Single Sign-On (SSO)

Grail supports Single Sign-On with Google and Microsoft identity providers. When enabled, users see “Sign in with Google” and “Sign in with Microsoft” buttons on the login page alongside the standard email/password form.

SSO is configured at the organization level — an admin enables the providers, and optionally configures email domains for automatic user signup.

Enabling SSO

Go to Organization Settings

Navigate to Organization Settings from the navigation menu. (Only admins can access this page.)
Enable a provider

Under the Single Sign-On section, toggle Google SSO or Microsoft SSO on.
Add auto-signup domains (optional)

Once a provider is enabled, an SSO Auto-Signup Domains section appears. Add your organization’s email domains (e.g. yourchurch.org) so that anyone with a matching email address is automatically added to your organization when they sign in via SSO.

Each domain has a default role (Viewer or Editor) that new users receive on first sign-in.

How It Works

Existing users — If a user’s email matches an existing account, they sign in to that account via SSO. No new account is created.
New users with a matching domain — If the user’s email domain matches one of your auto-signup domains, a new account is created automatically with the domain’s default role.
New users without a matching domain — Sign-in is denied. An admin must first create their account or add their email domain to the auto-signup list.

Managing SSO Access

Admins can control SSO at two levels:

Organization level — Enable or disable Google and Microsoft SSO from Organization Settings. Disabling a provider removes its button from the login page.
Domain level — Add or remove auto-signup domains to control which email domains can self-register via SSO.

Password login remains available by default alongside SSO. Users can sign in with whichever method is enabled for their account.