls billwerk


Request is sent to user's browser


Access is requested from the identity provider


User logs in if necessary


Token is sent to user's browser


Token with the user's identity is sent to billwerks endpoint


Request is received by billwerk and user is validated


Access is granted

Inviting external user
  1. To get to the User Accounts, click on your email address > Account in the top right corner.

  2. In the ACCOUNT section, click User Accounts.

  3. Click the Invite User button.

  4. Select External User in the User Type dropdown-list.

  5. Fill in the required fields.

  6. Select the roles.


    If the External Role Assignments Strategy in the settings is set to RolePerLegalEntity or OneRoleForAllLegalEntities it is not possible to select roles. Roles provided by Identity Provider are assigned.
  7. Click Save.