Configure SSO With Auth0


Overview

Branch uses Auth0 to enable single sign-on (SSO), which allows you to manage your team's access to the Branch Dashboard through your identity provider (IdP).

Using SSO makes it easier to add or remove Branch users, and improves their login experience.

Configure SSO

To configure SSO, you'll need to set up Branch in your IdP and enter your IdP information in the Branch Dashboard.

Before you begin

Before you begin, ensure you have:

  • Admin access to your Branch Dashboard.

  • Admin access to your organization's IdP (e.g., Okta, Azure AD).

  • SSO enabled for your account.

    • Access to SSO requires a premium plan. Please contact our Sales team to learn more about pricing and availability.

Note

Please follow the steps below whether you’re setting up SSO for the first time or you’re an existing customer using Branch SSO and migrating.

Step 1: Select identity provider

  1. Navigate to the SSO page in Branch:

    1. Legacy experience: Account Settings → SSO.

    2. New experience: Configuration → Account Settings → SSO.

  2. Click the Setup SSO button.

  3. You will be taken to a new browser tab. In this tab, click Get Started.

  4. In the Select Your Identity Provider section, select Custom SAML. Then click Next.

Step 2: Configure custom SAML

Branch configuration settings for SAML application including Single Sign-On URL and Entity ID.

Step 2.1: Create application

  1. Use the values provided for Single Sign-On URL and Service Provider Identity ID to create a generic SAML application in your Identity Provider.

  2. Click Next.

Step 2.2: Configure connection

  1. Configure a connection between your IdP and Branch. You have two options for this:

    1. Automatic: Provide your IdP's Metadata URL. This URL needs to be publicly accessible; it lets your IdP supply important information such as the login URL and certificate, OR

    2. Manual: Configure the Single Sign-On URL and upload a Signing Certificate manually.

  2. Whether you choose automatic or manual connection configuration, you have the option to set the Advanced Settings to configure request signing if required by your IdP:

    1. Check the Sign Request checkbox.

    2. When enabled, the SAML authentication request will be signed. Download the certificate and upload it to your IdP so that it can validate the signature.

    3. Select an option for Sign Request Algorithm (RSA-SHA256 recommended).

    4. Select an option for Sign Request Algorithm Digest (SHA256 recommended).

    5. Select an option for Request Protocol Binding (HTTP-Post recommended).

      Branch settings for SAML authentication request signing and algorithm selection options displayed.

  3. Click Create Connection. You will see an alert modal letting you know that doing this will enable SSO access to Branch.

  4. Click Proceed.

Step 2.3: Attribute mapping

  1. Set up attribute mapping to ensure user information syncs correctly between your identity provider and Branch. You will need to include:

    1. Email

    2. First name

    3. Last name

  2. Configure these attributes in your IdP to pass the correct data to Branch.

  3. Click Next.

Step 2.4: Test SSO

  1. Click Test Connection. This will cause the Branch configuration page to enter “listening mode”.

  2. Log in using your IdP in the new tab.

  3. Return to see the “Testing complete!” confirmation message.

  4. Important: Click Enable SSO to activate SSO. Without this step, the SSO configuration will not take effect.

  5. You can now close the new tab.

Email domain configuration

Branch's SSO uses email domains to determine which users can authenticate through your SSO connection.

Existing SSO customers migrating from legacy SSO

Previously configured email domains carry over from your current SSO setup.

New SSO customers (as of August 2025)

Branch uses the email domain of the user setting up SSO.

If you are running into restrictions related to the list of email domains that can be configured for your setup, please contact Support at [email protected] (include your name and app ID) to update the values in the list.

Using SSO

Once your SSO connection is configured and enabled, your team can access Branch through your IdP.

Branch Dashboard access

Users with email addresses matching your configured domains will be automatically redirected to your IdP when accessing the Branch Dashboard.

After successful authentication, they'll be logged into Branch.

User management

Manage users through your IdP.

Users with email addresses matching your configured domains will automatically authenticate through SSO when accessing Branch.

Modify settings

Click Configure SSO in your Branch Dashboard SSO settings to modify your SSO configuration.

Previously configured values (login URL, certificate, domains) remain populated for easy editing.

Connection status

Your SSO configuration page displays the current connection status and configured email domains after successful setup.

Troubleshooting

Connection issues

  • Verify your identity provider metadata URL is accessible.

  • If you uploaded a signing certificate, make sure it is valid and properly formatted.

  • Check that your attribute mappings match your IdP configuration.

User access issues

  • Confirm user email domains match your configured email domains list.

  • Verify that users are assigned to the appropriate application in your IdP.

  • Check that required attributes are being passed.
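The attribute and email-domain checks above can be run against a decoded SAML assertion captured during Test Connection. This is an added example, not code from Branch or Auth0. The attribute names (`email`, `firstName`, `lastName`) and the exact, case-insensitive domain match are assumptions to adjust to your own setup, and the script inspects attributes only; it does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute names; use the names from your own attribute-mapping step.
REQUIRED = {"email": "Email", "firstName": "First name", "lastName": "Last name"}

# Constructed sample (not real data): the IdP sends "surname" where the
# mapping expects "lastName", a typical attribute-mapping mismatch.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>Pat.Lee@Example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="surname"><saml:AttributeValue>Lee</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute name: first non-empty value} from an assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        text = (value.text or "").strip() if value is not None else ""
        if text:
            attrs[attr.get("Name")] = text
    return attrs


def check_assertion(assertion_xml, allowed_domains):
    """List the problems that would explain a failed or rejected login."""
    attrs = read_attributes(assertion_xml)
    problems = [f"missing attribute: {label} ({name})"
                for name, label in REQUIRED.items() if name not in attrs]
    email = attrs.get("email", "")
    # Compare only the part after the last "@", case-insensitively and exactly,
    # so look-alikes such as "example.com.other.test" do not match "example.com".
    domain = email.rpartition("@")[2].lower()
    if email and domain not in {d.lower() for d in allowed_domains}:
        problems.append(f"email domain not configured: {domain}")
    return problems
```
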


FAQ

What is the purpose of using Auth0 for Branch?

Auth0 enables single sign-on (SSO) for managing team access to the Branch Dashboard through an identity provider (IdP).

I already have Branch SSO set up. Do I use this same guide to migrate to Auth0?

Yes, existing Branch SSO users should follow the same steps in this guide to migrate to the new Auth0 system.

What do I need to configure SSO for Branch?

You need admin access to your Branch account and your organization's IdP, as well as SSO enabled for your account.

SSO requires a premium plan. Please contact the Sales team for pricing and availability.

How can I test the SSO connection after configuration?

You can test the connection by clicking Test Connection on the Branch configuration page and logging in using your IdP.

What should I do if users are having access issues?

Confirm that user email domains match the configured email domains and verify that users are assigned to the appropriate application in your IdP.