Service Provider (SP) Initiated Login

Requirements

Upon setup, you will be asked to provide a Sign-On URL and an Assertion Consumer Service (ACS) URL.

Requirement Details
Sign-On URL https://<SUBDOMAIN>.braze.com/sign_in
For the subdomain, use the coordinating subdomain listed in your Braze instance URL. For example, if your instance is US-01, your URL is https://dashboard-01.braze.com. This means that your subdomain will be dashboard-01.
Assertion Consumer Service (ACS) URL https://<SUBDOMAIN>/auth/saml/callback
For some IdPs, this can also be referred to as the Reply URL, Entity ID, Audience URL, or Audience URI.

Configure Your Identity Provider

First, you must setup Braze as a Service Provider (SP) in your Identity Provider (IdP) with the information below.

In addition, you’ll need to setup SAML attribute mapping.

SAML Attribute Required? Accepted SAML Attributes
email Required email
mail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
first_name Optional first_name
firstname
firstName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/first_name
last_name Optional last_name
lastname
lastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/last_name

Configure Braze

Once you have setup Braze within your IdP, they will provide a Target URL and x.509 certificate which you will input into your Braze account.

After your Account Manager has enabled SAML SSO for your account, go to Company Settings > Security Settings and toggle the SAML SSO section to ON.

On this page, you, input:

Requirement Details
SAML Name This will appear as the button text on the login screen. This is typically your IdP name, like “Okta.”
Target URL This is provided after setting up Braze within your IdP. Some IdPs reference this as the SSO URL or SAML 2.0 Endpoint.
Certificate The x.509 certificate is provided by your IdP.

Enable SAML SSO

When you save your Security Settings and log out, you should now be able to sign in with your IdP.

Login Page with SSO

Create and Enable a Braze API Key for IdP Login (Optional)

To enable IdP initiated login, you will first need to create an API Key in Developer Settings > API Settings.

SSO Set Up

Input the generated API Key as the RelayState parameter within your IdP, which will be used to identity which company the user is trying to log into.

WAS THIS PAGE HELPFUL?
New Stuff!