
Organization-level SSO

Manage single sign-on (SSO) for all accounts within your organization.


If your business operates across multiple Stripe accounts and uses single sign-on (SSO) to authenticate users, you can centrally configure SSO with Stripe Organizations. You can add accounts that already have SSO configured to an organization, or configure SSO for all your accounts after you create an organization.

Add accounts that you configured with SSO to an organization

If you have multiple accounts with SSO configured, you can’t preserve their individual SSO settings in your organization. You must consolidate multiple authentication apps into a single authentication app for multiple accounts.

When you create your organization, Stripe consolidates the SSO settings of your accounts under your organization’s user authentication settings. This action updates the SSO settings in each individual account to read-only. You can still log into individual accounts, but you must edit settings like verified domains and enforcement exclusively from the organization.

After setting up your organization with SSO, you can add accounts that either don’t use SSO or that share the organization’s SSO configuration. You can’t add accounts that have separate SSO authentication.

Configure SSO throughout an organization

Instead of setting up SSO separately in each account, you can centrally configure SSO throughout all accounts in your organization. Any organization-level verified domains or SSO configurations apply to all accounts within the organization.

Initial SSO setup

To set up SSO on Stripe for the first time, see Single sign-on.

SSO settings for each domain

You can configure separate SSO settings for each verified domain or reuse the same SSO settings for multiple domains. For example, within the same organization, you can require SSO for one domain, set SSO to Optional for another, or disable it entirely to enable email and password logins.

Multiple Identity Providers

Stripe allows you to have multiple IdPs when each verified domain has only one IdP. For example, you can configure users with a rocketrides.com email address to authenticate with Okta and configure users with a rocketdelivery.com email address to authenticate with AzureAD.

Assign account-level and organization-level roles

Organization-level SSO operates similarly to SSO in a single account. When Stripe receives a SAML assertion from an IdP, we examine the accounts and roles specified within that SAML assertion. Based on this information, Stripe assigns roles to the user. You can assign a single account-level role, a single organization-level role, or a combination of both account-level and organization-level roles.

When you assign these roles, name each attribute Stripe-Role-{accountID} for an account or Stripe-Role-{org-id} for an organization. We apply claims that include an account ID at the account level, and claims that include an organization ID at the organization level. Learn more about account-level and organization-level roles.

The snippet of the SAML assertion below has three claims being made for the user:

  1. In acct_ONE the user is being assigned the developer role
  2. In acct_TWO the user is being assigned the developer role
  3. In org_ALPHA the user is being assigned the view-only role

As a result of these assertions, Stripe grants this user a session with the developer role in the acct_ONE and acct_TWO accounts. Additionally, we assign the view-only role in the org_ALPHA Organization and all accounts within that Organization:

```xml
<saml2:Attribute Name="Stripe-Role-acct_ONE" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="Stripe-Role-acct_TWO" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="Stripe-Role-org_ALPHA" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view_only</saml2:AttributeValue>
</saml2:Attribute>
```
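To review what an IdP role mapping would grant before enabling it, the following added example (not Stripe's code) groups the Stripe-Role-* attributes of an assertion by scope and flags names that match neither form. It assumes IDs begin with `acct_` or `org_` as in the example above; the sample assertion and the `allowed_org_roles` allow-list are constructed for illustration, and the script does not verify the SAML signature.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # SAML 2.0 assertion namespace
PREFIX = "Stripe-Role-"

# Constructed sample: the page's three claims (attributes trimmed) plus one
# deliberately malformed name that uses "org-" instead of "org_".
SAMPLE = f"""<saml2:AttributeStatement xmlns:saml2="{NS}">
  <saml2:Attribute Name="Stripe-Role-acct_ONE">
    <saml2:AttributeValue>developer</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Stripe-Role-acct_TWO">
    <saml2:AttributeValue>developer</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Stripe-Role-org_ALPHA">
    <saml2:AttributeValue>view_only</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Stripe-Role-org-ALPHA">
    <saml2:AttributeValue>view_only</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""

def stripe_role_claims(xml_text):
    """Group Stripe-Role-* attributes into account and organization claims."""
    claims = {"account": {}, "organization": {}, "unrecognized": []}
    for attr in ET.fromstring(xml_text).iter(f"{{{NS}}}Attribute"):
        name = attr.get("Name", "")
        if not name.startswith(PREFIX):
            continue  # unrelated attribute (email, groups, ...)
        target = name[len(PREFIX):]
        values = attr.findall(f"{{{NS}}}AttributeValue")
        roles = [v.text.strip() for v in values if v.text and v.text.strip()]
        scope = ("account" if target.startswith("acct_")
                 else "organization" if target.startswith("org_") else None)
        if scope and roles:
            claims[scope].setdefault(target, []).extend(roles)
        else:
            claims["unrecognized"].append(name)
    return claims

def review(claims, allowed_org_roles=frozenset({"view_only"})):
    """Flag org-level roles outside a hypothetical allow-list, and bad names."""
    findings = [f"{org}: '{role}' would apply to all accounts in the organization"
                for org, roles in claims["organization"].items()
                for role in roles if role not in allowed_org_roles]
    findings += [f"{name}: no acct_/org_ target or no role value"
                 for name in claims["unrecognized"]]
    return findings

if __name__ == "__main__":
    for finding in review(stripe_role_claims(SAMPLE)):
        print(finding)
```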