How do I enable Security Assertion Markup Language (SAML) SSO?


Contact Support

Step 1: As an admin, contact Brex Support at support@brex.com or through Live Chat on the dashboard.

Step 2: Ask the specialist to set up SAML SSO on your Brex account.

Step 3: After verifying your identity as the admin on your account, please provide the answers to the following questions:

  • Who is your IdP Vendor (SSO Provider)?

  • Please confirm your email domain (e.g. for Brex, it is ‘brex.com’).

  • Once SSO is ready to be enabled, who on your Brex account should be used for testing?

  • Do you have multiple Brex accounts that might share the same email domain?

  • Do you have more than one email domain on your account?

  • Are there any users who we need to exclude from SSO?

Please note that it may take 5 business days to complete the initial setup for SSO.

Step 4: A Developer Support Specialist will reach out via email with further setup instructions once we complete the initial setup.

General SAML integration

Step 1: Add the following to your service provider settings:

  • [Assertion Consumer Service URL / Reply URL]

  • [Audience URI / Identifier / Entity ID]

Step 2: Make sure these attribute statements are mapped properly without any namespaces:

  • firstName

  • lastName

  • email (required as the key to match users across your IdP and Brex)

Step 3: Share the following details of the application you just created and we’ll complete the setup on our side:

  • Identity Provider Single Sign-On URL / SingleSignOnService Location in the metadata

  • Identity Provider Issuer / entityID in the metadata

  • X.509 Certificate

  • (Optional) IDP metadata XML file
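All three values Step 3 asks for live in the IdP metadata XML. The Python script below is an added example, not part of the Brex article or any Brex tooling: it parses a constructed sample of IdP metadata (the entityID, endpoints and certificate bytes are made up) and pulls out the SingleSignOnService Location, the entityID and the signing X.509 certificate, plus a SHA-256 fingerprint you can read back to Support to confirm the right certificate was received.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: NOT a real certificate, just bytes to exercise the parser.
FAKE_CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-cert").decode()

# Constructed sample of what an IdP metadata export looks like (all values made up).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_details(metadata_xml: str) -> dict:
    """Pull the SSO URL, issuer (entityID) and signing cert out of IdP metadata."""
    root = ET.fromstring(metadata_xml)  # only parse a file you exported yourself
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this may be SP metadata, not IdP metadata")
    services = idp.findall("md:SingleSignOnService", NS)
    if not services:
        raise ValueError("no SingleSignOnService endpoint in metadata")
    # Prefer the HTTP-POST endpoint; otherwise take the first one listed.
    post = [s for s in services if s.get("Binding") == HTTP_POST]
    sso_url = (post or services)[0].get("Location")
    # The signing KeyDescriptor holds the cert Brex needs to verify assertions.
    cert_path = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert_el = idp.find(f"md:KeyDescriptor[@use='signing']/{cert_path}", NS)
    if cert_el is None:  # some IdPs omit use= and publish one cert for both roles
        cert_el = idp.find(f"md:KeyDescriptor/{cert_path}", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no X509Certificate in metadata")
    cert_b64 = "".join(cert_el.text.split())  # drop the line breaks from the export
    return {
        "sso_url": sso_url,
        "issuer": root.get("entityID"),
        "x509_certificate": cert_b64,
        "cert_sha256": hashlib.sha256(base64.b64decode(cert_b64)).hexdigest(),
    }
```

Run it against your real export with `extract_idp_details(open("metadata.xml").read())`; the `sso_url`, `issuer` and `x509_certificate` fields are exactly the three items to share with Brex.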

Okta SAML integration

Step 1: Sign in as an admin in your Okta admin console.

Step 2: Create an Application Integration under Applications > Applications. Choose SAML 2.0 as the Sign-in method, and then click Next.

Step 3: Name the application integration “Brex” or “Brex Web App” so users can identify it in the app launcher. You can also add the Brex Logo (download link).

Step 4: Configure SAML by entering the following values:

  • Fill the field Single sign on URL with [Assertion Consumer Service URL]

  • Fill the field Audience URI (SP Entity ID) with [Audience URI]

  • Select Application user name as Email

  • Make sure its Attribute Statements are mapped properly:

    • firstName

    • lastName

    • email (required as the key to match users across your IdP and Brex)

Step 5: In the application you just created, click View SAML setup instructions. Share the following details of the application you just created with us, and we will complete the setup on our side.

  • Identity Provider Single Sign-On URL

  • Identity Provider Issuer

  • X.509 Certificate

  • (Optional) IDP metadata XML file

Azure Active Directory SAML Integration

Step 1: Add a new application by going to the Azure Active Directory Admin Center and signing in with an admin account. Click Enterprise applications. The All applications pane opens and displays a list of your Azure AD tenant applications. Click New application.

Step 2: Browse Azure AD Gallery and click Create your own application. Name it "Brex" and select Integrate any other application you don't find in the gallery (Non-gallery).

Step 3: In the Manage section of the left menu, click Single sign-on and, in the Single sign-on panel, click SAML to open the SSO configuration page. After the application is configured, users can sign in to it by using their credentials from the Azure AD tenant.

Step 4: Set up single sign-on with SAML using the following values:

  1. Basic SAML Configuration

    1. Identifier (Entity ID): fill in the [Audience URI / Identifier / Entity ID]

    2. Reply URL (Assertion Consumer Service URL): fill in the [Assertion Consumer Service URL / Reply URL]

  2. Attributes & Claims

    1. Map the claims firstName, lastName and email (required as the key to match users across your IdP and Brex), as listed under General SAML integration above. Remove the namespace when configuring those claims.

  3. SAML Signing Certificate

    1. Download the certificate

Step 5: Send the following information to Brex:

  1. Login URL

  2. Azure AD Identifier

  3. Certificate you downloaded in the previous step

Step 6: Once Brex finishes the setup, test your single sign-on.

Exclude a user from SSO

If you’d like to exclude a user from SSO, you can invite them to your Brex account with an email alias of “+non-sso”. For example, if you wanted to forgo SSO for a user with the email address email@domain.com, you can invite them as email+non-sso@domain.com. The user can then sign in using the same alias email address of email+non-sso@domain.com, at which time they won’t be routed through SSO.

If you want a previously invited user to be excluded from SSO, please contact our support team to have their email address updated to include the “+non-sso” email address.
