Single sign-on with Azure Active Directory (Public preview)
Learn how to set up single sign-on in the Dashboard with Azure Active Directory.
Stripe supports Single Sign-On (SSO), allowing you to manage your team’s access and roles through your identity provider (IdP). This means your team can access Stripe without needing separate passwords. When SSO is configured, users (team members) are automatically redirected to your IdP for authentication when they sign in to Stripe.
Your IdP verifies that they have a valid role assignment to your Stripe accounts or organization, and generates a SAML assertion that Stripe uses to assign the proper roles in the Stripe Dashboard. When your account requires SSO, you must update team roles through your Identity Provider (IdP) for security. Changes to a team member’s roles only appear in Stripe after they sign in to the Dashboard again using the updated SAML assertion.
Set up SSO
To integrate your Stripe account with your IdP, complete the following steps:
- Prove ownership of the domains that your team uses to sign in to the Dashboard.
- Configure Azure Active Directory to work with Stripe.
- Configure Stripe to work with Azure Active Directory.
Proving Domain Ownership
A domain is the portion of an email address after the @ symbol (such as kavholm.). You must configure SSO for Stripe for each of your business’s email domains. To verify domain ownership:
- Navigate to User authentication in the Stripe Dashboard, and click + New domain to view your account’s unique verification code.
stripe-verification=4242424242424242424242
- Add the verification code as a TXT record at your Domain Name System (DNS) provider.
- Return to the Stripe Dashboard, and click Save and verify. Depending on your DNS provider, it can take 24 hours or more to verify your domain.
- After successful verification, don’t delete the TXT record from your DNS provider. If you delete it, you might lose access to the Dashboard because Stripe frequently checks the DNS records of your domain.
Multiple Stripe accounts support
If you’re configuring SSO for multiple Stripe accounts, you must create an organization to centrally configure SSO across all of your accounts. Alternatively, contact Stripe support to verify your domain across separate accounts with one shared verification code.
Configuring Azure Active Directory
Caution
These instructions assume you already have a Directory in your Azure account.
Create an application
To configure Azure AD, create a new application to represent the relationship between Azure AD and the Stripe Dashboard.
Navigate to Azure Active Directory on the left panel, then select Enterprise Applications.
Click New application. Choose Non-gallery application from the Add an application window. Enter a name, and press Add.
When the app has been created, click on Single sign-on under the Manage section of the menu. Select SAML.
On this form, edit the Basic SAML Configuration.
Enter the following values, then click Save.
Setting | Value |
---|---|
Identifier | https://dashboard.stripe.com/saml/metadata |
Reply URL | https://dashboard.stripe.com/login/saml/consume |
Make sure that the signing algorithm configuration is correct. Edit the SAML Signing Certificate section and verify the following settings:
- Signing Option: Sign SAML assertion
- Signing Algorithm: SHA-256
Assign roles to your team
Assign Stripe roles to your users by configuring Claims that contain the desired Stripe role in Azure. The name of the claim represents the Stripe account where you want to set roles. The value of the claim represents the roles you want to assign.
Stripe supports the following roles. Some of these roles are only available if your account uses the applicable Stripe product. For more information, see User roles supported by Stripe.
Role | Value |
---|---|
Administrator | admin |
Analyst | analyst |
Cardholder | cardholder |
Connect Onboarding Analyst | connect_ |
Connect Risk Analyst | connect_ |
Data Migration Specialist | date_ |
Developer | developer |
Dispute Analyst | dispute_ |
Financial Connections Specialist | financial_ |
IAM Admin | iam_ |
Identity Analyst | identity_ |
Identity View only | identity_ |
Issuing Support Agent | issuing_ |
Opal View only | opal_ |
Sandbox Administrator | sandbox_ |
Sandbox User | sandbox_ |
Super Administrator | super_ |
Support Associate | support_ |
Support Communications | support_ |
Support only | support_ |
Support Specialist | support_ |
Refund Analyst | refund_ |
Tax Analyst | tax_ |
Terminal Specialist | terminal_ |
Topups only | topups_ |
Top-up Specialist | topup_ |
Transfer Analyst | transfer_ |
View only | view_ |
Add a Claim
- Edit the Attributes & Claims section.
- Change the Name identifier value field, so that its Source attribute is user.mail.
- Click the Add new claim button. For this new claim:
- Set the Name to Stripe-Role-{{STRIPE_ACCOUNT_ID}}. This identifies which Stripe account you authenticate your team member to (in the Dashboard, it is set to whichever Stripe account you’re signed in to while viewing this page).
- Set the Source attribute to your team member’s Dashboard role.
- To assign multiple roles to a user during login, add a semicolon after each role. For example, you can set the attribute to analyst; developer;. In this case, the user obtains the analyst and the developer roles when they sign in.
Assign roles based on group membership
To assign roles based on a user’s group membership, you can use Claim conditions to scope a claim’s value to a particular condition.
- Expand the Claim conditions section on the Manage claim page.
- In the User type column, select Members from the dropdown.
- Click the Select groups link to pick the groups you want to receive a particular role.
- In the Source column, select Attribute from the dropdown.
- Set the Value column to the Dashboard role that you would like members of that group to receive.
- To assign multiple roles to group members, separate each role with a semicolon.
Multiple Stripe accounts
Add a Claim per Stripe account. For a list of account IDs navigate to the list of account tokens in the Accounts section of your Profile.
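As an added example (not Stripe’s or Microsoft’s code), this shows how the Stripe-Role-{{STRIPE_ACCOUNT_ID}} claims described above arrive inside a SAML assertion, parsed per account with the semicolon-separated role values split out and checked against the role values spelled out on this page; the account IDs, email address and assertion XML are constructed placeholders. Only the four role values written out in full above are treated as known, and in any real handler the assertion’s XML signature must be verified before its attributes are trusted.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_PREFIX = "Stripe-Role-"
# Role values spelled out in full on this page; the remaining values are
# truncated here and must be read from the Dashboard's role list.
KNOWN_ROLES = {"admin", "analyst", "cardholder", "developer"}

# Constructed sample of the AttributeStatement Azure AD emits for two
# per-account claims plus one built-in claim. IDs/addresses are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jenny@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Stripe-Role-acct_EXAMPLE1">
      <saml:AttributeValue>analyst; developer;</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Stripe-Role-acct_EXAMPLE2">
      <saml:AttributeValue>admin; anlyst</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def split_roles(value):
    """Split 'analyst; developer;' into ['analyst', 'developer']; a trailing ';' is allowed."""
    return [r.strip() for r in value.split(";") if r.strip()]


def roles_per_account(assertion_xml):
    """Map each account ID named in a Stripe-Role-* claim to the roles it carries.

    Only the attribute statement is read; signature checking (required before
    trusting any of this) is out of scope for the example."""
    root = ET.fromstring(assertion_xml)
    mapping = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if not name.startswith(CLAIM_PREFIX):
            continue  # skip Azure AD's built-in claims (tenant id, etc.)
        account = name[len(CLAIM_PREFIX):]
        roles = mapping.setdefault(account, [])
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            roles.extend(split_roles(val.text or ""))
    return mapping


def unknown_roles(mapping, known=KNOWN_ROLES):
    """Roles that are not in the known set, per account, to catch typos before enforcing SSO."""
    bad = {acct: [r for r in roles if r not in known] for acct, roles in mapping.items()}
    return {acct: roles for acct, roles in bad.items() if roles}
```

A misspelled role such as anlyst in the sample would silently grant nothing at sign-in, so catching it in a pre-go-live check like this avoids locking a team member out once enforcement is set to Required.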
Assign users to the new application
Navigate back to your application (on the Enterprise Applications page), and select the Users & Groups menu item. Here, you can assign team members to your application. For each team member you want to authenticate to the Stripe Dashboard, you’ll need to assign them to the application either directly, or using a group.
Configuring Stripe
Configure your Stripe account to connect to your identity provider from the User authentication page.
To configure Stripe to connect to your identity provider, you need:
- Issuer ID: An identifier of your identity provider.
- Identity provider URL: The URL of your identity provider that your team members are redirected to, so they can authenticate.
- Identity provider certificate: The X.509 certificate that your identity provider uses to sign assertions.
Find these values in your identity provider
In Azure Active Directory, you can find these values by navigating back to the application you created and selecting the Single sign-on tab.
Name of property in Stripe | Name of property in Azure AD |
---|---|
Issuer ID | Azure AD Identifier |
Identity provider URL | Login URL |
Identity provider certificate | Certificate (Base64) |
Test your configuration
Before saving your settings, a test runs to validate your SSO integration. After you click the Test button, a window opens in your browser that redirects to your identity provider to sign in. After you sign in, the window automatically closes and test results display on the original page.
If the test succeeds, you can save the settings, and select an enforcement mode. If the test fails, modify your configuration to address the issues reported and test the integration again.
Select an enforcement mode for SSO
When using SSO, there are three separate enforcement modes that you can choose from. These affect which methods of authentication your team members can use.
Mode | SSO authentication allowed | Regular authentication allowed |
---|---|---|
Off | No | Yes |
Optional | Yes | Yes |
Required | Yes | No |
Authenticate with SSO
Note
Stripe supports Just-in-Time (JIT) account provisioning. If a team member doesn’t have a Stripe account at the time of authentication, we create one for them with the role specified in the SAML assertion.
After you finish configuring SSO, your team members can sign in with any of these methods:
IdP-initiated login
To use IdP-initiated login, the IdP needs to support Service Provider-initiated login. Refer to your IdP’s documentation.
SSO URL
Use the following login URL with your domain to directly sign in to your account with SSO. This URL includes the domain and account you want to use for SSO authentication. If you change the account token at the end of the URL, it authenticates you against a different account.
https://dashboard.stripe.com/login/saml_direct/domain/{{YOUR_DOMAIN}}/merchant/{{STRIPE_ACCOUNT_ID}}
Support for multiple Stripe accounts
Support for multiple Stripe accounts: Change the account token at the end of the SSO URL to authenticate against another account. You can find the list of account tokens in the Accounts section of your Profile.
Multiple IdP connections: If you have multiple Stripe businesses with multiple IdP settings (for example, different SAML endpoints or issuer IDs) but sharing the same domain, we recommend using login URLs.
Stripe’s sign in page
Go to the Stripe sign in page and select Use single sign-on (SSO) instead.
If a team member has access to only SAML merchants, or does not have access to any merchants, Stripe redirects them to your identity provider, regardless of the contents in the password field.
Support for multiple Stripe accounts
If a team member has access to multiple accounts, Stripe sign in authenticates them with the default account connected to the team member.