Below are some of the most frequently asked questions about Single Sign-On (SSO) and their answers.
How is SSO enabled?
Setting up SSO with Built is a coordinated process between your organization and your Implementation Manager or Client Success Manager. Internal IT departments are generally responsible for managing all internal users’ SSO configuration and permissions.
Note: Learn more about SSO Set Up here.
How is SSO enforced?
Enabling SSO enforcement globally for your organization is a coordinated process between your organization and your Implementation Manager or Client Success Manager. Internal IT departments are generally responsible for managing SSO configuration and permissions. If SSO is enforced for all users, users can only log in to Built through SSO.
If SSO is enforced, how do I get access to Built?
If SSO is enforced globally for your organization, each user accessing Built must be configured to have SSO access properly enabled. Internal IT teams will be responsible for setting up the user's SSO configuration. Refer to internal IT teams for administering access for users.
What is an Org ID or Organization ID? What should I put for it when logging in?
An Org ID (Organization ID) is a security measure that redirects users to your institution’s login screen for Built. Your organization’s Built sponsor, typically the person who has Technical or Lender Administrator access for your institution, set up the Org ID with Built during your implementation. Refer to internal teams to confirm your Organization ID if needed.
What is the SSO response URL?
The SSO response URL is a specific endpoint on the Service Provider's (SP) application where the Identity Provider (IdP) sends the authentication token or SAML response after a user successfully signs in. This URL is also commonly known by several other names: Assertion Consumer Service (ACS) URL, Reply URL, Recipient URL, Destination URL, Callback URL, Target URL. You may call it by the platform name, such as Okta, Azure AD, PingFederate, or ADFS. During the SSO setup process, an administrator for the Service Provider must provide this URL to the Identity Provider, or vice-versa, to establish a trusted connection. The exact URL is specific to the application you are integrating with and your organization's specific configuration. It is not a universal URL.
Can Built auto-provision users?
Not at this time. Auto-provisioning entails custom coding for each client. Our current process enables us to get our clients up and running as fast as possible while we continue to develop.
How should I send my SAML 2.0 metadata? URL or XML file?
Either option is fine, but we prefer you send us a URL. The URL information updates automatically if there are any changes. Sending us the URL means that we can get that information ourselves rather than have you send us an updated file.
Can I use IdP-initiated auth?
At this time, we only support SP-initiated auth. Anything using IdP-initiated auth, even if it is just a part like the test button in Okta, isn’t supported at this time.
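As an added illustration (not Built's code or configuration), this Python example shows the routing checks a Service Provider can apply at its response URL when only SP-initiated sign-in is supported: the response must be addressed to the configured ACS URL and must answer an AuthnRequest the SP actually issued. The ACS URL, request IDs and sample XML are constructed placeholders, and signature, issuer, audience and time-window validation are assumed to be handled by a SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholder, not a real Built endpoint.
ACS_URL = "https://sp.example.com/saml2/acs"

def sample_response(destination, in_response_to=None):
    """Build a constructed, unsigned SAML response for the demo."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" '
        'Version="2.0" Destination="%s"%s><saml:Assertion ID="_a1" '
        'Version="2.0"><saml:Subject><saml:SubjectConfirmation '
        'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData Recipient="%s"%s/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion>'
        '</samlp:Response>'
        % (NS["samlp"], NS["saml"], destination, irt, destination, irt))

def check_response_routing(xml_text, acs_url, pending_request_ids):
    """Return routing problems found; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # No InResponseTo means no AuthnRequest preceded it: IdP-initiated.
        problems.append("unsolicited (IdP-initiated) response")
    elif in_response_to not in pending_request_ids:
        problems.append("InResponseTo does not match a pending AuthnRequest")
    confirmations = root.findall(".//saml:SubjectConfirmationData", NS)
    if not confirmations:
        problems.append("no SubjectConfirmationData")
    for scd in confirmations:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient does not match ACS URL")
    return problems

if __name__ == "__main__":
    pending = {"_req42"}  # IDs of AuthnRequests the SP has sent (constructed)
    cases = [("SP-initiated", sample_response(ACS_URL, "_req42")),
             ("IdP-initiated", sample_response(ACS_URL)),
             ("wrong ACS", sample_response("https://other.example.net/acs", "_req42"))]
    for label, xml_text in cases:
        print(label, check_response_routing(xml_text, ACS_URL, pending))
```

After a response passes, the SP should remove its request ID from the pending set so the same response cannot be accepted twice.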
Troubleshooting error messages
“Invalid SAML response received: PreSignUp failed with error Unable to automatically create SSO-enabled account. Confirm SSO details have been configured for user”
This error indicates that the user does not exist in Built. The user may be provisioned in your system; however, they must be added to Built to complete the process and successfully log in as that user. The organization’s Lender or Technical Administrator will need to add a user.
“Invalid SAML response received: PreSignUp failed with error {"errors": ["Missing email address"]}”
This error indicates that either a user has not been created with these credentials, or the credentials entered don’t match what has been created. The organization’s Lender or Technical Administrator will need to add a user or confirm the existing user’s credentials.
“Invalid Email Address: Your account is not set up for single sign on. Please contact your IT administrator for more information”
This error indicates your organization has already been set up for Single Sign-On access, which means you can’t use your email address to log in to Built. Instead, enter your Organization ID in the field below to log in. Refer to internal teams to confirm your Organization ID if needed.
“Please contact your administrator to assign access to this application”
This error indicates the user has not yet been configured with Single Sign-On access within your organization. Refer to internal IT teams for administering access for this user.
FAQ
What responsibilities does the internal IT department have regarding SSO?
The internal IT department is responsible for managing user SSO configurations and permissions within the organization.
What happens if a user is not configured for SSO access?
If a user is not configured for SSO access, they will not be able to log in to Built and will need to contact their internal IT team for assistance.
Can I change my SSO settings after they have been configured?
Changes to SSO settings typically require coordination with your Implementation Manager or Client Success Manager.
What should I do if I forget my Organization ID?
If you forget your Organization ID, you should reach out to your internal teams or the Built sponsor at your institution for assistance.
Is it possible to use SSO with multiple Identity Providers?
Currently, Built supports SSO with specific Identity Providers as configured during the setup process.