SSO/SAML
SSO/SAML support is available for Enterprise teams. Note that this functionality first needs to be enabled for your organization by the Runway team. Get in touch if needed, and we'll get this set up.
Runway uses WorkOS to provide SSO/SAML capabilities to our teams, for a wide range of identity providers.
Setup and configuration are simple, and can be performed following the steps below.
The Runway user executing these steps must have the IT Admin role, which needs to be assigned by the Runway team. Let us know the email address of the person in your organization who will be completing SSO/SAML setup and we’ll assign the role.
Sign in to Runway using existing email/password credentials for an account that has the IT Admin role.
Navigate to your organization’s settings by clicking on your organization avatar in the main navigation bar.
On the organization settings page, navigate to the SSO/SAML tab. You’ll see an SSO module at the top that shows your current SSO connection status, and a button that redirects to the SSO admin portal. The status will read Not Connected until your IT admin has configured the SSO integration.
Click on the SSO admin portal button and follow the instructions in the WorkOS setup flow to configure your SSO connection.
Once you’ve completed the SSO connection setup process, you will be redirected back to Runway, where your SSO connection status should now show as Active.
Signing in to Runway with email and password will be disabled by default once SSO/SAML is enabled. If you’d still like to allow email and password sign-in alongside SSO/SAML as an option, let us know and we’ll enable it.
Directory Sync allows your organization to manage Runway users, roles and (optionally) app membership from your company's central user directory. By enabling Directory Sync, your Runway organization can be automatically kept in sync with your company directory so it can be the source of truth for Runway users and their access levels. Directory Sync can only be configured by a Runway user with the IT Admin permission.
In the Organization settings page, navigate to the SSO/SAML tab. You’ll see a module labeled Directory Sync with an initial status of Inactive.
Click the button labeled Directory Sync admin portal. You’ll be redirected to an admin portal hosted by Runway’s SSO/SAML provider, WorkOS. Follow the instructions in the Directory Sync setup flow to configure the Directory Sync connection.
You will then be redirected back to Runway, where the Directory Sync status should read Connected.
If groups have been created in your identity provider, you’ll see them populated under the Groups to Runway user roles table.
For each group, configure the mapping under Groups to Runway user roles so that users who belong to the group are automatically assigned the corresponding Runway role.
Once setup is complete, Runway will automatically sync Runway user roles based on each user's configured groups. Additionally, users will be automatically provisioned and deprovisioned in Runway as needed using your directory provider as the source of truth.
Once Directory Sync has been successfully connected, managing Runway user roles from the Runway dashboard will be disabled – your directory provider should be the source of truth for Runway user roles going forward. Removing users from your Runway organization will also be disabled – removing users should be done from your directory provider, which will automatically propagate to Runway.
By default, all new users added to Runway are automatically added as members to all apps in your Runway organization. With Directory Sync, you can optionally choose to leverage your directory provider to manage which apps in Runway new users are added to.
In your directory provider, add a custom attribute to your user model to represent the apps in Runway the user should be a member of (we recommend an attribute named runway_apps). The field should be an array of strings. Runway will use this field to assign users to the correct apps in Runway.
For each User in your directory, populate the runway_apps field with correct app IDs – note that the app IDs populated in the runway_apps field must match one of the app IDs for your organization’s apps in Runway. You can find each app’s app ID under App settings > General > App identifier for each app in Runway.
Alternatively, you can set up a rule at the Group level to populate the runway_apps field for each user that belongs to the group.
Head to the Directory Sync admin portal in WorkOS by navigating to Organization settings > SSO/SAML > Directory Sync admin portal. In the section titled Attribute Mapping, fill in the name of your custom attribute in the Directory Provider Value field.
Once configured, Runway will read from your custom attribute to populate the runway_apps field in Runway and sync the user's app membership to match what's defined in your directory provider.
If the runway_apps field is detected on any user, the setting to Add new users to all apps (found in Organization Settings > Team) will be automatically disabled – your directory provider will be considered the source of truth for app membership going forward.
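As an added example (not Runway's or WorkOS's code), the following pre-sync check runs over a directory export and flags runway_apps values that are not arrays of strings or that contain app IDs not present in your Runway organization. The export record shape, the app IDs and the users below are constructed for illustration.

```python
import json

# Constructed placeholder app IDs; in practice, copy them from
# App settings > General > App identifier for each app in Runway.
KNOWN_APP_IDS = {"com.example.ios", "com.example.android"}

# Constructed directory export; the record shape is an assumption.
SAMPLE_EXPORT = json.loads("""
[
  {"email": "ana@example.com", "runway_apps": ["com.example.ios"]},
  {"email": "ben@example.com", "runway_apps": "com.example.ios"},
  {"email": "cho@example.com", "runway_apps": ["com.example.ios", "com.example.web"]},
  {"email": "dee@example.com"},
  {"email": "eli@example.com", "runway_apps": ["com.example.android", 42]}
]
""")


def audit_user(user, known_ids, attr="runway_apps"):
    """Return a list of problems with one user's app-membership attribute."""
    if attr not in user:
        return ["attribute missing"]
    value = user[attr]
    if not isinstance(value, list):
        return [f"expected array of strings, got {type(value).__name__}"]
    problems = []
    for item in value:
        if not isinstance(item, str):
            problems.append(f"non-string entry: {item!r}")
        elif item not in known_ids:
            problems.append(f"unknown app ID: {item}")
    return problems


def audit_export(users, known_ids):
    """Map each user's email to its problems; users with none are omitted."""
    report = {}
    for user in users:
        problems = audit_user(user, known_ids)
        if problems:
            report[user.get("email", "<no email>")] = problems
    return report


if __name__ == "__main__":
    for email, problems in audit_export(SAMPLE_EXPORT, KNOWN_APP_IDS).items():
        print(f"{email}: {'; '.join(problems)}")
```

Users reported as missing the attribute are worth reviewing before enabling the mapping, since the Add new users to all apps setting is disabled once runway_apps is detected on any user.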