Skip to main content
Applies to:
  • Plan -
  • Deployment -

Summary

Issue: Users see a saml_email_address_domain_mismatch error when attempting to log in via a SAML SSO integration (e.g., from an Okta tile). The error indicates the user’s email domain does not match the domain configured on the SAML connection. Cause: The SAML integration in Braintrust is configured to allow only a specific email domain, and the user’s email belongs to a different domain (such as a subsidiary or related company). Resolution: Contact Braintrust support to add the additional email domain to the existing SAML integration.

Resolution steps

If a user from a secondary domain cannot log in via SAML

Step 1: Confirm the error

Verify the user is seeing a saml_email_address_domain_mismatch error. The error response will show the expected_domain (configured) and received_domain (user’s actual domain). 
{
  "code": "saml_email_address_domain_mismatch",
  "meta": {
    "expected_domain": "example.com",
    "received_domain": "subsidiary.com"
  }
}

Step 2: Contact Braintrust support

Open a support ticket and provide:
  • The affected user’s email domain
  • Your organization’s existing SAML integration name or IdP (e.g., Okta)
Braintrust support will add the additional domain to your SAML connection. No changes to your IdP configuration are required.

Step 3: Verify access

Once support confirms the update, have the affected user attempt login again.