Service Provider (SP) Initiated Login
This article will walk you through how to enable SAML single sign-on for your Braze account.
Upon setup, you will be asked to provide a Sign-On URL and an Assertion Consumer Service (ACS) URL.
For the subdomain, use the corresponding subdomain listed in your Braze instance URL. For example, if your instance is
|Assertion Consumer Service (ACS) URL||
For some IdPs, this can also be referred to as the Reply URL, Audience URL, or Audience URI.
SAML SSO Set Up
Configure Your Identity Provider
First, you must set up Braze as a Service Provider (SP) in your Identity Provider (IdP) with the information below.
In addition, you’ll need to set up SAML attribute mapping.
|SAML Attribute||Required?||Accepted SAML Attributes|
Braze only requires
Once you have set up Braze within your IdP, your IdP will provide a Target URL and X.509 certificate, which you will enter into your Braze account.
After your Account Manager has enabled SAML SSO for your account, go to Company Settings > Security Settings and toggle the SAML SSO section to
On this page, input:
||This will appear as the button text on the login screen.
This is typically your IdP name, like “Okta.”
||This is provided after setting up Braze within your IdP.
Some IdPs reference this as the SSO URL or SAML 2.0 Endpoint.
Please make sure that your certificate follows this format when adding it to the dashboard:
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
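A pre-flight check for the certificate format shown above, as an added example (not Braze's code): it rejects pastes with stray text, more than one certificate, private key material, or a truncated body, and returns a SHA-256 fingerprint to compare with the one your IdP displays. The function names are hypothetical, the sample is a constructed placeholder rather than a real certificate, and it is assumed that your IdP shows a SHA-256 fingerprint.

```python
import base64
import hashlib
import re

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"

def der_declared_length(der: bytes) -> int:
    """Total size the outer DER SEQUENCE claims (header plus content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_certificate(text: str) -> str:
    """Validate one PEM certificate block; return its SHA-256 fingerprint."""
    text = text.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("private key material present; paste the certificate only")
    if text.count(HEADER) != 1 or text.count(FOOTER) != 1:
        raise ValueError("expected exactly one BEGIN/END CERTIFICATE pair")
    if not (text.startswith(HEADER) and text.endswith(FOOTER)):
        raise ValueError("text found outside the BEGIN/END lines")
    body = re.sub(r"\s+", "", text[len(HEADER):-len(FOOTER)])
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:              # binascii.Error is a ValueError
        raise ValueError("certificate body is not valid base64") from exc
    if der_declared_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing bytes")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed sample: a tiny DER SEQUENCE standing in for a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = f"{HEADER}\n{base64.b64encode(SAMPLE_DER).decode()}\n{FOOTER}\n"

if __name__ == "__main__":
    print(check_pem_certificate(SAMPLE_PEM))
```

This checks structure only; it does not verify the certificate's issuer, validity dates, or whatever further validation the dashboard applies.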
When you save your Security Settings and log out, you should now be able to sign in with your IdP.
Create and Enable a Braze API Key for IdP Login (Optional)
To enable IdP-initiated login, you will first need to create an API Key in Developer Console >
Input the generated API Key as the RelayState parameter within your IdP, which will be used to identify which company the user is trying to log into.
Members who opt to use SSO will no longer be able to use their password as they did before. Users who continue to use their password will be able to do so unless restricted by the settings below.
You can also choose to restrict the members of your organization to sign in with either Google SSO or SAML SSO. To enable this, go to Company Settings > Security Settings and select Restrict Single Sign-On.
By enabling this option, your company’s Braze users will no longer be able to log in using a password, even if they have logged in with a password before.