Skip to content
Create account
or
Sign in
The Stripe Docs logo
/
Ask AI
Create account
Sign in
Get started
Payments
Finance automation
Platforms and marketplaces
Money management
Developer tools
Get started
Payments
Finance automation
Get started
Payments
Finance automation
Platforms and marketplaces
Money management
OverviewExplore all products
Start building
Start developing
Sample projects
About the APIs
Building with LLMs
Use Stripe without code
Set up Stripe
Create an account
    Overview
    Activate your account
    Add funds to your balance
    Account checklist
    Acceptable verification documents
    Account structure
    Start a team
    Organizations
    Multiple separate accounts
    Linked external accounts
    Settings
    Branding
    Statement descriptors
    Custom email domain
    Custom domain
    Single sign-on
      Setup SSO
        Auth0
        Entra ID
        Google Workspace
        Okta
        OneLogin
        Other
      Consolidate SSO
      Troubleshoot SSO
    Stripe Verified
Products and prices
Web Dashboard
Mobile Dashboard
Migrate to Stripe
Migrate customer data
Migrate payment data
Migrate subscriptions
Manage fraud risk
Understand fraud
Radar fraud protection
Manage disputes
Verify identities
Regulatory support
HomeGet startedCreate an accountSingle sign-onSetup SSO

Single sign-on with OneLoginPublic preview

Learn how to setup single sign-on in the Dashboard with OneLogin.

Copy page

Stripe supports Single Sign-On (SSO), allowing you to manage your team’s access and roles through your identity provider (IdP). This means your team can access Stripe without needing separate passwords. When SSO is configured, users (team members) are automatically redirected to your IdP for authentication when they sign in to Stripe.

Your IdP verifies if they have a valid role assignment to your Stripe accounts or organization, and generates a SAML assertion used by Stripe to assign the proper roles in the Stripe Dashboard. When your account requires SSO, you must update team roles through your Identity Provider (IdP) for security. Changes to a team member’s roles only appear in Stripe after they sign in to the Dashboard again using the updated SAML assertion.

Set up SSO

To integrate your Stripe account with your IdP, you’ll need to complete three steps:

  1. Prove ownership of the domains that your team will use to sign in to the Dashboard.
  2. Configure OneLogin to work with Stripe.
  3. Configure Stripe to work with OneLogin.

Proving Domain Ownership

A domain is the portion of an email address after the @ symbol (such as kavholm.com). You must configure SSO for Stripe for each of your business’s email domains. To verify domain ownership:

  1. Navigate to User authentication in the Stripe Dashboard, and click + New domain to view your account’s unique verification code.
    stripe-verification=4242424242424242424242
  2. Add the verification code as a TXT record to your Domain Name System (DNS) provider.
  3. Return to the Stripe Dashboard, and click Save and verify. Depending on your DNS provider, it can take 24 hours or more to verify your domain.
  4. After successful verification, don’t delete the TXT record from your DNS provider. If you delete it, you might lose access to the Dashboard because Stripe frequently checks the DNS records of your domain.

Multiple Stripe accounts support

If you’re configuring SSO for multiple Stripe accounts, you must create an organization to centrally configure SSO across all of your accounts. Alternatively, contact Stripe support to verify your domain across separate accounts with one shared verification code.

Configuring OneLogin

Caution

There isn’t an official Stripe SAML connector in OneLogin yet. The only available Stripe app is for password-based authentication. Don’t use the password-based authentication for SAML.

  1. Create a new application to represent the relationship between OneLogin and the Stripe Dashboard. To do so, navigate to the Applications page, and select Add App.
  2. Find the SAML Test Connector (IdP w/ attr w/ sign response) app.
  1. Select Save, and navigate to the Configuration section. Then, enter the following values:
    • Audience: https://dashboard.stripe.com/saml/metadata
    • Recipient: https://dashboard.stripe.com/login/saml/consume
    • Consumer URL Validator: https://dashboard.stripe.com/login/saml/consume
    • Consumer URL: https://dashboard.stripe.com/login/saml/consume
  2. Select SSO on the side panel, and set the Signature Algorithm to SHA-256.
  3. Save your configuration changes by selecting Save.

Assign roles to your team

To authenticate a team member to Stripe and assign them roles, configure OneLogin to send the roles in the SAML assertions.

  1. Navigate to the Parameters section, and create a new Field
    • Set the Field name to Stripe-Role- . This identifies which account you sign in to.
    • Select Include in SAML assertion.
  2. In the next form, select the Dashboard role you want your users to have by default. Select Macro, and input the desired default role in the field below

Stripe supports the following roles. Some of these roles are only available if your account uses the applicable Stripe product. For more information, see User roles supported by Stripe.

RoleValue
Administratoradmin
Analystanalyst
Cardholdercardholder
Connect Onboarding Analystconnect_onboarding_analyst
Connect Risk Analystconnect_risk_analyst
Data Migration Specialistdata_migration_specialist
Developerdeveloper
Dispute Analystdispute_analyst
Financial Connections Specialistfinancial_connections_specialist
IAM Adminiam_admin
Identity Analystidentity_analyst
Identity View onlyidentity_view_only
Issuing Support Agentissuing_support_agent
Opal View onlyopal_view_only
Sandbox Administratorsandbox_admin
Sandbox Usersandbox_user
Super Administratorsuper_admin
Support Associatesupport_associate
Support Communicationssupport_communications
Support onlysupport_only
Support Specialistsupport_specialist
Refund Analystrefund_analyst
Tax Analysttax_analyst
Terminal Specialistterminal_specialist
Topups onlytopups_only
Top-up Specialisttopup_specialist
Transfer Analysttransfer_analyst
View onlyview_only

Support for multiple Stripe accounts

Repeat the previous step and add a parameter for each additional Stripe account. Select Add parameter, use the current account’s token for the Field name and choose the role you want your users to have by default.

The list of account tokens can be found in the Accounts section of your Profile.

  1. Navigate to the Users tab. Here, you can assign team members to your application. You can also configure which Roles a user obtains upon log in.
  2. Select the User you want to edit. Then, navigate to Applications on the side panel.
  3. In the next modal that opens, you can configure the roles that a user obtains when they log in. To use multiple roles, add a semicolon after each role. In the following example, the user obtains the analyst and the developer role when they sign in.

Configuring Stripe

Enter values from your identity provider

Next, configure your Stripe account to connect to your identity provider from the User authentication page.

To configure Stripe to connect to your identity provider you need:

  • Issuer ID: An identifier of your identity provider.
  • Identity provider URL: The URL of your identity provider that your team members are redirected to, so they can authenticate.
  • Identity provider certificate: The X.509 certificate that your identity provider signs assertions with.

How to find these values in your identity provider

In OneLogin, you can find these values by navigating to the SSO tab of your application.

Name of property in StripeName of property in OneLogin
Issuer IDIssuer URL
Identity provider URLSAML 2.0 Endpoint (HTTP)
Identity provider certificateX.509 certificate (click View Details)

Test your configuration

Before saving your settings, a test runs to validate your SSO integration. After you click the Test button, a window opens in your browser that redirects to your identity provider to sign in. After you sign in, the window automatically closes and test results display on the original page.

If the test succeeds, you can save the settings, and select an enforcement mode. If the test fails, modify your configuration to address the issues reported and test the integration again.

Select an enforcement mode for SSO

When using SSO, there are three separate enforcement modes that you can choose from. These affect which methods of authentication your team members can use.

ModeSSO authentication allowedRegular authentication allowed
OffNoYes
OptionalYesYes
RequiredYesNo

Authenticate with SSO

After you finish configuring SSO, you can inform your users to sign in with any of these methods:

Stripe’s sign in page

Users can navigate to the Stripe sign in page, enter their email, then select Use single sign-on (SSO).

If a user has access to multiple accounts, Stripe authenticates them with the default account connected to the user. If a user only has access to SAML merchants, or doesn’t have access to any merchants, Stripe redirects them to the IdP, regardless of the contents in the password field.

IdP-initiated login

To use IdP-initiated login, your IdP needs to support Service Provider-initiated login. Verify if this is possible using your IdP’s documentation.

SSO URL

Use the following login URL with your domain to directly sign in to your account with SSO. This URL includes the domain and account you want to use for SSO authentication. If you change the account token at the end of the URL, it authenticates you against a different account.

https://dashboard.stripe.com/login/saml_direct/domain/{{YOUR_DOMAIN}}/merchant/{{STRIPE_ACCOUNT_ID}}

Support for multiple Stripe accounts

If you’re configuring SSO for multiple Stripe accounts, first create an organization to centrally configure SSO across all of your accounts. You can change the account token at the end of the SSO URL to authenticate against another account. You can find the list of account tokens in the Accounts section of your Profile.

Multiple IdP connections: If you have multiple Stripe businesses with multiple IdP settings (for example, different SAML endpoints or issuer IDs) but share the same domain, we recommend using login URLs.

Revoke team member access

You can revoke a team member’s access using either active or passive methods.

Actively revoke access with an assertion

Send Stripe an assertion from your identity provider to grant a team member access to specific Stripe accounts. This also lets you revoke a team member’s access. To revoke access for a team member, assign them a role of none for the Stripe account’s access you want to revoke. For example:

<saml2:attribute name="Stripe-Role-STRIPE-ACCOUNT-ID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml2:attributevalue>none </saml2:attributevalue> </saml2:attribute>

Caution

You can’t revoke access for the owner of a Stripe account.

Passively revoke access with enforcement mode

When enforcement mode is set to required, only team members who can authenticate with your identity provider can access your Stripe account. In required mode, you can revoke a team member’s access to a Stripe account by preventing your identity provider from authenticating them. In the Stripe Dashboard, set SSO to required in User authentication.

Was this page helpful?
YesNo
Need help? Contact Support.
Join our early access program.
Check out our changelog.
Questions? Contact Sales.
LLM? Read llms.txt.
Powered by Markdoc