Single sign-on with Google WorkspacePublic preview

A domain is the portion of an email address after the @ symbol (such as kavholm.com). You must configure SSO for Stripe for each of your business’s email domains. To verify domain ownership:

1. Navigate to User authentication in the Stripe Dashboard, and click + New domain to view your account’s unique verification code.
       stripe-verification=4242424242424242424242
   

2. Add the verification code as a TXT record to your Domain Name System (DNS) provider.
3. Return to the Stripe Dashboard, and click Save and verify. Depending on your DNS provider, it can take 24 hours or more to verify your domain.
4. After successful verification, don’t delete the TXT record from your DNS provider. If you delete it, you might lose access to the Dashboard because Stripe frequently checks the DNS records of your domain.

• To configure Google Workspace, create a new SAML application to represent the relationship between Google Workspace and the Stripe Dashboard. In the menu accessible at the top left, select Apps, and click Web and mobile apps.

• Click the Add app menu and select Add custom SAML app. On the App details screen, set the App name and any other parameters you need. Click Continue.

• Save the SSO URL, Entity ID, and download the certificate. You need these in step 3. Next, click Continue.

• On the Service Provider Details screen, configure the following:

  Setting	Value
  ACS URL	https://dashboard.stripe.com/login/saml/consume
  Entity ID	https://dashboard.stripe.com/saml/metadata
  Name ID	Basic Information and Primary Email
  Name ID Format	EMAIL

• Click Continue and then click Finish on next screen to complete the SAML application set up.

Create a Google Workspace custom user attribute

To authenticate a team member to Stripe, configure Google Workspace with the role they have in the Stripe Dashboard per Stripe account. To do this, create an Attribute Mapping from a Google Workspace user property to your SAML application, then create a custom user property in Google Workspace to store this information.

• In the admin console main menu at the top left, select Directory, and click Users.

• In the menu of the user list, click More options and select the Manage custom attributes item. In the top right, click Add custom attribute.

• Enter a Category, Description, and Name as needed. Select an Info type of Text, a Visibility of your choice, set No. of values to Single Value, then click Add.

Map user attributes to the Stripe Dashboard

• After you create your custom user property, map that property to an attribute in the SAML assertions your application sends. To navigate back to your SAML application in the main menu, click the menu icon in the top left, select Apps, then Web and mobile apps.

• Choose your new application from the list, then click Configure SAML attribute mapping in the SAML attribute mapping section.

• Add a row for each Stripe account you want to authenticate your team to, and click Save.
  • Google Directory attributes is the custom field you configured.
  • App attribute is the Stripe account to connect to. The format is Stripe-Role-. The account ID value is your currently logged in account, such as: .

Multiple Stripe accounts support

Add one Attribute Mapping per account.

You can find the list of account tokens in the Accounts section of your Profile.

Assign roles to your team

• After you set up your SAML application, enable it for your users. Click Edit service at the top right of the application details.

• Select ON for everyone, and click Save.

• For each team member, set a Stripe role on their User Information page in the Directory. Navigate there in the main menu by clicking Directory, then Users. Select the user you want to set a role for from the list, click User Information, and scroll down to your new attribute.

• To assign multiple roles to a user upon login, you can add a semicolon after each role. For example, you can set the attribute as analyst; developer. In this case, the user obtains the analyst and the developer role when they sign in.

Stripe supports distinct Dashboard roles for each Stripe account. This allows team members to have the appropriate permission for each account they have access to.

Stripe supports the following roles. For more information, see User roles supported by Stripe.

Enter values from your identity provider

Configure your Stripe account to connect to your identity provider from the User authentication page.

To configure Stripe to connect to your identity provider you’ll need:

• Issuer ID: An identifier of your identity provider.
• Identity provider URL: The URL of your identity provider that your team members are redirected to, so they can authenticate.
• Identity provider certificate: The X.509 certificate that your identity provider uses to signs assertions.

Find these values in your identity provider

If you don’t have these values from Step 1, navigate to the SAML application you created earlier, select Service Provider Details, and click Manage certificates.

This opens a new window with the following information:

Download a copy of Certificate 1 to allow you to copy the certificate to Stripe.

Test your configuration

Before saving your settings, a test runs to validate your SSO integration. After you click the Test button, a window opens in your browser that redirects to your identity provider to sign in. After you sign in, the window automatically closes and test results display on the original page.

If the test succeeds, you can save the settings, and select an enforcement mode. If the test fails, modify your configuration to address the issues reported and test the integration again.

Select an enforcement mode for SSO

When using SSO, there are three separate enforcement modes that you can choose from. These affect which methods of authentication your team members can use.