Skip to content
Create account
 or
Sign in
The Stripe Docs logo
/
Create account
Sign in

Single sign-on with Azure Active DirectoryPublic preview

Learn how to setup single sign-on in the Dashboard with Azure Active Directory.

Stripe supports Single Sign-On (SSO), allowing you to manage your team’s access and roles through your identity provider (IdP). This means your team can access Stripe without needing separate passwords. When SSO is configured, users (team members) are automatically redirected to your IdP for authentication when they sign in to Stripe.

Your IdP verifies if they have a valid role assignment to your Stripe accounts or organization, and generates a SAML assertion used by Stripe to assign the proper roles in the Stripe Dashboard. When your account requires SSO, you must update team roles through your Identity Provider (IdP) for security. Changes to a team member’s roles only appear in Stripe after they sign in to the Dashboard again using the updated SAML assertion.

Set up SSO

To integrate your Stripe account with your IdP, complete the following steps:

  1. Prove ownership of the domains that your team uses to sign in to the Dashboard.
  2. Configure Azure Active Directory to work with Stripe.
  3. Configure Stripe to work with Azure Active Directory.

Proving Domain Ownership

A domain is the portion of an email address after the @ symbol (such as kavholm.com). You must configure SSO for Stripe for each of your business’s email domains. To verify domain ownership:

  1. Navigate to User authentication in the Stripe Dashboard, and click + New domain to view your account’s unique verification code. 
        stripe-verification=4242424242424242424242
  2. Add the verification code as a TXT record to your Domain Name System (DNS) provider.
  3. Return to the Stripe Dashboard, and click Save and verify. Depending on your DNS provider, it can take 24 hours or more to verify your domain.
  4. After successful verification, don’t delete the TXT record from your DNS provider. If you delete it, you might lose access to the Dashboard because Stripe frequently checks the DNS records of your domain.

Multiple Stripe accounts support

If you’re configuring SSO for multiple Stripe accounts, you must create an organization to centrally configure SSO across all of your accounts. Alternatively, contact Stripe support to verify your domain across separate accounts with one shared verification code.

Configuring Azure Active Directory

Caution

These instructions assume you already have a Directory in your Azure account.

Create an application

  • To configure Azure AD, create a new application to represent the relationship between Azure AD and the Stripe Dashboard. To do this, navigate to Azure Active Directory on the left panel, then select Enterprise Applications.
  • Click New application. Choose Non-gallery application from the Add an application window. Enter a name, and press Add.
  • When the app has been created, click on Single sign-on under the Manage section of the menu. Select SAML.
  • On this form, edit the Basic SAML Configuration.

  • Enter the following values, then click Save.

    SettingValue
    Identifierhttps://dashboard.stripe.com/saml/metadata
    Reply URLhttps://dashboard.stripe.com/login/saml/consume

  • Make sure that the signing algorithm configuration is correct. Edit the SAML Signing Certificate section and verify the following settings:

    • Signing Option: Sign SAML assertion
    • Signing Algorithm: SHA-256

Assign roles to your team

To authenticate a team member to Stripe, configure your identity provider with the role they’ll have in the Stripe Dashboard. This is achieved by providing an Attribute Statement with each assertion that Azure AD sends to Stripe.

  1. Edit the User Attributes & Claims section.
  2. Change the Name identifier value field, so that its Source attribute is user.mail.
  3. Click the Add new claim button. For this new claim:
    • Set the Name to Stripe-Role-. This identifies which Stripe account you authenticate your team member to (and is set to whichever Stripe account you’re signed in to while viewing this page, currently: )
    • Set the Source attribute to your team member’s Dashboard role.
    • To assign multiple roles to a user during login, you can add a semicolon after each role. For example, you can set the attribute as analyst; developer;. In this case, the user obtains the analyst and the developer role when they sign in.

Configure Dashboard roles in your settings.

Stripe supports the following roles. For more information, see User roles supported by Stripe.

RoleValue
Administratoradmin
Analystanalyst
Cardholdercardholder
Connect Onboarding Analystconnect_onboarding_analyst
Connect Risk Analystconnect_risk_analyst
Data Migration Specialistdate_migration_specialist
Developerdeveloper
Dispute Analystdispute_analyst
Financial Connections Specialistfinancial_connections_specialist
IAM Adminiam_admin
Identity Analystidentity_analyst
Identity View onlyidentity_view_only
Issuing Support Agentissuing_support_agent
Opal View onlyopal_view_only
Sandbox Administratorsandbox_admin
Sandbox Usersandbox_user
Super Administratorsuper_admin
Support Associatesupport_associate
Support Communicationssupport_communications
Support onlysupport_only
Support Specialistsupport_specialist
Refund Analystrefund_analyst
Tax Analysttax_analyst
Terminal Specialistterminal_specialist
Topups onlytopups_only
Top-up Specialisttopup_specialist
Transfer Analysttransfer_analyst
View onlyview_only

Multiple Stripe accounts support

Add a Claim per Stripe account.

Navigate to the list of account tokens in the Accounts section of your Profile.

Navigate back to your application (on the Enterprise Applications page), and select the Users & Groups menu item. Here, you can assign team members to your application. For each team member you want to authenticate to the Stripe Dashboard, you’ll need to assign them to the application either directly, or using a group.

Configuring Stripe

Configure your Stripe account to connect to your identity provider from the User authentication page.

To configure Stripe to connect to your identity provider, you need:

  • Issuer ID: An identifier of your identity provider.
  • Identity provider URL: The URL of your identity provider that your team members are redirected to, so they can authenticate.
  • Identity provider certificate: The X.509 certificate that your identity provider uses to signs assertions.

Find these values in your identity provider

In Azure Active Directory, you can find these values by navigating back to the application you created and selecting the Single sign-on tab.

Name of property in StripeName of property in Azure AD
Issuer IDAzure AD Identifier
Identity provider URLLogin URL
Identity provider certificateCertificate (Base64)

Test your configuration

Before saving your settings, a test runs to validate your SSO integration. After you click the Test button, a window opens in your browser that redirects to your identity provider to sign in. After you sign in, the window automatically closes and test results display on the original page.

If the test succeeds, you can save the settings, and select an enforcement mode. If the test fails, modify your configuration to address the issues reported and test the integration again.

Select an enforcement mode for SSO

When using SSO, there are three separate enforcement modes that you can choose from. These affect which methods of authentication your team members can use.

ModeSSO authentication allowedRegular authentication allowed
OffNoYes
OptionalYesYes
RequiredYesNo

Authenticate with SSO

Note

Stripe supports Just-in-Time (JIT) account provisioning. If a team member doesn’t have a Stripe account at the time of authentication, we create one for them with the role specified in the SAML assertion.

After you finish configuring SSO, your team members can sign in with any of these methods:

IdP-initiated login

To use IdP-initiated login, the IdP needs to support Service Provider-initiated login. Refer to your IdP’s documentation.

SSO URL

Use the following login URL with your domain to directly sign in to your account with SSO. This URL includes the domain and account you want to use for SSO authentication. If you change the account token at the end of the URL, it authenticates you against a different account.

https://dashboard.stripe.com/login/saml_direct/domain/{{YOUR_DOMAIN}}/merchant/

Support for multiple Stripe accounts

Support for multiple Stripe accounts: Change the account token at the end of the SSO URL to authenticate against another account. You can find the list of account tokens in the Accounts section of your Profile.

Multiple IdP connections: If you have multiple Stripe businesses with multiple IdP settings (for example, different SAML endpoints or issuer IDs) but sharing the same domain, we recommend using login URLs.

Stripe’s sign in page

Go to the Stripe sign in page and select Use single sign-on (SSO) instead.

If a team member has access to only SAML merchants, or does not have access to any merchants, Stripe redirects them to your identity provider, regardless of the contents in the password field.

Support for multiple Stripe accounts

If a team member has access to multiple accounts, Stripe sign in authenticates them with the default account connected to the team member.

Was this page helpful?
YesNo
Need help? Contact Support.
Join our early access program.
Check out our product changelog.
Questions? Contact Sales.
Powered by Markdoc
On this page
Set up SSO
Proving Domain Ownership
Configuring Azure Active Directory
Create an application
Configuring Stripe
Authenticate with SSO
IdP-initiated login
SSO URL
Stripe’s sign in page