Single sign-on with OneLogin

A domain is the portion of an email address after the @ symbol (such as kavholm.com). You must configure SSO for Stripe for each of your business’s email domains. To verify domain ownership:

1. Go to Single sign-on (SSO) in the Stripe Dashboard, and click + New domain to view your account’s unique verification code.
       stripe-verification=4242424242424242424242
   

2. Add the verification code as a TXT record to your Domain Name System (DNS) provider.
3. Return to the Stripe Dashboard, and click Save and verify. Depending on your DNS provider, it can take 24 hours or more to verify your domain.
4. After successful verification, don’t delete the TXT record from your DNS provider. If you delete it, you might lose access to the Dashboard because Stripe frequently checks the DNS records of your domain.

1. Create a new application to represent the relationship between OneLogin and the Stripe Dashboard. To do so, go to the Applications page, and select Add App.
2. Find the SAML Test Connector (IdP w/ attr w/ sign response) app.

1. Select Save, and go to the Configuration section. Then, enter the following values:
   • Audience: https://dashboard.stripe.com/saml/metadata
   • Recipient: https://dashboard.stripe.com/login/saml/consume
   • Consumer URL Validator: https://dashboard.stripe.com/login/saml/consume
   • Consumer URL: https://dashboard.stripe.com/login/saml/consume
2. Select SSO on the side panel, and set the Signature Algorithm to SHA-256.
3. Save your configuration changes by selecting Save.

Assign roles to your team

To authenticate a team member to Stripe and assign them roles, configure OneLogin to send the roles in the SAML assertions.

1. Go to the Parameters section, and create a new Field
   • Set the Field name to Stripe-Role- . This identifies which account you sign in to.
   • Select Include in SAML assertion.
2. In the next form, select the Dashboard role you want your users to have by default. Select Macro, and input the desired default role in the field below

Stripe prend en charge les rôles suivants. Certains rôles ne sont disponibles que si votre compte utilise le produit Stripe applicable. Pour en savoir plus, consultez la rubrique Rôles utilisateur pris en charge par Stripe.

Support for multiple Stripe accounts

Repeat the previous step and add a parameter for each additional Stripe account. Select Add parameter, use the current account’s token for the Field name and choose the role you want your users to have by default.

The list of account tokens can be found in the Accounts section of your Personal details settings.

1. Go to the Users tab. Here, you can assign team members to your application. You can also configure which Roles a user obtains upon log in.
2. Select the User you want to edit. Then, go to Applications on the side panel.
3. In the next modal that opens, you can configure the roles that a user obtains when they log in. To use multiple roles, add a semicolon after each role. In the following example, the user obtains the analyst and the developer role when they sign in.

Enter values from your identity provider

Next, configure your Stripe account to connect to your identity provider from the User authentication page.

To configure Stripe to connect to your identity provider you need:

• Issuer ID: An identifier of your identity provider.
• Identity provider URL: The URL of your identity provider that your team members are redirected to, so they can authenticate.
• Identity provider certificate: The X.509 certificate that your identity provider signs assertions with.

How to find these values in your identity provider

In OneLogin, you can find these values by navigating to the SSO tab of your application.

Test your configuration

Before saving your settings, a test runs to validate your SSO integration. After you click the Test button, a window opens in your browser that redirects to your identity provider to sign in. After you sign in, the window automatically closes and test results display on the original page.

If the test succeeds, you can save the settings, and select an enforcement mode. If the test fails, modify your configuration to address the issues reported and test the integration again.

Select an enforcement mode for SSO

When using SSO, there are three separate enforcement modes that you can choose from. These affect which methods of authentication your team members can use.

Une fois que vous avez terminé de configurer l’authentification unique, vous pouvez demander à vos utilisateurs de se connecter avec l’une des méthodes suivantes :

Stripe’s sign in page

Users can go to the Stripe sign in page, enter their email, then select Use single sign-on (SSO).

Si un utilisateur a accès à plusieurs comptes, Stripe l’authentifie avec le compte par défaut associé à l’utilisateur. Si un utilisateur n’a accès qu’aux marchands SAML ou n’a accès à aucun marchand, Stripe le redirige vers le fournisseur d’identité, quel que soit le contenu du champ de mot de passe.

IdP-initiated login

Pour utiliser la connexion effectuée par le fournisseur d’identité, votre fournisseur d’identité doit prendre en charge la connexion lancée par le prestataire de services. Vérifiez si cela est possible à l’aide de la documentation de votre fournisseur d’identité.

SSO URL

Use the following login URL with your domain to directly sign in to your account with SSO. This URL includes the domain and account you want to use for SSO authentication. If you change the account token at the end of the URL, it authenticates you against a different account.

https://dashboard.stripe.com/login/saml_direct/domain/{{YOUR_DOMAIN}}/merchant/{{STRIPE_ACCOUNT_ID}}