# SSO login fails with 'did not grant access' error

export const plans_0 = "Enterprise"

export const deployments_0 = "Any"

export const data_plane_version_0 = undefined

export const use_case_0 = "Use case - Enterprise users with SSO/IdP authentication who see a Clerk OAuth 'did not grant access' error when logging in"

<Note>
  **Applies to:**

  * Plan - {plans_0}
  * Deployment - {deployments_0}
  * {data_plane_version_0}
  * {use_case_0}
</Note>

## Summary

**Issue:** Users see a "You did not grant access" error when signing in via SSO. The error occurs when the IdP receives `access_type=offline` in OAuth requests but doesn't support refresh tokens.

**Cause:** Clerk sends `access_type=offline` to request refresh tokens, but some IdPs reject this parameter when refresh tokens aren't supported.

**Resolution:** Switch from OAuth to SAML authentication, which doesn't include the `access_type=offline` parameter.

## Resolution steps

### Step 1: Verify the root cause

Check your IdP logs for failed authentication requests containing `access_type=offline`. This parameter asks the IdP to issue a refresh token, so the session can be renewed while the user is inactive.
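One way to run this check over an exported IdP log, as an added example rather than Braintrust or Clerk tooling. It assumes one JSON event per line with hypothetical `user`, `outcome` and `url` fields; map them to whatever your IdP exports. It also counts failures that did not carry the parameter, so you can tell this cause apart from others such as a missing user assignment.

```python
import json
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample events. Field names and the authorize URL are assumptions.
AUTHZ = "https://idp.example.com/oauth2/authorize?client_id=PLACEHOLDER&response_type=code"
SAMPLE_LOG = "\n".join([
    json.dumps({"user": "alice@example.com", "outcome": "FAILURE",
                "url": AUTHZ + "&access_type=offline"}),
    json.dumps({"user": "bob@example.com", "outcome": "SUCCESS", "url": AUTHZ}),
    json.dumps({"user": "carol@example.com", "outcome": "FAILURE", "url": AUTHZ}),
    json.dumps({"user": "alice@example.com", "outcome": "FAILURE",
                "url": AUTHZ + "&access_type=offline&prompt=consent"}),
    "-- log rotated --",  # non-JSON noise that the parser must skip
])


def triage(log_text):
    """Bucket authorization events by outcome and presence of access_type=offline."""
    counts = Counter()
    users = set()
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue  # not a JSON event
        if not isinstance(event, dict):
            continue
        # Parse the query string instead of substring matching, so that
        # URL-encoded or reordered parameters are still read correctly.
        query = parse_qs(urlsplit(str(event.get("url", ""))).query)
        offline = "offline" in query.get("access_type", [])
        failed = str(event.get("outcome", "")).upper() != "SUCCESS"
        if offline and failed:
            counts["offline_failed"] += 1
            users.add(str(event.get("user", "unknown")))
        elif offline:
            counts["offline_ok"] += 1
        elif failed:
            counts["other_failed"] += 1
    return {
        "offline_failed": counts["offline_failed"],
        "offline_ok": counts["offline_ok"],
        "other_failed": counts["other_failed"],
        "users": sorted(users),
        # Consistent with this page's cause only if requests with the parameter
        # fail and none of them succeed.
        "matches_page_cause": counts["offline_failed"] > 0 and counts["offline_ok"] == 0,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

If `offline_ok` is non-zero, the IdP accepts the parameter for at least some requests, so look at the `other_failed` events and the user assignment check before migrating to SAML.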

### Step 2: Switch to SAML authentication

Contact Braintrust support to migrate from OAuth to SAML. You'll need to provide:

* SSO URL
* Entity ID
* Certificate
* Metadata URL (if available)

### Step 3: Configure SAML on your IdP

Your IT team will need to:

1. Create SAML clients for each Braintrust org
2. Generate metadata XML files
3. Configure the SSO URL endpoint

### Step 4: Test the SAML connection

Once Braintrust support enables SAML, test login for each configured org to confirm the error is resolved.

## Alternative workarounds

If switching to SAML isn't immediately possible:

### Try a regular browser session

Close incognito/private windows and sign in from a regular Chrome or Safari session. Clear cookies for `braintrust.dev` before attempting login.

### Verify IdP user assignment

Have your IT team confirm the user is assigned to the Braintrust application in your organization's IdP.

## What this error means

The "You did not grant access" screen is a Clerk-rendered OAuth error that appears when the IdP rejects the authentication request. Unlike network errors or VPN blocks, this error indicates the request successfully reached Braintrust's auth layer but failed during the IdP handoff.

Common causes of IdP rejections:

* `access_type=offline` (requests refresh tokens)
* Missing user assignments
* Expired certificates
