Skip to main content
Applies to:
  • Plan -
  • Deployment -
Contact support@braintrust.dev to set up an SSO integration. Include the identity provider (IdP) your organization uses. Braintrust supports the following options:
  • SAML:
    • Okta Workforce
    • Microsoft Entra ID
    • Google Workspace
    • Custom SAML provider
  • OpenID Connect (OIDC):
    • Custom OIDC provider

Requirements

Include the following details in your request:
  • The IdP you will use
  • The email domain or domains to configure
  • Whether you want to enable IdP-initiated login
  • If you want Braintrust to assign new users to groups based on SAML groups, configure your IdP to send a SAML attribute named public_metadata_groups.
    • Send each group as a separate attribute value, not a comma-separated string.
    • Example: send engineering and admin as separate public_metadata_groups attribute values, not one value like engineering,admin.
    • Braintrust applies this mapping when a user first signs in. Later IdP group changes do not automatically update Braintrust group membership.
Depending on the IdP you use, provide the following details:

Okta Workforce

  • The metadata URL, or in its place:
    • Identity Provider Single Sign-On URL
    • Identity Provider Issuer
    • The SSL/TLS certificate to use

Microsoft Entra ID

  • The metadata URL, or in its place:
    • Login URL
    • Microsoft Entra Identifier
    • The SSL/TLS certificate to use

Google Workspace

  • The metadata URL, or in its place:
    • SSO URL
    • Entity ID
    • The SSL/TLS certificate to use

Custom SAML provider

  • The metadata URL, or in its place:
    • SSO URL
    • Entity ID
    • The SSL/TLS certificate to use

Custom OIDC provider

  • The Discovery Endpoint, or in its place:
    • Authorization URL
    • Token URL
    • User Info URL
  • Client ID
  • Client Secret
  • Scopes, if any