Organisation-level SSO (Public preview)
Manage single sign-on (SSO) for all accounts within your organisation.
If your business operates across multiple Stripe accounts and uses single sign-on (SSO) to authenticate users, you can centrally configure SSO with Stripe Organisations. You can add accounts that already have SSO configured to an organisation, or configure SSO for all your accounts after you create an organisation.
Add accounts that you configured with SSO to an organisation
If you have already configured SSO across multiple accounts, your accounts must share the same SSO settings before you can add them to an organisation. To do this, you must consolidate separate identity provider (IdP) apps and SSO integrations for each Stripe account into a single integration per IdP. Learn how to consolidate SSO integrations for your existing Stripe accounts.
When you create your organisation, Stripe consolidates the SSO settings of your accounts under your organisation’s user authentication settings. This action changes the SSO settings in each individual account to read-only. Users of the account can still sign in to their accounts using SSO. However, you can only edit specific settings, such as settings related to verified domains and enforcement, at the organisation level.
After setting up your organisation with SSO, you can add accounts that don’t use SSO and accounts that share the organisation’s SSO configuration.
Configure SSO throughout an organisation
Instead of setting up SSO separately in each account, you can centrally configure SSO throughout all accounts in your organisation. Any organisation-level verified domains or SSO configurations apply to all accounts within the organisation.
Initial SSO setup
To set up SSO on Stripe for the first time, see Single sign-on.
SSO settings for each domain
You can configure separate SSO settings for each verified domain or reuse the same SSO settings for multiple domains. For example, within the same organisation, you can require SSO for one domain, set SSO to Optional for another, or disable it entirely to enable email and password logins.
Multiple Identity Providers
Stripe allows you to use multiple IdPs as long as each verified domain maps to exactly one IdP. For example, you can configure users with a rocketrides. email address to authenticate with Okta and users with a rocketdelivery. email address to authenticate with AzureAD.
Assign account-level and organisation-level roles
Organisation-level SSO operates similarly to SSO in a single account. When Stripe receives a SAML assertion from an IdP, we examine the accounts and roles specified within that SAML assertion. Based on this information, Stripe assigns roles to the user. You can assign a single account-level role, a single organisation-level role, or a combination of both account-level and organisation-level roles.
When you assign these roles, name the SAML attribute Stripe-Role-{accountID} for an account-level role or Stripe-Role-{org-id} for an organisation-level role. A claim whose name carries an account ID applies at the account level; a claim whose name carries an organisation ID applies at the organisation level (and therefore to every account in that organisation). Learn more about account-level and organisation-level roles.
The snippet of the SAML assertion below makes three claims for the user:
- In acct_ONE, the user is assigned the developer role
- In acct_TWO, the user is assigned the developer role
- In org_ALPHA, the user is assigned the view-only role
As a result of these assertions, Stripe grants this user a session with the developer role in the acct_ONE and acct_TWO accounts. Additionally, we assign the view-only role in the org_ALPHA Organisation and all accounts within that Organisation:
    <saml2:Attribute Name="Stripe-Role-acct_ONE" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Stripe-Role-acct_TWO" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Stripe-Role-org_ALPHA" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view_only</saml2:AttributeValue>
    </saml2:Attribute>
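Before enforcing SSO across an organisation it is worth checking what your IdP's attribute mapping actually hands out. The following Python is an added example, not Stripe's code or part of this page: it parses the Stripe-Role-* attributes out of a SAML 2.0 AttributeStatement, separates account-level claims (acct_ IDs) from organisation-level claims (org_ IDs), flags any Stripe-Role-* attribute whose target is neither, and computes the role set a user ends up with in each account once an organisation-level role is propagated to the organisation's member accounts. The assertion text is constructed to carry the three claims above plus an unrelated email attribute; the organisation membership table (including the hypothetical acct_THREE) is an assumption standing in for your own account inventory; and the assertion is assumed to have already been signature-verified, since this code does no cryptographic validation.

```python
"""Inspect the Stripe-Role-* claims in a SAML 2.0 assertion.

Added example, not Stripe's code. It parses the AttributeStatement, splits
account-level claims (Stripe-Role-acct_...) from organisation-level claims
(Stripe-Role-org_...), and works out the role set a user ends up with in each
account once organisation-level roles are propagated to member accounts.
Assumptions: the assertion below is constructed for this example, the
organisation membership table comes from your own account inventory, and the
assertion's signature has already been verified (no cryptographic checks here).
"""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_PREFIX = "Stripe-Role-"

# Constructed assertion fragment carrying the page's three role claims plus an
# unrelated attribute that a role parser must ignore.
ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>jane@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Stripe-Role-acct_ONE" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Stripe-Role-acct_TWO" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Stripe-Role-org_ALPHA" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view_only</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Assumed organisation membership; acct_THREE is a hypothetical account ID.
ORG_MEMBERS = {"org_ALPHA": {"acct_ONE", "acct_TWO", "acct_THREE"}}


def parse_role_claims(xml_text):
    """Return (account_roles, org_roles, unrecognised) from an assertion.

    account_roles maps acct_... IDs to a role, org_roles maps org_... IDs to a
    role, and unrecognised lists Stripe-Role-* attribute names whose target is
    neither an account nor an organisation ID, so a bad mapping is surfaced
    instead of silently dropped.
    """
    root = ET.fromstring(xml_text)
    account_roles, org_roles, unrecognised = {}, {}, []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        name = attr.get("Name", "")
        if not name.startswith(ROLE_PREFIX):
            continue  # e.g. email or displayName: not a role claim
        target = name[len(ROLE_PREFIX):]
        values = [v.text.strip() for v in attr.iterfind("saml2:AttributeValue", NS) if v.text]
        if len(values) != 1:
            raise ValueError(f"{name}: expected exactly one role value, got {values}")
        if target.startswith("acct_"):
            account_roles[target] = values[0]
        elif target.startswith("org_"):
            org_roles[target] = values[0]
        else:
            unrecognised.append(name)
    return account_roles, org_roles, unrecognised


def effective_roles(account_roles, org_roles, org_members):
    """Roles the user holds in each account after propagating org-level roles.

    An organisation-level role applies to every account in that organisation,
    so an account can carry both a directly assigned role and an inherited
    one. Roles are returned as sorted lists keyed by account ID.
    """
    effective = {acct: {role} for acct, role in account_roles.items()}
    for org_id, role in org_roles.items():
        for acct in org_members.get(org_id, ()):
            effective.setdefault(acct, set()).add(role)
    return {acct: sorted(roles) for acct, roles in effective.items()}


if __name__ == "__main__":
    accts, orgs, bad = parse_role_claims(ASSERTION)
    print("account-level:", accts)
    print("organisation-level:", orgs)
    print("unrecognised:", bad)
    for acct, roles in sorted(effective_roles(accts, orgs, ORG_MEMBERS).items()):
        print(f"{acct}: {', '.join(roles)}")
```

Run it against an assertion captured from your IdP's test login (after verifying its signature) and compare the printed per-account role lists with what you intended; an entry in the unrecognised list means an attribute name that carries neither an acct_ nor an org_ ID and will not map to a Stripe role at either level.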