Introduction
Enterprise organizations can enable single sign-on (SSO) to allow users to log in using their native company credentials and authentication methods.
If you’re exploring an SSO integration for your organization, please see the Enterprise SSO FAQ article to learn more about commonly asked questions.
This guide walks through configuring the OIDC-based SSO implementation with Runway.
Step 1 — Creating the OIDC integration with your IDP
Follow the steps below to create a new OIDC integration with your IDP:
If your organization is not using Okta or Azure, you will follow similar steps using the details provided on this page. Please reach out to support with any questions.
Use the following settings to create the integration:
| Setting | Value |
| Sign-on method | OIDC |
| App type | Web application |
| Redirect URL | https://app.runwayml.com/sso-redirect |
| Initiate Login URL | https://app.runwayml.com/sso |
| Grant type | Authorization code |
| Scopes |
openid and email (If your IDP has an option to return users' email addresses to the Runway client application, be sure to enable it) |
Completing the integration setup provides the credentials needed to configure SSO with Runway. Save these details securely in a credential manager, as you'll need them when configuring on Runway:
- Client ID
- Client secret
- Issuer
Important: Your client secret is only visible when first created. Store all credentials in a secure location before proceeding to the next step.
Step 2 — Creating the Runway SSO configuration
Once you’ve securely saved your client ID, secret, and issuer details, you’re ready to begin the configuration on Runway.
To get started, ensure that your Enterprise workspace is currently selected by reviewing the top left corner of the web app:
Tip: If your Enterprise workspace is not active, click the dropdown, Switch Workspace, and select the workspace you’d like to configure SSO on.
Click your user icon in the top right corner and select Workspace settings. Next, click the SSO tab.
If you do not see the SSO tab, ensure that you are an Admin or Billing Admin on the workspace.
Select + New SSO config to open the configuration form. Enter in the following details from the previous step:
- Type – Okta, Azure, or other
- Client Id – The randomly generated identifier made upon creation of the app integration with your IDP
- Client secret – The secret value only shared between your IDP and Runway
-
Issuer – Will look something like
https://{value}.{idp}.com
Before submitting, please cross-check the details and ensure that your Issuer URL does not include a trailing slash:
✅ https://{value}.{idp}.com❌ https://{value}.{idp}.com/Click Submit to send the details.
Step 3 — Finalizing the SSO Configuration
After submitting your SSO configuration, verify domain ownership by sending an email to enterprises@runwayml.com from the domain you're configuring.
In your message, please specify if you need:
- A custom policy to expand SSO coverage across your domain
- Automatic workspace enrollment for new users who sign up to Runway
Runway cannot process SSO configurations or make account changes when contacted by non-administrative account holders. Please note that:
- The email must be sent from an administrator's email address associated with your account
- The sender must have administrative privileges on the Runway account
Testing the SSO Configuration
New SSO policies are temporarily configured with an optional policy. This allows members to test the configuration before requiring SSO for the domain and prevents domain-wide interruptions in the event of a configuration error.
Our team will verify your request and notify you via email once the SSO configuration is ready to test. Test the configuration with the following steps:
- Log out of your account
- Sign back in using the Use Single Sign-On (SSO) option
Important: The Use Single Sign-On (SSO) option must be selected to test SSO. Choosing any other sign in method will not validate the configuration.
After successfully logging in with SSO on your account, we highly recommend asking other members to follow these steps as well. Broadly testing at this phase will help you identity and resolve IDP permission issues without members fully losing access.
Once confirmed that the SSO login broadly works, please respond to the email. The team will then update the policy based on your specific requirements across the entire domain.
Using SSO After Setup
Your workspace will use Runway’s default SSO policies if custom policies are not indicated in your email:
Domain-based SSO requirements
Users with email addresses matching your registered domain(s) must use SSO to access your organization's Runway workspace. These users can still access other workspaces using username/password authentication.
Users with email domains outside your registered domains can log into your workspace using standard username/password credentials.
Workspace enrollment
Users signing into Runway with personal accounts remain in their individual workspaces until an admin explicitly adds them to the Enterprise workspace.
Platform compatibility
SSO is currently unavailable on Runway for iOS. Use Runway mobile web or desktop to access SSO functionality.
If you encounter issues once the setup is complete, please get in touch with our support team.