Microsoft Entra SSO
Microsoft Entra SSO is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources. You can use Entra SSO to control access to your apps and your app resources, based on your business requirements.
Requirements
Upon setup, you will be asked to provide a sign-on URL and an Assertion Consumer Service (ACS) URL.
| Requirement | Details |
|---|---|
| Sign-On URL | https://<SUBDOMAIN>.braze.com/sign_in For the subdomain, use the coordinating subdomain listed in your Braze instance URL. For example, if your instance is US-01, your URL is https://dashboard-01.braze.com. This means that your subdomain will be dashboard-01. |
| Assertion Consumer Service (ACS) URL | https://<SUBDOMAIN>.braze.com/auth/saml/callback For some identity providers, this can also be referred to as the Reply URL, Audience URL, or Audience URI. |
| Entity ID | braze_dashboard |
| RelayState API key | To enable identity provider login, go to Settings > API Keys and create an API key with sso.saml.login permissions. |
If you are using the older navigation, you can find your API keys under Settings at Developer Console > API Settings.
Service Provider (SP) initiated login within Microsoft Entra SSO
Step 1: Add Braze from the gallery
- In your Microsoft Entra admin center, go to Identity > Applications > Enterprise Applications, and then select New application.
- Search for Braze in the search box, select it from the result panel, and then select Add.
Step 2: Configure Microsoft Entra SSO
- In your Microsoft Entra admin center, go to your Braze application integration page and select Single sign-on.
- On the Select a single sign-on method page, select SAML as your method.
- On the Set up Single Sign-On with SAML page, select the edit icon for Basic SAML Configuration.
- Configure the application in IdP-initiated mode by entering a Reply URL that combines your Braze instance with the following pattern:
https://<SUBDOMAIN>.braze.com/auth/saml/callback. - Optionally configure RelayState by entering your Relay State generated API key into the Relay State (Optional) field.
- If you want to configure the application in SP-initiated mode, select Set additional URLs and enter a sign on URL that combines your Braze instance with the following pattern:
https://<SUBDOMAIN>.braze.com/sign_in. - Format SAML assertions in the specific format expected by Braze. Refer to the following tabs on user attributes and user claims to understand how these attributes and values must be formatted.
You can manage the values of these attributes from the User Attributes section on the Application Integration page.
Use the following attribute pairings:
givenname=user.givennamesurname=user.surnameemailaddress=user.mailname=user.userprincipalnameemail=user.userprincipalnamefirst_name=user.givennamelast_name=user.surnameUnique User Identifier=user.userprincipalname
It is critically important that the email field match what is set up for your users in Braze. In most cases, this will be the same as user.userprincipalname however, if you have a different configuration, work with your system administrator to ensure that these fields match exactly.
On the Set up Single Sign-On with SAML page, select Edit to open the User Attributes dialog. Then, edit the user claims according to the proper format.
Use the following claim name pairings:
claims/givenname=user.givennameclaims/surname=user.surnameclaims/emailaddress=user.userprincipalnameclaims/name=user.userprincipalnameclaims/nameidentifier=user.userprincipalname
It is critically important that the email field match what is set up for your users in Braze. In most cases, this will be the same as user.userprincipalname however, if you have a different configuration, work with your system administrator to ensure that these fields match exactly.
You can manage these user claims and values from the Manage claim section.
- Go to the Set up Single Sign-On with SAML page, then scroll to the SAML Signing Certificate section and download the appropriate Certificate (Base64) based on your requirements.
- Go to the Set up Braze section and copy the appropriate URLs for use in the Braze configuration.
Step 3: Configure Microsoft Entra SSO within Braze
After you’ve set up Braze within Microsoft Entra admin center, Microsoft Entra will provide a target URL (login URL) and x.509 certificate which you will input into your Braze account.
After your account manager has enabled SAML SSO for your account, do the following:
- Go to Settings > Admin Settings > Security Settings and toggle the SAML SSO section to ON.
If you are using the older navigation, select your account icon and go to Company Settings > Security Settings to find the SAML SSO section.
- On the same page, add the following:
| Requirement | Details |
|---|---|
SAML Name |
This will appear as the button text on the login screen. This is typically your identity provider’s name, like “Microsoft Entra.” |
Target URL |
This is the login URL provided by Microsoft Entra. |
Certificate |
The x.509 PEM encoded certificate is provided by your identity provider. |
If you want your Braze account users to only sign in with SAML SSO, you can restrict single sign-on authentication from the Company Settings page.
Edit this page on GitHub