Single Sign-On (SSO)

ClaimRev supports single sign-on so your team can use your existing company login — Microsoft 365, Entra ID, Okta, or any other OpenID Connect provider — to access the ClaimRev portal. No separate ClaimRev password to remember, no extra account to manage.

Once SSO is set up for your organization, the sign-in experience is:

1. User goes to portal.claimrev.com and enters their work email address.
2. They're redirected to your company's login page (Microsoft sign-in, Okta, whichever you use).
3. They sign in the way they normally do — same password, same MFA, same conditional access policies your IT team has configured.
4. They land back in the ClaimRev portal, signed in.

If your company already has someone signed in to Microsoft 365 (or your other identity provider) in that browser session, they'll usually skip the password prompt entirely.

• One password to remember. Your users sign in with the credentials they already use every day.
• Your IT controls access. When someone leaves your organization and you disable their company account, they lose ClaimRev access automatically — no separate offboarding step.
• Your security policies apply. MFA, conditional access, password rotation, and audit logging from your identity provider all flow through to ClaimRev.
• Faster onboarding. New employees can sign in to ClaimRev as soon as their company account exists.

Any provider that supports the OpenID Connect (OIDC) standard. The ones we've connected most often:

• Microsoft Entra ID (formerly Azure AD)
• Microsoft Entra External ID
• Microsoft Azure AD B2C
• Okta
• Google Workspace
• Auth0
• Keycloak

If you have a different provider and aren't sure whether it'll work, reach out — if it speaks OIDC, we can usually connect it.

Setup is a one-time effort, typically done by your IT or identity team in coordination with ClaimRev.

In whichever IdP your company uses, create a new application (Azure calls these “App Registrations”, Okta calls them “Applications”, etc.) with the following settings:

• Redirect URI — Add this exact URL:
  https://api.claimrev.com/auth/callback
• Response mode — Form post (the callback URL must accept HTTP POST).
• Token signing — Standard OpenID Connect (no SAML).
• Required scopes — openid, email, profile.

Your IdP will give you back a Client ID and let you generate a Client Secret. Save both — you'll need them in the next step.

Email ClaimRev support with the following details:

• Your account number (the 5-character ID in your portal URL).
• Authority URL — the issuer URL from your IdP. For Microsoft tenants this looks like https://login.microsoftonline.com/<tenant-id>/v2.0.
• Client ID from step 1.
• Client Secret from step 1. (We encrypt this at rest with Google Cloud KMS — it's never stored in plaintext.)
• Email domains your employees use — e.g. @yourcompany.com, @yourcompany.org. We use these to route those users to your sign-in page automatically.

We can also pull this in self-service through the Identity Providers admin page in your portal if you have practice_admin:identity-providers permission — but a ClaimRev admin still has to approve the configuration before it goes live.

A ClaimRev admin verifies the configuration, sanity-checks the callback flow, and approves the provider. Once approved, it's active for sign-in.

Your existing ClaimRev users need to be flagged as SSO users so the portal knows to route them to your IdP instead of asking for a ClaimRev password. ClaimRev support handles this — usually as a bulk assignment for the whole account at once.

For new users going forward, just add them in the portal's User Management screen the way you always have. The SSO routing applies automatically based on their email domain.

Have one or two users try signing in. They should be redirected to your company's login, sign in, and land in the portal. If something doesn't work, see Troubleshooting below.

SSO only changes how users sign in. Everything else is the same:

• User accounts and permissions stay in ClaimRev. Roles, account access, hide-PHI settings — all unchanged.
• API keys and service accounts are unaffected. If you have integrations using a Client ID and Secret for programmatic access, those keep working exactly as before.
• Existing logged-in users stay signed in through their current session. The change only affects the next time they sign in.

Just for transparency — the first time each user signs in via SSO, ClaimRev records the connection between their company identity and their ClaimRev user profile. This is invisible to the user. After that first sign-in, the link is established and they're recognized immediately on every future visit.

If a user's email address in your IdP doesn't match an existing ClaimRev user profile, they'll be told their account isn't provisioned. Add them in User Management first, then have them try again.

The IdP configuration is incomplete or the provider is marked inactive. Contact ClaimRev support — usually a one-line fix.

The callback URL is missing or wrong on the IdP side. Double-check that https://api.claimrev.com/auth/callback is registered exactly as written on your IdP's application configuration.

The user's email in your IdP doesn't match a ClaimRev user profile. Either:

• Add the user in User Management in the portal, OR
• If the user exists but with a different email, update their ClaimRev profile to match the email their IdP uses.

A user's email domain isn't on the Email domains list ClaimRev has on file for your provider. Send the missing domain to support and we'll add it.

SSO doesn't change permissions — those are still assigned in ClaimRev's User Management. If a user's roles or account access is wrong, fix it there.

If you ever need to:

• Rotate the client secret — generate a new one in your IdP, send it to ClaimRev support, we'll roll it.
• Switch identity providers — works the same as initial setup; the old provider stays active until you ask us to deactivate it.
• Disable SSO — contact support. We'll move your users back to ClaimRev-managed passwords.

For SSO help, contact ClaimRev support at help@claimrev.com or call 918-842-9564. If you're working with your IT team to set this up, feel free to loop us in on a call — we've done plenty of these and it's faster than email back-and-forth.