
Organisation-level SSO (Public preview)

Manage single sign-on (SSO) for all accounts within your organisation.

If your business operates across multiple Stripe accounts and uses single sign-on (SSO) to authenticate users, you can centrally configure SSO with Stripe Organisations. You can add accounts that already have SSO configured to an organisation, or configure SSO for all your accounts after you create an organisation.

Add accounts that you configured with SSO to an organisation

If you have multiple accounts with SSO configured, you can’t preserve their individual SSO settings in your organisation. You must consolidate multiple authentication apps into a single authentication app for multiple accounts.

When you create your organisation, Stripe consolidates the SSO settings of your accounts under your organisation’s user authentication settings. This action updates the SSO settings in each individual account to read-only. You can still log in to individual accounts, but you must edit settings like verified domains and enforcement exclusively from the organisation.

After setting up your organisation with SSO, you can add accounts that either don’t use SSO or that share the organisation’s SSO configuration. You can’t add accounts that have separate SSO authentication.

Configure SSO throughout an organisation

Instead of setting up SSO separately in each account, you can centrally configure SSO throughout all accounts in your organisation. Any organisation-level verified domains or SSO configurations apply to all accounts within the organisation.

Initial SSO setup

To set up SSO on Stripe for the first time, see Single sign-on.

SSO settings for each domain

You can configure separate SSO settings for each verified domain or reuse the same SSO settings for multiple domains. For example, within the same organisation, you can require SSO for one domain, set SSO to Optional for another, or disable it entirely to enable email and password logins.

Multiple Identity Providers

Stripe allows you to have multiple identity providers (IdPs) when each verified domain has only one IdP. For example, you can configure users with a rocketrides.com email address to authenticate with Okta and configure users with a rocketdelivery.com email address to authenticate with AzureAD.

Assign account-level and organisation-level roles

Organisation-level SSO operates similarly to SSO in a single account. When Stripe receives a SAML assertion from an IdP, we examine the accounts and roles specified within that SAML assertion. Based on this information, Stripe assigns roles to the user. You can assign a single account-level role, a single organisation-level role, or a combination of both account-level and organisation-level roles.

When you assign these roles, use the Stripe-Role-{accountID} or Stripe-Role-{org-id} prefixes for the account and organisation IDs respectively. We assign claims that include an account ID at the account level, and claims that include an organisation ID at the organisation level. Learn more about account-level and organisation-level roles.

The snippet of the SAML assertion below has three claims being made for the user:

  1. In acct_ONE the user is being assigned the developer role
  2. In acct_TWO the user is being assigned the developer role
  3. In org_ALPHA the user is being assigned the view-only role

As a result of these assertions, Stripe grants this user a session with the developer role in the acct_ONE and acct_TWO accounts. Additionally, we assign the view-only role in the org_ALPHA Organisation and all accounts within that Organisation:

<saml2:Attribute Name="Stripe-Role-acct_ONE" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="Stripe-Role-acct_TWO" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="Stripe-Role-org_ALPHA" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view_only</saml2:AttributeValue>
</saml2:Attribute>
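
An added example, not part of Stripe's documentation or code: a review script that reads the Stripe-Role-* attributes from an assertion your IdP produces in a test login, splits them into account-level and organisation-level claims, and reports any role that is not on an approved list. The function names, the approved-list shape, the AttributeStatement wrapper, and the acct_/org_ prefix test (taken from the IDs shown above) are assumptions.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PREFIX = "Stripe-Role-"

# Constructed sample: the three claims from the snippet above, wrapped in an
# AttributeStatement that declares the SAML 2.0 assertion namespace.
SAMPLE = """\
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="Stripe-Role-acct_ONE">
    <saml2:AttributeValue>developer</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Stripe-Role-acct_TWO">
    <saml2:AttributeValue>developer</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Stripe-Role-org_ALPHA">
    <saml2:AttributeValue>view_only</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""


def stripe_role_claims(xml_text):
    """Group Stripe-Role-* claims by level. Reads your own IdP's test output
    only; it does not verify the assertion's signature."""
    claims = {"account": {}, "organisation": {}, "unrecognised": []}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name", "")
        if not name.startswith(PREFIX):
            continue  # not a Stripe role claim
        target = name[len(PREFIX):]
        if target.startswith("acct_"):      # assumption: account IDs look like acct_...
            level = "account"
        elif target.startswith("org_"):     # assumption: organisation IDs look like org_...
            level = "organisation"
        else:
            claims["unrecognised"].append(name)
            continue
        values = attr.findall(f"{{{SAML2}}}AttributeValue")
        roles = [(v.text or "").strip() for v in values]
        claims[level].setdefault(target, []).extend(roles)
    return claims


def unexpected_claims(claims, approved):
    """Return (target, role) pairs absent from approved: {target_id: {roles}}."""
    found = []
    for level in ("account", "organisation"):
        for target, roles in claims[level].items():
            found += [(target, r) for r in roles if r not in approved.get(target, set())]
    return sorted(found)
```

An organisation-level claim deserves the closest review, because per the text above it applies to every account within the organisation.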