When your organization requires Single Sign-On, you may have some users who need access but can't authenticate through your identity provider. The most common case is people you've invited as administrators on a document or policy who aren't on your employee list sync (sometimes called Org Friends), such as external counsel, partner-org admins, or contractors.
The email sign-in exclusion list lets you give those people an email-based sign-in path while keeping SSO as the default for everyone else.
How it works
When email sign-in is turned off for your organization, Blissbook normally routes everyone through your SSO provider. With an exclusion list configured, the people in a specific saved segment can still request a special link sent to their email address. Everyone else is still funneled through SSO.
Note: The exclusion list only appears on the settings page when email sign-in (special links) is turned off. If email sign-in is on for everyone, you don't need an exclusion list, since the email sign-in path is already available to all users.
Set up the exclusion list
1. Create a saved segment of the people who need email sign-in
On your People page, set up filters to identify the people who need email sign-in. The most common case is filtering for people who are not on an Employee List (or not on a specific Employee List) – people in your account as administrators who aren't coming through your employee list sync. Save the result as a segment following the steps in Saved Segments and give it a meaningful name like "Email sign-in allowed" or "Okta exclusion list" so it's obvious what it is.
2. Assign the segment as your exclusion list
Go to Settings (in the ORGANIZATION section at the bottom of the main navigation); it opens on the Account Settings tab. Scroll to the Authentication section:
Under Via Special Link Sent via Email, click the button labeled 0 Person(s) Excluded (the count updates once you pick a segment). A popover opens asking "Who should be excluded?"
Pick your saved segment from the dropdown and click Save. Anyone in that segment can now sign in via email, even though email sign-in remains off for the rest of your organization.
What users experience when they sign in
The sign-in behavior changes depending on what someone is trying to access and whether they're on the exclusion list.
Published handbooks, policies, and other audience-facing URLs
If someone tries to access a published handbook, policy, or other audience-facing URL (including the manager dashboard or an audience member dashboard) without being signed in, Blissbook redirects them straight to your SSO provider. This is true whether or not they're on the exclusion list. Audience-facing URLs always go through SSO when SSO is configured.
Administrative pages
If someone who isn't signed in tries to reach an admin page like the People page, a report, or the root of your Blissbook subdomain, they land on the Blissbook sign-in page. They can enter their email address to get a sign-in link, or click the Sign in via Single Sign-On button. The exact button label varies by provider (for Okta it may read "Sign in with [Your Organization] Single Sign-On (Okta)").
When someone enters their email:
If they're in the exclusion segment, Blissbook sends them a special link they can use to sign in.
If they aren't, they see the message "You must log in via SSO."
Updating the list
Because the exclusion list is a saved segment, its membership updates automatically as people's attributes change. If someone becomes part of the segment, they gain email sign-in access; if they leave the segment, they lose it. There's nothing to edit on the settings page unless you want to swap in a different segment.
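To make the routing rules above concrete, here is a small model of the sign-in decisions this article describes: where an unauthenticated visitor lands depending on the kind of page, what happens when they enter an email address, and how segment membership is re-evaluated rather than stored. This is an added illustration, not Blissbook's code; the settings object, the page-kind labels, the behaviour when no SSO provider is configured, and the assumption that the "Person(s) Excluded" count is simply the number of current segment members are all constructed for the example.

```python
"""Constructed model of Blissbook's email sign-in exclusion routing (example only)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Person:
    email: str
    # Names of employee lists that sync this person; empty for an Org Friend
    # such as external counsel who was invited directly as an administrator.
    employee_lists: set = field(default_factory=set)


# A saved segment is a filter, so membership is computed at sign-in time.
# This one is the step-1 filter "people who are not on an Employee List".
Segment = Callable[[Person], bool]


def not_on_employee_list(person: Person) -> bool:
    return not person.employee_lists


@dataclass
class AuthSettings:
    sso_configured: bool = True
    email_sign_in_on: bool = False            # "special links" for everyone
    exclusion_segment: Optional[Segment] = None  # assigned in step 2


def excluded_count(settings: AuthSettings, people: List[Person]) -> int:
    """Number on the 'N Person(s) Excluded' button (assumed: current segment members)."""
    if settings.exclusion_segment is None:
        return 0
    return sum(1 for p in people if settings.exclusion_segment(p))


def unauthenticated_request(settings: AuthSettings, page_kind: str) -> str:
    """Where an unauthenticated visitor lands for a given kind of page."""
    if page_kind == "audience":
        # Published handbooks, policies, manager/audience dashboards: straight
        # to SSO whenever SSO is configured, exclusion list or not.
        # (Fallback to the sign-in page without SSO is an assumption.)
        return "redirect_to_sso" if settings.sso_configured else "sign_in_page"
    if page_kind == "admin":
        # People page, reports, subdomain root: the Blissbook sign-in page,
        # which offers an email field and an SSO button.
        return "sign_in_page"
    raise ValueError(f"unknown page kind: {page_kind}")


def email_sign_in_request(settings: AuthSettings, person: Person) -> str:
    """Result of entering an email address on the sign-in page."""
    if settings.email_sign_in_on:
        return "special_link_sent"          # email sign-in is on for everyone
    if settings.exclusion_segment and settings.exclusion_segment(person):
        return "special_link_sent"          # on the exclusion list
    return "You must log in via SSO."


if __name__ == "__main__":
    settings = AuthSettings(exclusion_segment=not_on_employee_list)
    counsel = Person("counsel@example.com")              # constructed Org Friend
    staff = Person("staff@example.com", {"HR sync"})     # constructed employee
    print(excluded_count(settings, [counsel, staff]))    # 1
    print(email_sign_in_request(settings, counsel))      # special link
    print(email_sign_in_request(settings, staff))        # must use SSO
    counsel.employee_lists.add("HR sync")                # now synced
    print(email_sign_in_request(settings, counsel))      # must use SSO
```

The last two lines of the demo show the automatic-update behaviour from this section: the moment a person's attributes put them on an employee list, the segment filter no longer matches and the email path closes for them. The same mechanism cuts the other way, so it is worth checking that the segment filter only matches the people you intend, because anyone who later satisfies it gains the email sign-in path without any change on the settings page.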
Related articles
Saved Segments - Full walkthrough of creating, editing, and reusing saved segments.
Setting up Single Sign-On/SSO - How to connect Okta, Azure, SAML, and other providers to Blissbook.