Applies to:
- Plan -
- Deployment -
Summary
Issue: Users can sign in from braintrust.dev, but clicking the Braintrust tile in Okta fails withRelayState parameter is missing from the SAML Response or saml_response_relaystate_missing.
Cause: This can happen when IdP-initiated login has not been enabled for the Braintrust SAML connection. Other SAML configuration issues can produce similar Okta tile failures, so verify the direct Braintrust login path before changing Okta settings.
Resolution: Contact Braintrust support and ask them to verify that IdP-initiated login is enabled for your SAML connection.
Resolution steps
Step 1: Confirm the error
Check whether the failing Okta tile flow returns an error like:Step 2: Compare with direct Braintrust sign-in
Go directly to braintrust.dev and sign in with SSO.- If direct sign-in works but the Okta tile fails, ask Braintrust support to verify the IdP-initiated login setting for your SAML connection.
- If direct sign-in also fails, continue troubleshooting the broader SAML setup, including the metadata URL, identity provider issuer, certificate, email domain, and user assignment.
Step 3: Ask Braintrust support to verify IdP-initiated login
Open a support ticket and include:- The identity provider you use, such as Okta Workforce.
- The affected email domain.
- A screenshot or copy of the missing RelayState error.
- Whether direct sign-in from braintrust.dev succeeds.
Step 4: Test the Okta tile again
After support confirms the SAML connection update, refresh Okta and try the Braintrust tile again.Temporary workaround
If users need access before the Okta tile is fixed, have them sign in from braintrust.dev directly.Notes
- Do not assume this error requires changing the Okta Default RelayState value. Braintrust support should verify the SAML connection settings first.
- If users see
saml_email_address_domain_mismatch, follow the SAML domain mismatch troubleshooting guide instead.