Integrate with Stripe
Support level: Community
What is Stripe?
Stripe is a financial infrastructure platform that enables businesses to accept online and in-person payments, embed financial services, and build custom revenue models.
Preparation
The following placeholders are used in this guide:
- authentik.company is the FQDN of the authentik installation.
- example.com is the email domain that you verify for Stripe SSO.
- stripe_account_id is the Stripe account ID to configure, such as acct_....
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
Stripe requires a verified email domain before SSO can be enabled.
authentik configuration
To support the integration of Stripe with authentik, create a group, a property mapping, and an application/provider pair in authentik.
Create a user group
Use a group attribute to define the Stripe role that authentik sends for each user.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Directory > Groups and click Create.
- Set a descriptive group name, such as Stripe Admins.
- In the Attributes field, set the Stripe role for members of this group:
    stripe_role: admin
  Use the Stripe role value that members of this group should receive, such as admin, developer, or view_only. Stripe lists the available role values in their SSO documentation.
- Click Create.
- Click the name of the newly created group and navigate to the Users tab.
- Click Add existing user, select the user that needs Stripe access, and click Add.
Create a property mapping
authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/
Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Customization > Property Mappings and click Create.
- Select SAML Provider Property Mapping and click Next.
- Configure the property mapping with the following settings:
  - Name: Stripe Role
  - SAML Attribute Name: Stripe-Role-<stripe_account_id>
  - Friendly Name: leave blank.
  - Expression:
      return request.user.group_attributes(request).get("stripe_role", "")
- Click Finish to save the property mapping.
For organization-level SSO, use Stripe-Role-<stripe_organization_id> as the SAML attribute name instead of Stripe-Role-<stripe_account_id>.
Create an application and provider pair
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to create an application and provider pair.
  - Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the Slug value because it is required later.
    - Under UI Settings, set Launch URL to https://dashboard.stripe.com/login/saml_direct/domain/example.com/merchant/<stripe_account_id>.
  - Choose a Provider type: select SAML Provider as the provider type.
  - Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Set the ACS URL to https://dashboard.stripe.com/login/saml/consume.
    - Set the Audience to https://dashboard.stripe.com/saml/metadata.
    - Under Advanced protocol settings:
      - Select an available Signing Certificate.
      - Set NameID Property Mapping to authentik default SAML Mapping: Email.
      - Add the Stripe Role property mapping to Selected User Property Mappings.
  - Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
Download the signing certificate
- Navigate to Applications > Providers and click the name of the SAML provider that you created.
- Under Related objects > Download signing certificate, click Download. This certificate file is required in the next section.
Stripe configuration
This guide expects that you have already verified example.com for SSO in Stripe.
- Log in to the Stripe Dashboard as an administrator.
- Click the Settings cogwheel, then navigate to Team and security > Single sign-on (SSO).
- Open the SSO settings for your verified domain.
- Enter the following settings:
  - Identity provider URL: https://authentik.company/application/saml/<application_slug>/
  - Issuer ID: https://authentik.company/application/saml/<application_slug>/metadata/
  - Identity provider certificate: paste the contents of the authentik signing certificate.
- Click Test and complete the SSO test with a Stripe user whose email address belongs to the verified domain and who has the required Stripe role attribute from authentik.
- If the test succeeds, save the settings and choose the appropriate SSO enforcement mode.
Do not require SSO until the users who need Stripe access are assigned to the Stripe application in authentik and receive a valid Stripe role attribute. If users do not receive a valid role attribute, Stripe rejects the login.
Configuration verification
To confirm that authentik is properly configured with Stripe, open the Stripe application from the authentik Application Dashboard. You should be redirected to authentik for authentication and then to the Stripe Dashboard.