Integrate with Stripe

Support level: Community

What is Stripe

Stripe is a financial infrastructure platform that enables businesses to accept online and in-person payments, embed financial services, and build custom revenue models.

-- https://stripe.com

Preparation

The following placeholders are used in this guide:

• authentik.company is the FQDN of the authentik installation.

note

This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.

authentik configuration

To support the integration of Stripe with authentik, you need to create a group, a property mapping, and an application/provider pair in authentik.

Create a user group in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to Directory > Groups and click Create.
3. Set a name for the group (e.g. Stripe Admins).
4. In the Attributes field enter: stripe_role: admin. Other account types are also supported, see the Stripe SSO Documentation
5. Click Create.
6. Then, click the name of the newly created group and navigate to the Users tab.
7. Click Add existing user, select the user that needs Wazuh admin access and click Add.

Create a property mapping in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.

2. Navigate to Customization > Property Mappings and click Create. Then, create a SAML Provider Property Mapping using the following settings:

   • Name: Stripe Role
   • SAML Attribute Name: Stripe-Role-acct-<stripe-account-id>
   • Friendly Name: Leave blank
   • Expression:

   return request.user.group_attributes().get("stripe_role", "")
   note

   To find your Stripe account ID, log in to your Stripe dashboard and navigate to Settings > Account > Account details. You'll find your account ID, which starts with acct_, displayed on the right-hand side.

Create an application and provider in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.

2. Navigate to Applications > Applications and click Create with Provider to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)

   • Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.

   • Choose a Provider type: select SAML Provider as the provider type.

   • Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.

     • Set the ACS URL to https://dashboard.stripe.com/login/saml/consume.
     • Set the Audience to https://dashboard.stripe.com/saml/metadata.
     • Set the Service Provider Binding to Post.
     • Under Advanced protocol settings:
       • Set an available signing certificate.
       • Add the previously created Stripe Role property mapping to Selected User Property Mappings.
       • Set NameID Property Mapping to authentik default SAML Mapping: Email.

   • Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's My applications page.

3. Click Submit to save the new application and provider.

Download certificate file

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to Applications > Providers and click on the name of the provider that you created in the previous section (e.g. Provider for Stripe).
3. Under Related objects > Download signing certificate, click on Download. This downloaded file is your Certificate file and it will be required in the next section.

Stripe configuration

1. Log in to the Stripe administrator user authentication page as an administrator.

2. Click on the Settings cogwheel, and navigate to Team and security > Single sign-on (SSO).

3. Click Add domain, then input the domain that SSO users will use. For more information, see the Stripe Proving Domain Owenership documentation.

4. Once your domain is verified, click on the 3 dots next to the domain name, and click Manage SSO Settings.

5. Enter the following settings:

   • Identity Provider URL: https://auth.domain.com/application/saml/stripe/sso/binding/redirect/
   • Issuer ID: authentik
   • Identity Provider Certificate: Paste in the contents of your authentik signing certificate.

6. Click Continue.

7. Enter the email address of an authentik user designated for testing the SSO configuration and click Continue. Ensure that the user belongs to the appropriate authentik group. After logging in on authentik, you will be redirected back to Stripe.

8. If the test is successful, click Continue. Otherwise, verify your configuration and try again.

9. Choose the SSO Enforcement setting. Selecting Required mandates that users use authentik to log in, whereas Optional allows users to choose between authentik and the standard Stripe login.

10. Click Save.

Configuration verification

To verify that authentik is properly integrated with Stripe, first sign out of your account. Then, navigate to the Stripe dashboard login page and then click Sign in with SSO. Enter an email address that’s provisioned for SSO, and click Continue with SSO. You will then be redirected to authentik for authentication before being sent back to the Stripe dashboard.

Resources

• Stripe documentation - Single sign-on with a SAML provider