# SAML login fails with email domain mismatch

<Note>
  **Applies to:**

  * Plan - Enterprise
  * Deployment - Any
  * Use case - Enterprise users with SAML SSO who see a domain mismatch error because their email domain differs from the configured SAML connection domain
</Note>

## Summary

**Issue:** Users see a `saml_email_address_domain_mismatch` error when attempting to log in via a SAML SSO integration (e.g., from an Okta tile). The error indicates the user's email domain does not match the domain configured on the SAML connection.

**Cause:** The SAML integration in Braintrust is configured to allow only a specific email domain, and the user's email belongs to a different domain (such as a subsidiary or related company).

**Resolution:** Contact Braintrust support to add the additional email domain to the existing SAML integration.

## Resolution steps

### If a user from a secondary domain cannot log in via SAML

#### Step 1: Confirm the error

Verify the user is seeing a `saml_email_address_domain_mismatch` error. The error response will show the `expected_domain` (configured) and `received_domain` (user's actual domain).

```json
{
  "code": "saml_email_address_domain_mismatch",
  "meta": {
    "expected_domain": "example.com",
    "received_domain": "subsidiary.com"
  }
}
```

#### Step 2: Contact Braintrust support

Open a support ticket and provide:

* The affected user's email domain
* Your organization's existing SAML integration name or IdP (e.g., Okta)

Braintrust support will add the additional domain to your SAML connection. No changes to your IdP configuration are required.

#### Step 3: Verify access

Once support confirms the update, have the affected user attempt login again.
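
An added example, not part of Braintrust's documentation: a small Python helper for Steps 1 and 2 that reads captured error bodies in the shape shown in Step 1, confirms the error code, and lists the `received_domain` values to put in the ticket. The function name `triage`, the owned-domain list and the sample payloads are assumptions made for illustration; the owned-domain check is there because adding a domain widens who can sign in through the connection.

```python
import json

ERROR_CODE = "saml_email_address_domain_mismatch"

# Constructed sample data (not real responses); shape follows the Step 1 example.
SAMPLE_RESPONSES = [
    '{"code": "saml_email_address_domain_mismatch", "meta": '
    '{"expected_domain": "example.com", "received_domain": "subsidiary.com"}}',
    '{"code": "saml_email_address_domain_mismatch", "meta": '
    '{"expected_domain": "example.com", "received_domain": "unknown.example"}}',
    '{"code": "constructed_other_error"}',
    "<html>not json</html>",
]
SAMPLE_EMAILS = ["alice@subsidiary.com"]
SAMPLE_OWNED = ["example.com", "subsidiary.com"]  # assumption: kept by your team


def triage(responses, user_emails, owned_domains):
    """Return (domains to put in the ticket, findings that need review)."""
    reported = {e.rsplit("@", 1)[1].lower() for e in user_emails if "@" in e}
    owned = {d.lower() for d in owned_domains}
    to_request, findings = set(), []
    for raw in responses:
        try:
            body = json.loads(raw)
        except json.JSONDecodeError:
            findings.append("unparseable response, skipped")
            continue
        if not isinstance(body, dict) or body.get("code") != ERROR_CODE:
            findings.append("different error, not covered by this article")
            continue
        meta = body.get("meta") if isinstance(body.get("meta"), dict) else {}
        received = str(meta.get("received_domain", "")).lower()
        if not received:
            findings.append("mismatch error without received_domain")
        elif received not in owned:
            findings.append(f"{received}: not an owned domain, do not request")
        elif received not in reported:
            findings.append(f"{received}: no reported user has it, review first")
        else:
            to_request.add(received)
    return sorted(to_request), findings


if __name__ == "__main__":
    domains, notes = triage(SAMPLE_RESPONSES, SAMPLE_EMAILS, SAMPLE_OWNED)
    print("Domains for the support ticket:", domains)
    for note in notes:
        print("Review:", note)
```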
