> ## Documentation Index
> Fetch the complete documentation index at: https://braintrust.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Setting up SSO integration in Braintrust

export const plans_0 = "Enterprise"

export const deployments_0 = "Any"

export const data_plane_version_0 = undefined

export const use_case_0 = "SSO"

<Note>
  **Applies to:**

  * Plan - {plans_0}
  * Deployment - {deployments_0}
  * {data_plane_version_0}
  * {use_case_0}
</Note>

Contact [support@braintrust.dev](mailto:support@braintrust.dev) to set up an SSO integration. Include the identity provider (IdP) your organization uses. Braintrust supports the following options:

* SAML:
  * Okta Workforce
  * Microsoft Entra ID
  * Google Workspace
  * Custom SAML provider
* OpenID Connect (OIDC):
  * Custom OIDC provider

# Requirements

Include the following details in your request:

* The IdP you will use
* The email domain or domains to configure
* Whether you want to enable IdP-initiated login, such as launching Braintrust from an Okta tile
* If you want Braintrust to assign new users to groups based on SAML groups, configure your IdP to send a SAML attribute named `public_metadata_groups`.
  * Send each group as a separate attribute value, not a comma-separated string.
  * Example: send `engineering` and `admin` as separate `public_metadata_groups` attribute values, not one value like `engineering,admin`.
  * Braintrust applies this mapping when a user first signs in. Later IdP group changes do not automatically update Braintrust group membership.

Depending on the IdP you use, provide the following details:

# Okta Workforce

* The metadata URL, or in its place:
  * Identity Provider Single Sign-On URL
  * Identity Provider Issuer
  * The SSL/TLS certificate to use

# Microsoft Entra ID

* The metadata URL, or in its place:
  * Login URL
  * Microsoft Entra Identifier
  * The SSL/TLS certificate to use

# Google Workspace

* The metadata URL, or in its place:
  * SSO URL
  * Entity ID
  * The SSL/TLS certificate to use

# Custom SAML provider

* The metadata URL, or in its place:
  * SSO URL
  * Entity ID
  * The SSL/TLS certificate to use

# Custom OIDC provider

* The Discovery Endpoint, or in its place:
  * Authorization URL
  * Token URL
  * User Info URL
* Client ID
* Client Secret
* Scopes, if any
