Organization-level SSO (Public preview)
Manage single sign-on (SSO) for all accounts within your organization.
If your business operates across multiple Stripe accounts and uses single sign-on (SSO) to authenticate users, you can centrally configure SSO with Stripe Organizations. You can add accounts that already have SSO configured to an organization, or configure SSO for all your accounts after you create an organization.
Add accounts that you configured with SSO to an organization
If you have already configured SSO across multiple accounts, your accounts must share the same SSO settings before you can add them to an organization. To do this, you must consolidate separate identity provider (IdP) apps and SSO integrations for each Stripe account into a single integration per IdP. Learn how to consolidate SSO integrations for your existing Stripe accounts.
When you create your organization, Stripe consolidates the SSO settings of your accounts under your organization’s user authentication settings. This action changes the SSO settings in each individual account to read-only. Users of the account can still sign into their accounts without using SSO. However, you can only edit specific settings, such as settings related to verified domains and enforcement, at the organization level.
After setting up your organization with SSO, you can add accounts that don’t use SSO and accounts that share the organization’s SSO configuration.
Configure SSO throughout an organization
Instead of setting up SSO separately in each account, you can centrally configure SSO throughout all accounts in your organization. Any organization-level verified domains or SSO configurations apply to all accounts within the organization.
Initial SSO setup
To set up SSO on Stripe for the first time, see Single sign-on.
SSO settings for each domain
You can configure separate SSO settings for each verified domain or reuse the same SSO settings for multiple domains. For example, within the same organization, you can require SSO for one domain, set SSO to Optional for another, or disable it entirely to enable email and password logins.
Multiple Identity Providers
Stripe allows you to have multiple IdPs when each verified domain has only one IdP. For example, you can configure users with a rocketrides. email address to authenticate with Okta and configure users with a rocketdelivery. email address to authenticate with AzureAD.
Assign account-level and organization-level roles
Organization-level SSO operates similarly to SSO in a single account. When Stripe receives a SAML assertion from an IdP, we examine the accounts and roles specified within that SAML assertion. Based on this information, Stripe assigns roles to the user. You can assign a single account-level role, a single organization-level role, or a combination of both account-level and organization-level roles.
When you assign these roles, use the Stripe-Role-{accountID} or Stripe-Role-{org-id} prefixes for the account and organization IDs respectively. We assign claims that include an account ID at the account-level, and claims that include organization IDs at the organization-level. Learn more about account-level and organization-level roles.
The snippet of the SAML assertion below has three claims being made for the user:
- In acct_ONE the user is being assigned the developer role
- In acct_TWO the user is being assigned the developer role
- In org_ALPHA the user is being assigned the view-only role
As a result of these assertions, Stripe grants this user a session with the developer role in the acct_ONE and acct_TWO accounts. Additionally, we assign the view-only role in the org_ALPHA Organization and all accounts within that Organization:
<saml2:Attribute Name="Stripe-Role-acct_ONE" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="Stripe-Role-acct_TWO" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="Stripe-Role-org_ALPHA" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view_only</saml2:AttributeValue>
</saml2:Attribute>
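The mapping described above (Stripe-Role-acct_ claims become account-level roles, Stripe-Role-org_ claims become organization-level roles, and an organization-level role reaches every account in the organization) can be checked from the IdP side before rolling a configuration out. The following Python is an added example and not Stripe's code: it parses the page's three claims, wrapped in a constructed AttributeStatement so the XML is well-formed, and computes the roles a session would hold. The ORG_MEMBERS table (including the hypothetical acct_THREE) is constructed; Stripe resolves organization membership itself. It assumes the assertion's signature has already been verified, so it only inspects attributes and never decides trust.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR_PREFIX = "Stripe-Role-"

# Constructed sample input: the three claims from the page's snippet, wrapped in an
# AttributeStatement with the SAML 2.0 assertion namespace declared so it parses.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="Stripe-Role-acct_ONE" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="Stripe-Role-acct_TWO" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="Stripe-Role-org_ALPHA" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view_only</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

# Constructed (hypothetical) organization membership: which accounts belong to which
# organization. Stripe resolves this server-side; it is an input here so the example runs offline.
ORG_MEMBERS = {"org_ALPHA": ["acct_ONE", "acct_TWO", "acct_THREE"]}


def parse_role_claims(xml_text):
    """Extract Stripe-Role-* claims from an AttributeStatement.

    Returns {"account": {acct_id: [roles]}, "organization": {org_id: [roles]}}.
    The attribute name alone decides the level: acct_ targets are account-level,
    org_ targets are organization-level; any other target is rejected, not guessed.
    Call this only on an assertion whose signature has already been verified.
    """
    root = ET.fromstring(xml_text)
    claims = {"account": {}, "organization": {}}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if not name.startswith(ROLE_ATTR_PREFIX):
            continue  # unrelated attribute (e.g. an email claim); not a role claim
        target = name[len(ROLE_ATTR_PREFIX):]
        if target.startswith("acct_"):
            level = "account"
        elif target.startswith("org_"):
            level = "organization"
        else:
            raise ValueError(f"unrecognized Stripe-Role target: {target!r}")
        values = [
            v.text.strip()
            for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
            if v.text and v.text.strip()
        ]
        if not values:
            raise ValueError(f"no role value for {name}")
        claims[level].setdefault(target, []).extend(values)
    return claims


def effective_roles(claims, org_members):
    """Compute the roles a session would hold per account and per organization.

    An organization-level role applies to the organization and to every account
    within it; an account-level role applies only to that one account.
    """
    effective = {}
    for org_id, roles in claims["organization"].items():
        effective.setdefault(org_id, set()).update(roles)
        for acct_id in org_members.get(org_id, []):
            effective.setdefault(acct_id, set()).update(roles)
    for acct_id, roles in claims["account"].items():
        effective.setdefault(acct_id, set()).update(roles)
    return {target: sorted(roles) for target, roles in sorted(effective.items())}


if __name__ == "__main__":
    parsed = parse_role_claims(SAMPLE_ATTRIBUTE_STATEMENT)
    for target, roles in effective_roles(parsed, ORG_MEMBERS).items():
        print(f"{target}: {', '.join(roles)}")
```

Running it lists acct_ONE and acct_TWO with both developer and view_only, acct_THREE with only view_only (inherited from org_ALPHA), and org_ALPHA with view_only. The unrecognized-target branch fails closed on purpose: a claim that matches the Stripe-Role- prefix but names neither an account nor an organization is more likely a misconfigured IdP mapping than something to grant.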