Setting Up Stripe SSO with Auth0 (SAML) — Complete Guide (Account-Level)
This guide walks through configuring Stripe Single Sign-On (SSO) using Auth0 as the SAML Identity Provider, including role injection, which is the most common failure point.
It covers:
- Auth0 SAML configuration
- Stripe SSO configuration
- Adding Stripe roles using Auth0 Actions
- Troubleshooting with real SAML output
Architecture Overview
- Service Provider (SP): Stripe Dashboard
- Identity Provider (IdP): Auth0
- Protocol: SAML 2.0
- Scope: Single Stripe account (not Organization)
Stripe authenticates users via Auth0 and requires SAML role attributes to grant access.
Prerequisites
- Stripe account admin access
- Auth0 tenant admin access
- Verified email domain in Stripe
- User email domain matches verified domain
- Auth0 Application created for Stripe
Step 1: Verify Domain in Stripe
- Stripe Dashboard → Settings → Team and security → Single sign-on
- Add your email domain (e.g. example.com)
- Add the TXT record Stripe provides to your DNS
- Wait for verification to complete
Stripe will not allow SSO until the domain is verified.
Step 2: Create Auth0 Application for Stripe
- Auth0 Dashboard → Applications → Create Application
- Type: Regular Web Application
- Name: Stripe SSO
- Save
Step 3: Enable SAML2 Web App Addon (Auth0)
- Go to your Auth0 Application
- Open Addons
- Enable SAML2 Web App
- Set Application Callback URL:
https://dashboard.stripe.com/login/saml/consume
Step 4: Configure SAML Settings (DO NOT add roles here)
Paste this exact JSON into the SAML2 Web App → Settings field:
{
  "audience": "https://dashboard.stripe.com/saml/metadata",
  "recipient": "https://dashboard.stripe.com/login/saml/consume",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  },
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "destination": "https://dashboard.stripe.com/login/saml/consume",
  "signResponse": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}
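Important
- Do NOT attempt to add Stripe roles here
- This section configures protocol behavior only
- "signResponse": false does not disable signing: Auth0 signs the SAML assertion rather than the outer response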
Step 5: Configure Stripe to Trust Auth0
In Auth0:
- Open SAML2 Web App → Usage tab
- Copy:
- Issuer
- Identity Provider Login URL
- Certificate
In Stripe:
- Stripe Dashboard → Settings → SSO
- Select your verified domain
- Paste:
- Issuer ID ← Auth0 Issuer
- Identity provider URL ← Auth0 Login URL
- Identity provider certificate ← Auth0 Certificate
- Save
Step 6: Add Stripe Roles Using Auth0 Actions (CRITICAL)
Stripe will reject login unless the SAML assertion contains a role attribute.
Required Attribute Format (Account-Level)
Stripe-Role-acct_1234567890abcdef
Example:
Stripe-Role-acct_1234567890abcdef
Valid role values:
- admin
- developer
- analyst
- view_only
Step 6.1: Create Auth0 Action
- Auth0 Dashboard → Actions → Library
- Click Build Custom
- Trigger: Login / Post Login
- Name: Add Stripe Role to SAML
Step 6.2: Action Code (Recommended)
exports.onExecutePostLogin = async (event, api) => {
  const acctId = "acct_1234567890abcdef";

  // Role stored in app_metadata
  const role = event.user.app_metadata?.stripe_roles?.[acctId];

  if (!role) {
    // Optional during testing
    // api.access.deny("Missing Stripe role");
    return;
  }

  api.samlResponse.setAttribute(`Stripe-Role-${acctId}`, role);
};
Step 6.3: Attach Action to Login Flow
- Auth0 Dashboard → Actions → Flows → Login
- Drag your Action between Login and Token Issuance
- Click Apply
Step 7: Assign Stripe Role to User
Edit the Auth0 user and add app_metadata:
{
  "stripe_roles": {
    "acct_1234567890abcdef": "admin"
  }
}
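A stricter variant of the Step 6.2 Action, as an added example that is not part of the original guide: it only acts for the Stripe application, accepts only the four role values listed above, and denies the login instead of sending an assertion without a usable role. `STRIPE_CLIENT_ID` and the helper `resolveStripeRole` are assumptions introduced here; replace the placeholder with the Client ID of your Stripe SSO application.

```javascript
// Added example: fail-closed, app-scoped variant of the Post Login Action.
const ACCT_ID = "acct_1234567890abcdef"; // placeholder account ID from this guide
const STRIPE_CLIENT_ID = "REPLACE_WITH_STRIPE_SSO_CLIENT_ID"; // assumption: your app's Client ID
const VALID_ROLES = new Set(["admin", "developer", "analyst", "view_only"]);

// Hypothetical helper: decide which role, if any, may be asserted for a user.
function resolveStripeRole(user, acctId) {
  const roles = user && user.app_metadata && user.app_metadata.stripe_roles;
  // Read own properties only, so inherited keys never count as a role.
  const hasEntry = roles != null && Object.prototype.hasOwnProperty.call(roles, acctId);
  const role = hasEntry ? roles[acctId] : undefined;
  if (typeof role !== "string") return { ok: false, reason: "missing" };
  if (!VALID_ROLES.has(role)) return { ok: false, reason: "invalid" };
  return { ok: true, role };
}

async function onExecutePostLogin(event, api) {
  // Login-flow Actions run for every application in the tenant; leave others alone.
  if (event.client.client_id !== STRIPE_CLIENT_ID) return;
  const result = resolveStripeRole(event.user, ACCT_ID);
  if (!result.ok) {
    // Deny instead of emitting an assertion without a usable role attribute.
    api.access.deny(`Stripe role ${result.reason} for ${ACCT_ID}`);
    return;
  }
  api.samlResponse.setAttribute(`Stripe-Role-${ACCT_ID}`, result.role);
}

// Auth0 loads the handler from exports; the guard keeps the file runnable elsewhere.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

Because the role comes from app_metadata, anyone who can edit users in the Auth0 tenant can grant Stripe admin, so restrict and audit that permission accordingly.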
Step 8: Test SSO in Stripe
- Go to Stripe → SSO Settings
- Click Test SSO
- Authenticate via Auth0
Expected Stripe Test Results
✅ Validate SAML request has not expired
✅ Receive valid SAML response
✅ Validate issuer ID
✅ Validate identity provider URL
✅ Validate identity provider certificate
✅ Verify user access to domain
✅ Receive role assertion in SAML response
✅ Validate role assignments
Step 9: Verify the SAML Assertion
Your SAML response must include:
<saml:Attribute Name="Stripe-Role-acct_1234567890abcdef">
  <saml:AttributeValue>admin</saml:AttributeValue>
</saml:Attribute>
If this is missing, Stripe login will fail.
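A Node.js check for this step, as an added example that is not part of the original guide: it looks for the role attribute in a decoded assertion and compares Audience and Recipient with the values from Step 4. The function names and the sample assertion are constructed for illustration, and the check is a troubleshooting aid that does not validate the XML signature.

```javascript
// Added example: structural check of a decoded SAML assertion. It does not
// verify the XML signature; it only confirms the fields this guide configures.
const EXPECTED = {
  audience: "https://dashboard.stripe.com/saml/metadata",
  recipient: "https://dashboard.stripe.com/login/saml/consume",
  roles: ["admin", "developer", "analyst", "view_only"],
};

// The SAMLResponse form field of the HTTP-POST binding is base64-encoded XML.
const decodeSamlResponse = (b64) => Buffer.from(b64, "base64").toString("utf8");

// Map every <Attribute Name="..."> to its values, whatever the namespace prefix.
function samlAttributes(xml) {
  const attrRe = /<(?:\w+:)?Attribute(?=\s)[^>]*?\sName="([^"]+)"[^>]*>([\s\S]*?)<\/(?:\w+:)?Attribute>/g;
  const valueRe = /<(?:\w+:)?AttributeValue[^>]*>([^<]*)<\/(?:\w+:)?AttributeValue>/g;
  const attrs = new Map();
  for (const m of xml.matchAll(attrRe)) {
    attrs.set(m[1], [...m[2].matchAll(valueRe)].map((v) => v[1].trim()));
  }
  return attrs;
}

// Hypothetical helper: returns a list of problems, empty when the assertion looks right.
function checkStripeAssertion(xml, acctId) {
  const problems = [];
  const name = `Stripe-Role-${acctId}`;
  const values = samlAttributes(xml).get(name) || [];
  const bad = values.filter((v) => !EXPECTED.roles.includes(v));
  if (values.length === 0) problems.push(`missing attribute ${name}`);
  if (bad.length > 0) problems.push(`invalid role value: ${bad.join(", ")}`);
  const audience = (xml.match(/<(?:\w+:)?Audience>([^<]*)</) || [])[1];
  if (audience !== EXPECTED.audience) problems.push(`unexpected Audience: ${audience}`);
  const recipient = (xml.match(/\sRecipient="([^"]*)"/) || [])[1];
  if (recipient !== EXPECTED.recipient) problems.push(`unexpected Recipient: ${recipient}`);
  return problems;
}

// Constructed sample, trimmed to the elements checked above.
const SAMPLE_ASSERTION = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://dashboard.stripe.com/login/saml/consume"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://dashboard.stripe.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="Stripe-Role-acct_1234567890abcdef">
    <saml:AttributeValue>admin</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>`;
```

Pass the base64 SAMLResponse captured from the browser's POST to the callback URL through `decodeSamlResponse` first; a captured response contains user identifiers, so handle it as sensitive data.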
Common Errors & Fixes
❌ “Receive role assertion in SAML response”
Cause: Role attribute missing
Fix: Ensure Auth0 Action runs and role exists in app_metadata
❌ Action runs but attribute missing
Causes
- Action not applied to Login Flow
- Wrong Auth0 application
- Testing non-SAML app
❌ api.samlResponse undefined
Cause: Not using SAML2 Web App addon
Fix: Ensure Stripe points to the SAML-enabled Auth0 app
Enforcement Options in Stripe
Once working:
- Optional – Password or SSO
- Required – SSO only (recommended for production)
Final Checklist
✔ Domain verified in Stripe
✔ Auth0 SAML addon configured
✔ Stripe trusts Auth0 IdP
✔ Auth0 Action injects Stripe-Role-acct_*
✔ User has role in app_metadata
✔ Stripe Test SSO passes fully
Conclusion
Stripe SSO with Auth0 fails silently without role attributes.
The single most important step is injecting the correct Stripe-Role-acct_<id> attribute using Auth0 Actions.
Once roles are present, Stripe SSO is stable, secure, and production-ready.