Skip to content
Create account
 or
Sign in
The Stripe Docs logo
/
Create account
Sign in

Organization-level SSO

Manage single sign-on (SSO) for all accounts within your organization.

Copy page

If your business operates across multiple Stripe accounts and uses single sign-on (SSO) to authenticate users, you can centrally configure SSO with Stripe Organizations. You can add accounts that already have SSO configured to an organization, or configure SSO for all your accounts after you create an organization.

Add accounts that you configured with SSO to an organization

If you have multiple accounts with SSO configured, you can’t preserve their individual SSO settings in your organization. You must consolidate multiple authentication apps into a single authentication app for multiple accounts.

When you create your organization, Stripe consolidates the SSO settings of your accounts under your organization’s user authentication settings. This action updates the SSO settings in each individual account to read-only. You can still log into individual accounts, but you must edit settings like verified domains and enforcement exclusively from the organization.

After setting up your organization with SSO, you can add accounts that either don’t use SSO or that share the organization’s SSO configuration. You can’t add accounts that have separate SSO authentication.

Configure SSO throughout an organization

Instead of setting up SSO separately in each account, you can centrally configure SSO throughout all accounts in your organization. Any organization-level verified domains or SSO configurations apply to all accounts within the organization.

Initial SSO setup

To set up SSO on Stripe for the first time, see Single sign-on.

SSO settings for each domain

You can configure separate SSO settings for each verified domain or reuse the same SSO settings for multiple domains. For example, within the same organization, you can require SSO for one domain, set SSO to Optional for another, or disable it entirely to enable email and password logins.

Multiple Identity Providers

Stripe allows you to have multiple IdPs when each verified domain has only one IdP. For example, you can configure users with a rocketrides.com email address to authenticate with Okta and configure users with a rocketdelivery.com email address to authenticate with AzureAD.

Assign account-level and organization-level roles

Organization-level SSO operates similarly to SSO in a single account. When Stripe receives a SAML assertion from an IdP, we examine the accounts and roles specified within that SAML assertion. Based on this information, Stripe assigns roles to the user. You can assign a single account-level role, a single organization-level role, or a combination of both account-level and organization-level roles.

When you assign these roles, use the Stripe-Role-{accountID} or Stripe-Role-{org-id} prefixes for the account and organization IDs respectively. We assign claims that include an account ID at the account-level, and claims that include organization IDs at the organization-level. Learn more about account-level and organization-level roles.

The snippet of the SAML assertion below has three claims being made for the user:

  1. In acct_ONE the user is being assigned the developer role
  2. In acct_TWO the user is being assigned the developer role
  3. In org_ALPHA the user is being assigned the view-only role

As a result of these assertions, Stripe grants this user a session with the developer role in the acct_ONE and acct_TWO accounts. Additionally, we assign the view-only role in the org-ALPHA Organization and all accounts within that Organization:

      <saml2:Attribute Name="Stripe-Role-acct_ONE" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Stripe-Role-acct_TWO" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
      <saml2:Attribute Name="Stripe-Role-org_ALPHA" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view_only</saml2:AttributeValue>
Was this page helpful?
YesNo
Need help? Contact Support.
Join our early access program.
Check out our changelog.
Questions? Contact Sales.
LLM? Read llms.txt.
Powered by Markdoc