Cardholders may find other articles in the Ramp overview section to be more applicable.
Overview
Ramp supports single sign-on (SSO) and Security Assertion Markup Language (SAML) authentication for users to log in to the application. We support Google SSO by default, and have integrations with all SAML providers including Okta, Microsoft, OneLogin, and JumpCloud.
Jump to:
- Google (SSO only)
- SAML authentication methods
- Configuring login controls
- Supporting multiple domains
- Managing the provider setup
Google (SSO only)
Ramp automatically enables Google SSO for your account. When Google SSO is enabled, any user who's invited to your account with a G Suite email address can use Google SSO to log into Ramp.
If you use Google Workspace (Google's SAML product), you can configure it in Ramp using the Custom identity provider option within the SAML authentication instructions below.
SAML authentication methods
To set up an integration with a SAML provider, go to Settings > Company settings, open the Security tab, then click Begin setup (or Add provider if you already have one set up) in the Identity providers section.
From there, you will see options for SAML providers for which we have customized guides, as well as the Custom identity provider option where we support integrations for any other provider not listed.
Each setup flow comes with customized step-by-step guides, which you can separately view below:
- Microsoft Entra ID Help Center article
- Okta SSO Help Center article
- OneLogin in-app guide (requires authentication into the Ramp app)
- JumpCloud in-app guide (requires authentication into the Ramp app)
Note: When you set up a SAML authentication method, only users in your IdP will be able to log into Ramp using the SAML method.
Custom identity providers
For any provider not listed (e.g. Google SAML), you can follow the step-by-step instructions in the Ramp setup flow after clicking Custom identity provider. Note that there will be instructions for tasks to complete in the SAML app in addition to Ramp.
Note: For some SAML providers such as Google Workspace, you will need to self-host the metadata file during the initial setup in order to provide a URL in the setup flow. Once the integration is properly set up, the hosted file is no longer needed.
Configuring login controls
You can enable and disable login methods for your employees based on their user roles by clicking Login methods. We strongly recommend requiring SSO for all user types except for Guest users. Guest users will always be allowed to log in with email and password; you can enable other methods for Guests, but password login cannot be disabled.
Once you have enabled multiple login options, you can remove Password by clicking the x on the right-hand side of the pill. Note that every user role must have at least one login method enabled. In the example below, Cardholders and Bookkeepers can only log in with Okta SSO, while IT admins, Admins, Owners, and Guests have the additional option of Password.
Supporting multiple domains
During the SAML setup flow and post-setup (see below), admins can specify the domains for which they want the SAML provider to be enabled. Note that multiple domains are allowed per provider, so long as:
- A user from that email domain has an active Ramp account
- That domain is not in use by another SAML provider
Managing the provider setup
Once the identity provider is integrated, admins can view the Metadata URL and configuration settings (see above).
Note: admins cannot delete the identity provider if it is the sole login method for any non-guest user!