Single sign-on with Auth0

A domain is the portion of an email address after the @ symbol (such as kavholm.com). You must configure SSO for Stripe for each of your business’s email domains. To verify domain ownership:

1. Navigate to Single sign-on (SSO) in the Stripe Dashboard, and click + New domain to view your account’s unique verification code.
       stripe-verification=4242424242424242424242
   

2. Add the verification code as a TXT record to your Domain Name System (DNS) provider.
3. Return to the Stripe Dashboard, and click Save and verify. Depending on your DNS provider, it can take 24 hours or more to verify your domain.
4. After successful verification, don’t delete the TXT record from your DNS provider. If you delete it, you might lose access to the Dashboard because Stripe frequently checks the DNS records of your domain.

Follow these steps to create an application.

1. Create a new application to represent the relationship between Auth0 and the Stripe Dashboard. To do this, navigate to your Auth0 dashboard and click Create Application.

1. Set the Name field and then select Regular Web Applications. Select Create to make your Auth0 application for Stripe authentication.

1. Navigate to the Addons tab and select SAML2 web app.

• In the window that opens, set https://dashboard.stripe.com/login/saml/consume as the Application Callback URL.
• Replace the contents of the Settings box with the following JSON information and then select Enable.

{
  "audience": "https://dashboard.stripe.com/saml/metadata",
  "recipient": "https://dashboard.stripe.com/login/saml/consume",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  },
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "destination": "https://dashboard.stripe.com/login/saml/consume",
  "signResponse": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

Assign roles to your team

The following setup is an example of how to set up dynamic roles. As long as the SAML Response contains the appropriate fields, Stripe grants the corresponding roles in the Stripe Dashboard. See Auth0’s documentation for more information on dynamic roles.

1. In the Auth Pipeline section, navigate to the Rules section, and then select Create Rule.

1. Choose the empty rule template, at the beginning of the page.

1. Set your rule name (for example, “SAML attribute mapping”) and then paste the following JavaScript code in the online editor. Then, click Save.

This script configures the Stripe roles you want to support in the Stripe Dashboard per Stripe account. You must include your team members’ roles as an attribute statement in any assertion that you send to Stripe. You can dynamically assign your team members different sets of roles per Stripe account. In the snippet example provided, Stripe assigns a newly signed-in user the default role view_only. If a user’s assertion doesn’t contain any role attribute statements, that user can’t log in through their identity provider.

function (user, context, callback) {
  // If there's no user app_metadata, create it.
  if (typeof (user.app_metadata) === 'undefined') {
    user.app_metadata = {};
  }

  // If the user doesn't have roles for the account, add a default value.
  if (typeof (user.app_metadata.) === 'undefined') {
    user.app_metadata. = ['view_only'];
  }

  // Add a mapping from app_metadata to the required SAML attribute.
  context.samlConfiguration.mappings = {
    "Stripe-Role-": "app_metadata."
  };

  callback(null, user, context);
}

1. Navigate to the Users tab, where you can assign team member roles for your application.

You can also override the Stripe Dashboard roles for your team members by updating the app_metadata field on Auth0. Set the metadata value to the roles for your team members. Add entries for each Stripe account that needs access.

Stripe supports the following roles. Some of these roles are only available if your account uses the applicable Stripe product. For more information, see User roles supported by Stripe.

Multiple Stripe accounts

If you have team members with multiple Stripe accounts, update the JavaScript rule to handle several accounts.

function (user, context, callback) {
  // If there's no user app_metadata, create it.
  if (typeof (user.app_metadata) === 'undefined') {
    user.app_metadata = {};
  }

  // If the user doesn't have roles for the accounts, add a default value.
  if (typeof (user.app_metadata.acct_1234}) === 'undefined') {
    user.app_metadata.acct_1234} = ['view_only'];
  }
  if (typeof (user.app_metadata.acct_5678}) === 'undefined') {
    user.app_metadata.acct_5678} = ['view_only'];
  }

  // Add a mapping from app_metadata to the required SAML attribute.
  context.samlConfiguration.mappings = {
    "Stripe-Role-acct_1234": "app_metadata.acct_1234"
    "Stripe-Role-acct_5678": "app_metadata.acct_5678"
  };

  callback(null, user, context);
}

In the user profiles, add one entry per account in the app_metadata field.

The following example shows user app metadata that is associated with two Stripe accounts. The team member has the both analyst and developer roles for the first account, and the role view_only for the second account.

{
  "acct_1234": [
    "analyst",
    "developer"
  ],
  "acct_5678": [
    "view_only",
  ]
}

You can find the list of account tokens in the Accounts section of your Personal details settings.

Configure your Stripe account to connect to your identity provider from the User authentication page.

To configure Stripe to connect to your identity provider you need:

• Issuer ID: An identifier of your identity provider.
• Identity provider URL: The URL of your identity provider that your team members are redirected to, so they can authenticate.
• Identity provider certificate: The X.509 certificate that your identity provider uses to signs assertions.

Find these values in your identity provider

In Auth0, navigate to the settings in the Applications menu. Select your application name, then navigate to the Addons tab, select the SAML2 button, then select the Usage tab.

Test your configuration

Before saving your settings, a test runs to validate your SSO integration. After you click the Test button, a window opens in your browser that redirects to your identity provider to sign in. After you sign in, the window automatically closes and test results display on the original page.

If the test succeeds, you can save the settings, and select an enforcement mode. If the test fails, modify your configuration to address the issues reported and test the integration again.

Select an enforcement mode for SSO

When using SSO, there are three separate enforcement modes that you can choose from. These affect which methods of authentication your team members can use.

After you finish configuring SSO, you can inform your users to sign in with any of these methods:

Stripe’s sign in page

Users can navigate to the Stripe sign in page, enter their email, then select Use single sign-on (SSO).

If a user has access to multiple accounts, Stripe authenticates them with the default account connected to the user. If a user only has access to SAML merchants, or doesn’t have access to any merchants, Stripe redirects them to the IdP, regardless of the contents in the password field.

IdP-initiated login

To use IdP-initiated login, your IdP needs to support Service Provider-initiated login. Verify if this is possible using your IdP’s documentation.

SSO URL

Use the following login URL with your domain to directly sign in to your account with SSO. This URL includes the domain and account you want to use for SSO authentication. If you change the account token at the end of the URL, it authenticates you against a different account.

https://dashboard.stripe.com/login/saml_direct/domain/{{YOUR_DOMAIN}}/merchant/{{STRIPE_ACCOUNT_ID}}