Signing into Brex
Overview
Depending on what works best for your team, there are several options your employees can use to access their Brex account from either the dashboard or the mobile app.
Brex email and password
When signing into either your Brex dashboard on the web or the Brex app on mobile, you have the option to manually enter the email address and password associated with your Brex account. All Brex users are required to use multi-factor authentication to provide an added layer of security to their account, so this method requires two-factor authentication (2FA) and/or device verification.
Enterprise IdP login
The Enterprise IdP login gives your employees the option to sign into their Brex account using Google or Microsoft logins.
- This will make it easier for your employees to access the Brex dashboard and reduce the number of passwords they need to remember.
- You can leverage the advantages of single sign-on (SSO) without having your own dedicated IdP.
Note: The email associated with the Google or Microsoft account must match the email associated with the Brex account.
Any account admin or card admin on your account can enable this feature in their dashboard: Click your name in the top right corner and go to Company settings > Company. Toggle on Enable logins with Google and Microsoft.
Once turned on, your employees will be able to Sign in with Google or Sign in with Microsoft on the Brex sign-in page. Prior to an account admin or card admin enabling these features, clicking either button will result in an error message.
Single Sign-On (SSO)
Brex allows your team to use SSO with your Identity Provider (IdP) through OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). Brex’s SSO integration provides a seamless way to sign in with your own IdP and also eliminates the need for employees to enter credentials repeatedly to prove their identities. After the initial setup effort, SSO gives you more control to easily turn off employee access, greater security in a remote-first world, and better speed and efficiency with Brex.
To use SSO with Brex, you will need:
- An Identity Provider (IdP) to facilitate SSO that supports either the OpenID Connect (OIDC) or SAML protocol, such as Okta, OneLogin, Google Workplace, etc.
- A technical point-of-contact who can provide Brex with the following SSO configuration information:
  - For OIDC configurations:
    - A customer’s Client ID and Client Secret
    - A customer’s OIDC domain URL where the /.well-known/openid-configuration endpoint is hosted
    - Employee email domain
  - For SAML configurations:
    - Identity Provider Single Sign-On URL
    - Identity Provider Issuer
    - X.509 Certificate
    - (Optional) IdP metadata XML file
Depending on whether you use OpenID Connect (OIDC) or Security Assertion Markup Language (SAML), you can connect your SSO by following the relevant instructions below.
Security Assertion Markup Language (SAML) SSO
Step 1: As an account admin or card admin, contact Brex Support at support@brex.com or through live chat in your dashboard.
Step 2: Ask the specialist to set up SAML SSO on your Brex account.
Step 3: After verifying your identity as the account admin or card admin on your account, please provide the answers to the following:
- Who is your IdP Vendor (SSO Provider)?
- Please confirm your email domain (e.g., for Brex, it’s ‘brex.com’).
- Once SSO is ready to be enabled, who on your Brex account should be used for testing?
- Do you have multiple Brex accounts that might share the same email domain?
- Do you have more than one email domain on your account?
- Are there any users who we need to exclude from SSO?
Note: It may take five business days to complete the initial setup for SSO.
Step 4: A Developer Support Specialist will reach out via email with further setup instructions once we complete the initial setup.
OpenID Connect (OIDC) SSO
Initial setup
Step 1: Sign in as an account admin or card admin to your IdP console.
Step 2: Follow your IdP guidelines to create a Web OIDC application or client. Enter this redirect URL: https://accounts-api.brex.com/oauth2/v1/authorize/callback
Step 3: As an account admin or card admin, contact Brex Support at support@brex.com or through live chat in your dashboard.
Step 4: Ask the specialist to set up OIDC SSO on your Brex account. They'll provide you with a secure link to submit the information in Step 5.
Step 5: After verifying your identity as an account admin or card admin, please provide the answers to the following questions by using the secure link that the specialist provided in Step 4:
- What is your client ID and client secret?
- What is your OIDC domain URL where /.well-known/openid-configuration endpoint is hosted?
- Who is your IdP Vendor (SSO Provider)?
- Please confirm your email domain (e.g., for Brex, it’s ‘brex.com’).
- Once SSO is ready to be enabled, who on your Brex account should be used for testing?
- Do you have multiple Brex accounts that might share the same email domain?
- Do you have more than one email domain on your account?
- Are there any users who we need to exclude from SSO?
Note: It may take five business days to complete the initial setup for SSO.
Step 6: A Developer Support Specialist will reach out via email with further setup instructions once we complete the initial setup.
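Before submitting the OIDC details in Step 5, it helps to confirm that the discovery document and the IdP client agree with each other. The following is an added example, not Brex's own code; it checks a discovery document and a client's redirect URI list that you have already fetched from your IdP, and the `idp.example.com` values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Redirect URL given in the setup steps on this page.
BREX_CALLBACK = "https://accounts-api.brex.com/oauth2/v1/authorize/callback"
# Fields OpenID Connect Discovery 1.0 requires in every provider document.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def check_oidc_setup(domain_url, metadata, redirect_uris):
    """Return a list of problems; an empty list means every check passed."""
    problems = [f"missing field: {name}" for name in REQUIRED if name not in metadata]
    parts = urlsplit(domain_url)
    if parts.scheme != "https" or parts.query or parts.fragment:
        problems.append("OIDC domain URL must be https without query or fragment")
    # Discovery requires the issuer inside the document to be identical to
    # the URL the document is hosted under, so a mismatch should stop setup.
    if metadata.get("issuer") != domain_url:
        problems.append("issuer does not match OIDC domain URL")
    for name in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = metadata.get(name)
        if value is not None and urlsplit(value).scheme != "https":
            problems.append(f"{name} is not https")
    # The IdP client should list the Brex callback exactly, with no wildcards.
    if BREX_CALLBACK not in redirect_uris:
        problems.append("Brex callback missing from redirect URIs")
    problems += [f"wildcard redirect URI: {u}" for u in redirect_uris if "*" in u]
    return problems


# Constructed sample data (idp.example.com is a placeholder, not a real IdP).
SAMPLE_DOMAIN = "https://idp.example.com"
SAMPLE_METADATA = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(check_oidc_setup(SAMPLE_DOMAIN, SAMPLE_METADATA, [BREX_CALLBACK]))
```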
Okta OIDC integration
Step 1: Start at Step 3 from the instructions above.
Step 2: Sign in to your Okta admin console.
Step 3: Create an Application Integration under Applications > Applications. Under Sign-in Method, choose OIDC - OpenID Connect. Under Application Type, choose Web Application. Click Next.
Step 4: Name the application integration “Brex” or “Brex Web App” so users can identify it from the app launcher. You can also add the Brex logo.
Step 5: Use https://accounts-api.brex.com/oauth2/v1/authorize/callback as the sign-in redirect URL and your Brex dashboard link (http://dashboard.brex.com/) as the sign-out redirect URL. Add implicit for grant type and leave other optional fields as they are.
Step 6: For controlled access, choose either Allow everyone in your organization to access or Limit access to selected groups for a gradual rollout. Click Save.
Step 7: Edit the app from General settings and change Login initiated by to either Okta or App.
Step 8: Check Display application icon to users and Display application icon in the Okta Mobile app. Input your Dashboard link (https://dashboard.brex.com) as the initial sign-in URL.
Optional: After the application is created, you can also configure a specific sign-in policy for this application under the Sign-on tab.
Add Brex from Okta Integration Network (OIN)
Step 1: Sign in to your Okta admin console.
Step 2: Go to Applications > Applications, and browse the app catalog. Search “Brex” and add the integration.
Step 3: Finish up the General Settings according to your needs and click Next.
Step 4: Choose OpenID Connect as your sign-on method and select Email as the Application username format. Click Done.
Step 5: Click the Sign On tab and copy the Client ID, Client secret, and OpenID Provider Metadata’s URL into a text file. We’ll send you an email link to collect it.
Step 6: We’ll complete the SSO registration and enable both IdP-initiated flow and SP-initiated flow for you. Visit https://dashboard.brex.com/?iss=[oktaIssuer] to enter the SP-initiated flow. Please replace [oktaIssuer] with the issuer URL you can find in your OpenID provider metadata.
Exclude a user from SSO
If you’d like to exclude a user from SSO, you can invite them to your Brex account with an email alias of “+non-sso”. For example, if you wanted to forgo SSO for a user with the email address email@domain.com, you can invite them as email+non-sso@domain.com. The user can then sign in using the same alias email address of email+non-sso@domain.com, at which time they won’t be routed through SSO.
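Because “+non-sso” logins are not routed through SSO, it is worth reviewing periodically which of them exist and whether their owners are still active in the IdP. The following is an added example, not Brex's own code; the two input lists are constructed, and how you export them from Brex and your IdP is left to your own tooling.

```python
NON_SSO_TAG = "+non-sso"  # alias suffix described on this page


def sso_exclusions(brex_logins, idp_active_emails):
    """List Brex logins that skip SSO and whether their owner is still in the IdP."""
    # Assumption: compare case-insensitively so casing variants are not missed.
    active = {e.strip().lower() for e in idp_active_emails}
    findings = []
    for login in brex_logins:
        local, at, domain = login.strip().lower().rpartition("@")
        if not at or not local.endswith(NON_SSO_TAG):
            continue  # malformed address or an ordinary SSO-routed login
        # Strip the alias to recover the address the IdP knows about.
        base = f"{local[:-len(NON_SSO_TAG)]}@{domain}"
        findings.append({"login": login, "base": base, "owner_active": base in active})
    return findings


# Constructed sample data.
BREX_LOGINS = ["ana@domain.com", "email+non-sso@domain.com", "Sam+Non-SSO@domain.com"]
IDP_ACTIVE = ["ana@domain.com", "email@domain.com"]

if __name__ == "__main__":
    for row in sso_exclusions(BREX_LOGINS, IDP_ACTIVE):
        print(row)
```

Rows with `owner_active` set to false are the ones to review first, since disabling the person in the IdP does not touch a login that never goes through it.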
1Password
You can use 1Password to securely allow multiple users to access your Brex account. As a reminder, all credentials should remain secret; credentials should only be shared with verified users via 1Password sharing, which converts shared credentials to hidden.
Step 1: Install 1Password as a browser extension. Store the Brex username/password in 1Password (using a password manager is a good way to protect your credentials in general).
Step 2: Edit your 2FA method from within the Brex dashboard and choose Authenticator app.
Step 3: Go to this link and follow the steps under To save your QR code using 1Password in your browser.
Step 4: Use 1Password as your 2FA authenticator (instead of Google Authenticator, Twilio Authy, etc.) for the same username.
This user credential can be shared with coworkers via 1Password, and the password remains hashed and will not be visible. The next time you or another authorized user signs in, 1Password will auto-generate and fill in the password, or you can copy the password from the browser extension to manually fill in upon sign-in.