Setting up single sign-on (SSO) and login controls in Ramp

Note: This article is for Ramp Administrators and IT Admins. Cardholders and other users may find the Getting started section more applicable.

Overview

Single sign-on (SSO) lets your team sign in to Ramp using their existing company credentials instead of a separate password. Ramp supports Google SSO and SAML-based authentication with providers like Okta, Microsoft Entra ID, JumpCloud, and OneLogin.

This article covers how to set up SSO, configure SAML identity providers, and manage which sign-in methods are available to each user role. All of these settings are managed from Settings > Company settings > Security.

Google SSO

Google SSO is available by default for users whose email addresses are on a Google Workspace domain. No setup is required — users with eligible email addresses can select Sign in with Google on the Ramp sign-in page.

Admins can disable Google SSO for specific roles through sign-in controls, as long as at least one other sign-in method remains enabled for that role.

Google Workspace SAML

Google SSO (the default sign-in option) is separate from Google Workspace SAML. If your organization uses Google Workspace as a SAML identity provider, configure it using the Custom identity provider option in the SAML setup flow — not the Google SSO toggle.

SAML SSO

SAML (Security Assertion Markup Language) authentication lets you connect Ramp to your organization's identity provider. Once configured, users authenticate through your IdP and are signed into Ramp automatically.

Setting up a SAML provider

To begin SAML setup:

  1. Go to Settings > Company settings > Security.
  2. In the Identity providers section, select Begin setup (or Add provider if you already have a provider configured).

[Screenshot: Identity providers section in Ramp security settings showing the Begin setup button]

You will be prompted to choose a provider. Ramp offers guided setup flows for the following providers:

[Screenshot: SAML provider selection screen showing Okta, Microsoft Entra ID, JumpCloud, OneLogin, and Custom identity provider options]

Each provider has a step-by-step wizard that walks you through configuration in both Ramp and your identity provider.

Note: Only users who exist in your identity provider will be able to sign in to Ramp using SAML.

Custom identity providers

For any SAML provider not listed above — including Google Workspace SAML — select Custom identity provider and follow the in-app instructions. The setup flow will guide you through the configuration steps needed in both Ramp and your identity provider.

Note: Some providers, such as Google Workspace, require you to host the metadata file yourself during initial setup to provide a metadata URL. Once the integration is configured, self-hosting is no longer needed.

Supporting multiple domains

During SAML setup (and after), you can specify which email domains should use the SAML provider. You can assign multiple domains to a single provider, as long as:

  1. A user with that email domain has an active Ramp account.
  2. The domain is not already assigned to another SAML provider. In the standard setup, each domain can only be associated with one provider. If you need to share one domain across multiple Ramp businesses, see Sharing an SSO domain across multiple Ramp businesses.

[Screenshot: Domain configuration screen showing assigned email domains for a SAML provider]

Managing an existing provider

After a SAML provider is configured, admins can view and update the metadata URL and configuration settings from the Identity providers section.

To remove a SAML provider, all roles must have at least one other sign-in method enabled. You cannot delete a provider if it is the sole sign-in method for any role. If you need to remove it, first enable an alternative method (such as Password or Google SSO) for all affected roles through sign-in controls.

Sign-in controls

Sign-in controls let you specify which authentication methods are available to each user role. You can manage these settings from Settings > Company settings > Security, then select Configure under Account access.

Setting sign-in methods by role

In the sign-in methods drawer, you can enable or disable Password, Google SSO, and SAML for each user role using the multi-select dropdown.

[Screenshot: Sign-in methods role configuration showing available authentication methods per user role]

We strongly recommend requiring SSO for all roles except Guest users. To remove a sign-in method from a role, select the x next to the method. Every role must have at least one sign-in method enabled — Ramp enforces this automatically.

In the example above, Cardholders and Accounting roles can only sign in with Okta SSO, while IT Admins, Admins, Owners, and Guests have Password as an additional option.

Guest user password requirement

Guest users must always have password sign-in enabled. Because Guest users are external to your organization and may not have access to your SSO provider, Ramp enforces password authentication for this role. You can enable additional methods for Guests, but you cannot remove password.

Exception list for individual users

Some users may need password access even if their role is configured for SSO only — for example, external contractors or executives who need a fallback sign-in method.

To manage exceptions, open the Exceptions tab in the sign-in methods drawer. From there, you can add individual users who should retain password sign-in regardless of their role's settings.

[Screenshot: Exception list interface for adding individual users who retain password sign-in access]

Passkeys and sign-in controls

Passkeys are not configurable per role. Passkey availability is tied to whether password sign-in is enabled — if a role has password sign-in, passkeys are available as an additional sign-in option. For more details, see Signing in with Passkeys.
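
The rules in this section and in the SAML sections above can be checked against a written-down copy of your configuration before you change anything. The following is an added example, not Ramp's code or a Ramp API: the data layout, function names, provider labels, and sample domains are assumptions constructed for illustration. It flags roles that still allow password sign-in, lists the roles that would block deletion of a SAML provider, and finds domains assigned to more than one provider.

```python
# Added illustration of the rules in this article. The data layout and
# function names are assumptions; this is not a Ramp API or export format.
GUEST = "Guest"

def audit_sign_in_policy(role_methods, exceptions=()):
    """Check a role -> set-of-methods mapping; return (errors, warnings)."""
    errors, warnings = [], []
    for role, methods in role_methods.items():
        if not methods:
            errors.append(f"{role}: no sign-in method enabled")
        if role == GUEST and "Password" not in methods:
            errors.append(f"{role}: password sign-in cannot be removed")
        if role != GUEST and "Password" in methods:
            # Password on a role also makes passkeys available to it.
            warnings.append(f"{role}: password and passkeys allowed, SSO not required")
    for user in exceptions:
        warnings.append(f"{user}: exception, keeps password sign-in")
    return errors, warnings

def roles_blocking_saml_removal(role_methods):
    """Roles whose only method is SAML; the provider cannot be deleted
    until each of these has another method enabled."""
    return sorted(r for r, m in role_methods.items() if set(m) == {"SAML"})

def duplicate_domains(provider_domains):
    """Domains assigned to more than one provider (not allowed in the
    standard setup)."""
    seen, dupes = {}, set()
    for provider, domains in provider_domains.items():
        for d in (x.lower() for x in domains):
            if seen.setdefault(d, provider) != provider:
                dupes.add(d)
    return sorted(dupes)

# Constructed sample mirroring the example described in the article.
SAMPLE_ROLES = {
    "Cardholder": {"SAML"}, "Accounting": {"SAML"},
    "IT Admin": {"SAML", "Password"}, "Admin": {"SAML", "Password"},
    "Owner": {"SAML", "Password"}, "Guest": {"SAML", "Password"},
}
SAMPLE_DOMAINS = {"okta-main": ["example.com", "example.org"],
                  "custom-idp": ["Example.org"]}  # constructed conflict

if __name__ == "__main__":
    errs, warns = audit_sign_in_policy(SAMPLE_ROLES, ["contractor@example.net"])
    print("errors:", errs)
    print("warnings:", warns)
    print("blocks SAML removal:", roles_blocking_saml_removal(SAMPLE_ROLES))
    print("duplicate domains:", duplicate_domains(SAMPLE_DOMAINS))
```

Warnings are review items rather than violations: a role that keeps Password is allowed by Ramp but falls short of the recommendation to require SSO for all roles except Guest.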

Frequently asked questions

Can I have multiple SAML providers?

Yes. Ramp supports multiple SAML providers, with each provider assigned to one or more email domains. In the standard setup, each domain can only be associated with one provider. If your organization needs to share one domain across multiple Ramp businesses, see Sharing an SSO domain across multiple Ramp businesses.

Does Ramp support IdP-initiated SAML?

No. Ramp supports only SP-initiated (service-provider-initiated) SAML, where the sign-in flow starts from the Ramp sign-in page. If your identity provider has a Ramp tile or bookmark, it should be configured to redirect to Ramp's sign-in URL, which then initiates the SAML flow. For more details, see SAML IdP-initiated sign-ins.

Can I require passkeys for specific roles?

Not directly. Passkeys are available as a sign-in option whenever password sign-in is enabled for a role. There is no separate toggle to require or restrict passkeys independently. See Signing in with Passkeys for more information.

What happens if I try to delete my SAML provider?

If any role relies on SAML as its only sign-in method, Ramp will block the deletion. You will need to enable an alternative sign-in method for all affected roles before you can remove the provider. Go to sign-in controls to update role settings first.

What if an employee's email domain does not match the SAML provider?

If a user tries to sign in with SAML but their email domain is not associated with any configured SAML provider, they may be blocked from signing in. Contact your IT administrator to verify that the user's domain is assigned to the correct provider, or add the domain to an existing SAML configuration.

A new user is getting an error when accepting their invite with SAML SSO. What should I check?

When a user accepts an invite and your organization uses SAML authentication, several things must align:

Common errors include:

For step-by-step help with accepting an invite and signing in, see Signing in to Ramp for the first time.

I am having trouble signing in. Where can I get help?

For sign-in and MFA issues, see Troubleshooting Ramp sign-in and MFA issues. If you need to reach Ramp directly, see How to contact Ramp's Support team.