Cardholders may find other articles in the Ramp overview section to be more applicable.
Overview
Ramp supports single sign-on (SSO) and Security Assertion Markup Language (SAML) authentication for users to log in to the application. We support several providers: Okta, Microsoft, OneLogin, JumpCloud, and Google (SSO only).
Jump to:
- Overview
- SAML authentication methods
- Google (SSO only)
- Configuring login controls
- Customize authentication methods
- Sept 2024 update
SAML authentication methods
Setup instructions for each SAML provider can be found in the Company Settings > Security tab. Click on the provider below to view the setup guides:
When you set up a SAML authentication method, only users in your identity provider (IdP) will be able to log into Ramp using the SAML method.
Additionally, when a SAML method is configured, we will automatically disable password authentication for all users except Guest users. See Configuring login controls below for more information on enabling/disabling login methods for each user type.
Google (SSO only)
Ramp automatically enables Google SSO for your account. When Google SSO is enabled, any user who's invited to your account with a G Suite email address can use Google SSO to log into Ramp.
Configuring login controls
You can enable and disable login methods for your employees based on their user roles. We strongly recommend requiring SSO for all user types except for Guest users. Guest users will always be allowed to log in with email and password; you can enable other methods for Guests, but password login cannot be disabled.
Customize authentication methods
Every user role must have at least one login method enabled. When your users log in to Ramp, they will only be shown the approved methods for their role type. In other words, in the screenshot below, Cardholders can log in with Google SSO or Okta SSO, so when Cardholders log into Ramp, they will only be prompted with those options to log in. Admins can only log in using Okta SSO, and will only be prompted with Okta to log in.
You can configure these by clicking on the authentication method and toggling user roles on or off. (See "To require SSO" below.)
To require SSO:
- Go to: Settings > Security
- Under Account access > Ramp credentials, click on "Password"
- From "Password authentication settings," disable passwords for all user roles (see screenshot below)
- Click "Save Changes"
Password authentication will then be disabled for all employees, and your Ramp account is more secure!
Sept 2024 update
Starting in September 2024, admins will begin seeing an updated SAML configuration flow.
As part of this update, admins will be able to set up SAML integrations with any partner, not just the ones with a preset guide.
Configuring SAML will no longer disable password authentication by default for all non-guest users. Admins can customize login methods by user role.
Additionally, once the identity provider is integrated, admins can view the Metadata URL and configuration settings. Note: admins cannot delete the identity provider if it is the sole login method for any non-guest user!