How do I enable Security Assertion Markup Language (SAML) SSO?
Contact Support
Step 1: As an admin, contact Brex Support at support@brex.com or through live chat in your dashboard.
Step 2: Ask the specialist to set up SAML SSO on your Brex account.
Step 3: After verifying your identity as the admin on your account, please provide the answers to the following:
Who is your IdP Vendor (SSO Provider)?
Please confirm your email domain (e.g., for Brex, it's ‘brex.com’).
Once SSO is ready to be enabled, who on your Brex account should be used for testing?
Do you have multiple Brex accounts that might share the same email domain?
Do you have more than one email domain on your account?
Are there any users who we need to exclude from SSO?
Please note that the initial SSO setup may take up to five business days to complete.
Step 4: A Developer Support Specialist will reach out via email with further setup instructions once we complete the initial setup.
General SAML integration
Step 1: Add the following to your service provider settings:
[Assertion Consumer Service URL / Reply URL]
[Audience URI / Identifier / Entity ID]
Step 2: Make sure these attribute statements are mapped with exactly the bare names below and no namespace prefix (the attribute Name must be, for example, firstName, not a URI-style claim name):
firstName
lastName
email (required as the key to match users across your IdP and Brex)
Step 3: Share either the following details of the application you just created or the metadata URL with us, and we’ll complete the setup on our side:
Identity Provider Single Sign-On URL / SingleSignOnService Location in the metadata
Identity Provider Issuer / entityID in the metadata
X.509 Certificate
(Optional) IDP metadata XML file
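Before sending the details above to Brex, it is worth checking them mechanically. The script below is an added example, not Brex's own tooling: it pulls the entityID, the SingleSignOnService Location and the signing X.509 certificate out of IdP metadata XML (Step 3), and inspects an assertion's AttributeStatement to confirm that firstName, lastName and email are present as bare names with no namespace prefix (Step 2). All XML in it is constructed sample data; the host idp.example.com, the entity ID and the certificate body are placeholders.

```python
"""Pre-flight checks on a SAML IdP before handing its details to Brex support.

1. extract_idp_details(): entityID, SingleSignOnService Location(s) and the
   signing X.509 certificate(s) from IdP metadata XML.
2. check_attribute_statement(): confirms firstName, lastName and email are
   present as bare attribute names and flags namespaced ones.

All XML here is constructed sample data (hypothetical idp.example.com).
xml.etree is fine for metadata you fetched from your own IdP over TLS; for
assertions from untrusted parties use a hardened parser such as defusedxml.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "email")

# Constructed IdP metadata; the certificate body is a placeholder, not a real cert.
IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIICplaceholder
          CertificateBody
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_details(metadata_xml: str) -> dict:
    """Return the IdP issuer, SSO URL(s) and signing certificate(s) from metadata."""
    root = ET.fromstring(metadata_xml.strip())
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_by_binding = {
        el.get("Binding"): el.get("Location")
        for el in idp.findall("md:SingleSignOnService", NS)
    }
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys are not what the SP verifies signatures with
        for cert in kd.findall(".//ds:X509Certificate", NS):
            if cert.text:
                certs.append("".join(cert.text.split()))  # drop line breaks/indentation
    return {
        "entity_id": root.get("entityID"),
        # Prefer the HTTP-POST endpoint; fall back to whatever binding is published.
        "sso_url": sso_by_binding.get(POST_BINDING) or next(iter(sso_by_binding.values()), None),
        "sso_by_binding": sso_by_binding,
        "certificates": certs,
    }


def check_attribute_statement(assertion_xml: str) -> dict:
    """Report which required attributes are present, missing, or still namespaced."""
    root = ET.fromstring(assertion_xml.strip())
    names = [a.get("Name", "") for a in root.iter(f"{{{NS['saml']}}}Attribute")]
    present = [n for n in REQUIRED_ATTRIBUTES if n in names]
    missing = [n for n in REQUIRED_ATTRIBUTES if n not in names]
    # A URI-style Name ('/' or ':' in it) is a namespaced claim; pair it with the
    # bare name it should be renamed to.
    namespaced = [(n, n.rsplit("/", 1)[-1]) for n in names if "/" in n or ":" in n]
    return {"present": present, "missing": missing, "namespaced": namespaced}


# Constructed assertion fragments: GOOD uses bare names, BAD keeps the default
# Azure AD claim namespace in front of each name.
AZURE_CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"


def _assertion(names) -> str:
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>x</saml:AttributeValue></saml:Attribute>'
        for n in names
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" '
        'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.com/saml</saml:Issuer>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>"
    )


GOOD_ASSERTION = _assertion(REQUIRED_ATTRIBUTES)
BAD_ASSERTION = _assertion(f"{AZURE_CLAIM_NS}/{n}" for n in REQUIRED_ATTRIBUTES)

if __name__ == "__main__":
    print(extract_idp_details(IDP_METADATA))
    print(check_attribute_statement(GOOD_ASSERTION))
    print(check_attribute_statement(BAD_ASSERTION))
```

Run it against your real metadata file by reading it into `extract_idp_details`; the returned entity_id, sso_url and certificates are the Issuer, Single Sign-On URL and X.509 certificate Brex asks for. Anything in `namespaced` means the IdP is still sending the claim with a namespace prefix and Brex will not match it.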
Okta SAML integration
Step 1: Sign in as an admin in your Okta admin console.
Step 2: Create an Application Integration under Applications > Applications. Choose SAML 2.0 as the Sign-in method, and then click Next.
Step 3: Name the application integration “Brex” or “Brex Web App” so users can identify it in the app launcher. You can also add the Brex logo to the integration.
Step 4: Configure SAML by inputting in the following:
Fill the field Single sign on URL with [Assertion Consumer Service URL]
Fill the field Audience URI (SP Entity ID) with [Audience URI]
Set Application username to Email, so the NameID sent to Brex is the user's email address.
Make sure the Attribute Statements are mapped as follows, with no namespace:
firstName
lastName
email (required as the key to match users across your IdP and Brex)
Step 5: In the application you just created, click View SAML setup instructions. Share the following details of the application you just created with us, and we'll complete the setup on our side.
Identity Provider Single Sign-On URL
Identity Provider Issuer
X.509 Certificate
(Optional) IDP metadata XML file
Azure Active Directory SAML Integration
Step 1: Add a new application by going to the Azure Active Directory Admin Center and signing in with an admin account. Click Enterprise applications. The All applications pane opens and displays a list of your Azure AD tenant applications. Click New application.
Step 2: Browse Azure AD Gallery and click Create your own application. Name it "Brex" and select Integrate any other application you don't find in the gallery (Non-gallery).
Step 3: In the Manage section of the left menu, click Single sign-on and, in the Single sign-on panel, click SAML to open the SSO configuration page. After the application is configured, users can sign in to it by using their credentials from the Azure AD tenant.
Step 4: Set up a single sign-on with SAML using the following values:
Basic SAML Configuration
Identifier (Entity ID): fill in the [Audience URI / Identifier / Entity ID]
Reply URL (Assertion Consumer Service URL): fill in the [Assertion Consumer Service URL / Reply URL]
Attributes & Claims
Add claims named firstName, lastName and email (email is the key used to match users across Azure AD and Brex). Clear the Namespace field on each claim so the claim name is sent as the bare name, not prefixed with a namespace URI.
SAML Signing Certificate
Download the signing certificate.
Step 5: Send the following information to Brex:
Login URL
Azure AD Identifier
Certificate you downloaded in the previous step
Step 6: Once Brex finishes the setup, test your single sign-on.
Exclude a user from SSO
If you’d like to exclude a user from SSO, invite them to your Brex account using a “+non-sso” email alias. For example, to forgo SSO for a user with the email address email@domain.com, invite them as email+non-sso@domain.com. The user then signs in with email+non-sso@domain.com and is not routed through SSO. Because an excluded user bypasses your IdP’s sign-in policies, keep this list short and review it periodically.
If you want a previously invited user to be excluded from SSO, please contact our support team to have their email address updated to include the “+non-sso” email address.
Add Brex from Okta Integration Network (OIN)
Step 1: Sign in to your Okta admin console.
Step 2: Go to Applications > Applications, and browse the app catalog. Search “Brex” and add the integration.
Step 3: Finish up the General Settings according to your needs and click Next.
Step 4:
Choose SAML 2.0 as your sign-on method.
Fill the field Single Sign On URL with [Assertion Consumer Service URL].
Fill the field Audience URI (SP Entity ID) with [Audience URI].
Select Email as the Application username format.
Click Done.
Step 5: In the application you just created, click View SAML setup instructions. Share the following details of the application you just created or the metadata URL with us, and we’ll complete the setup on our side.
Identity Provider Single Sign-On URL
Identity Provider Issuer
X.509 Certificate
(Optional) IDP metadata XML file
Step 6: We’ll complete the SSO registration and enable both the IdP-initiated and SP-initiated flows for you. To start an SP-initiated login, visit https://dashboard.brex.com/?iss=[oktaIssuer], replacing [oktaIssuer] with the issuer URL from your Okta org’s OpenID provider metadata.