How do I enable OpenID Connect (OIDC) SSO?
Contact Support
Step 1: Sign in as an admin to your IdP console.
Step 2: Follow your IdP guidelines to create a Web OIDC application or client. Enter this redirect URL: https://accounts-api.brex.com/oauth2/v1/authorize/callback
Step 3: As an admin, contact Brex Support at support@brex.com or through Live Chat on the dashboard.
Step 4: Ask the specialist to set up OIDC SSO on your Brex account. They'll provide you with a secure link to submit the information in Step 5.
Step 5: After verifying your identity as the admin on your account, please provide the answers to the following questions by using the secure link that the specialist provided in Step 4:
What is your client ID and client secret?
What is your OIDC domain URL where the /.well-known/openid-configuration endpoint is hosted?
Who is your IdP Vendor (SSO Provider)?
Please confirm your email domain (e.g., for Brex, it is ‘brex.com’).
Once SSO is ready to be enabled, who on your Brex account should be used for testing?
Do you have multiple Brex accounts that might share the same email domain?
Do you have more than one email domain on your account?
Are there any users who we need to exclude from SSO?
Please note that it may take 5 business days to complete the initial setup for SSO.
Step 6: A Developer Support Specialist will reach out via email with further setup instructions once we complete the initial setup.
Okta OIDC Integration
Step 1: Start at Step 3 from the instructions above.
Step 2: Sign in to your Okta admin console.
Step 3: Create an Application Integration under Applications > Applications. Under Sign-in Method, choose OIDC - OpenID Connect. Under Application Type, choose Web Application. Click Next.
Step 4: Name the application integration “Brex” or “Brex Web App” so users can identify it from the app launcher. You can also add the Brex logo.
Step 5: Use https://accounts-api.brex.com/oauth2/v1/authorize/callback as the sign-in redirect URL and your Brex dashboard link (http://dashboard.brex.com/) as the sign-out redirect URL. Add implicit for grant type and leave other optional fields as they are.
Step 6: For controlled access, choose either Allow everyone in your organization to access or Limit access to selected groups for a gradual rollout. Click Save.
Step 7: Edit the app from General settings and change Login initiated by to either Okta or App.
Step 8: Check Display application icon to users and Display application icon in the Okta Mobile app. Input your Dashboard link (https://dashboard.brex.com) as the initial sign-in URL.
Optional: After the application is created, you can also configure a specific sign-in policy for this application under the Sign-on tab.
Add Brex from Okta Integration Network (OIN)
Step 1: Sign in to your Okta admin console.
Step 2: Go to Applications > Applications, and browse the app catalog. Search for “Brex” and add the integration.
Step 3: Finish up the General Settings according to your needs and click Next.
Step 4: Choose OpenID Connect as your sign-on method and select Email as the Application username format. Click Done.
Step 5: Click the Sign On tab and copy the Client ID, Client secret, and OpenID Provider Metadata’s URL into a text file. We’ll send you an email link to collect it.
Step 6: We’ll complete the SSO registration and enable both IdP-initiated flow and SP-initiated flow for you. Visit https://dashboard.brex.com/?iss=[oktaIssuer] to enter the SP-initiated flow. Please replace [oktaIssuer] with the issuer URL you can find in your OpenID provider metadata.
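Before submitting the OIDC domain URL and issuer, you can sanity-check your provider metadata. The following is an added example, not Brex or Okta code: it checks a discovery document against the domain URL you plan to submit and builds the SP-initiated URL from Step 6. The sample metadata, the idp.example.com host and the function names are constructed for illustration.

```python
import json
from urllib.parse import quote, urlsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: paste the JSON served by your own IdP here instead.
SAMPLE_DOMAIN = "https://idp.example.com/"
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/v1/token",
  "jwks_uri": "https://idp.example.com/oauth2/v1/keys"
}""")

def discovery_url(domain_url):
    """URL where the IdP publishes its OpenID provider metadata."""
    return domain_url.rstrip("/") + DISCOVERY_SUFFIX

def check_discovery(domain_url, metadata):
    """Return a list of problems; an empty list means the basics line up."""
    problems = [f"missing {key}" for key in REQUIRED if not metadata.get(key)]
    issuer = metadata.get("issuer", "")
    base = domain_url.rstrip("/")
    # OIDC Discovery requires the issuer in the document to match the URL the
    # document was fetched from; trailing slashes are normalised here.
    if issuer and issuer.rstrip("/") != base:
        problems.append(f"issuer {issuer!r} does not match domain URL {base!r}")
    for key in REQUIRED:
        value = metadata.get(key)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https")
    return problems

def sp_initiated_url(issuer):
    """Step 6 URL with [oktaIssuer] replaced by the issuer."""
    # Assumption: ':' and '/' are left as-is so a typical issuer is substituted
    # literally; characters that would break the query string are escaped.
    return "https://dashboard.brex.com/?iss=" + quote(issuer, safe=":/")

if __name__ == "__main__":
    print(discovery_url(SAMPLE_DOMAIN))
    print(check_discovery(SAMPLE_DOMAIN, SAMPLE_METADATA) or "metadata looks consistent")
    print(sp_initiated_url(SAMPLE_METADATA["issuer"]))
```
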
Exclude a user from SSO
If you’d like to exclude a user from SSO, you can invite them to your Brex account with an email alias of “+non-sso”. For example, if you wanted to forgo SSO for a user with the email address email@domain.com, you can invite them as email+non-sso@domain.com. The user can then sign in using the same alias email address of email+non-sso@domain.com, at which time they won’t be routed through SSO.