For some organizations on Enterprise plans, sign-in is facilitated through your native SSO process. Users will log in with the email/password/MFA set up by the organization.

Contents

• Frequently asked questions
  • What is OIDC-based SSO?
  • What is the SSO domain?
  • Can multiple domains be added for a single workspace?
  • Can external domains, like gmail.com, be supported for SSO?
  • Does Runway Enterprise SSO support SAML?
  • How do I know if my organization's IDP supports OIDC?
• Creating a new OIDC integration
• Configuring SSO for Azure AD or Okta
• Configuring SSO for any other IDP
• What to expect once SSO is set up
• SSO Troubleshooting

Frequently asked questions

Frequently asked questions

Q: What is OIDC-based SSO?

OIDC-based SSO stands for OpenID Connect-based Single Sign-On. It is an authentication protocol that allows the members of your organization to log in to multiple applications or services using a single set of credentials. Your members are first redirected away from Runway to log in. When they've completed logging in with your organization, they're then redirected back with a code that instructs Runway to log them in (or register them) with a particular email address.

Q: What is the SSO domain?

SSO ties all of the users from a specific domain to the users of the owner of that domain. Typically, the portion of your organization's email format after the @ defines your domain. 

Q: Can multiple domains be added for a single workspace?

Yes, you can have multiple IDPs, but they cannot be for the same email domain.

Q: Can external domains, like gmail.com, be supported for SSO?

Unfortunately, no. This is a limitation of SSO. Your organization must control the domain name that you are setting up SSO for. Users who are not on that domain can still be added to the workspace using the existing non-SSO tools but will not log in with SSO.

Q: Does Runway Enterprise SSO support SAML(Security Assertion Markup Language)?

At this time, no. We do not support SAML.

Q: Does Runway Enterprise SSO support SCIM (System for Cross-domain Identity Management)?

At this time, no. We do not support SCIM.

Q: How do I know if my organization's IDP (Identity Provider) supports OIDC?

A majority of the common IDP providers do, including: Okta, Ping Identity, Google, Auth0, and Azure AD. If unsure, your organization's Identity Team should know.

Creating a new OIDC integration

Use the following settings to create the integration:

Completing the integration set up will provide the details needed to configure SSO with Runway.

Configuring SSO for Azure AD or Okta

Organizations using Azure AD or Okta as an IDP can configure SSO from the workspace settings:

1. Navigate to Workspace settings
2. Select the SSO tab
3. Click the New SSO Config button
4. Fill out the following details and click Submit:
   • ClientID
     • for Azure: a UUID
     • for Okta: A 20-character code
   • ClientSecret
     • for Azure: a 40-character code
     • for Okta: a 64-character code
   • Issuer URL
     • for Azure: will look like https://login.microsoftonline.com/{uuid}/v2.0
     • for Okta: will look like https://{something}.okta.com
5. Send us an email as instructed from the domain you want to connect SSO for to confirm ownership of the domain (example: If you want to configure @example.com, you need to email us from an email using that domain).
6. Click Yes, I have emailed Runway after sending the email

The Runway team will complete the setup within 1 business day after receiving the email. Once completed, the SSO information will populate in the SSO policy table.

Configuring SSO for any other IDP

From you

To set up SSO with Runway and any other IDP, please send the following information to our Support team via our in-app chat widget. You can get the following details from your SSO IDP:

• A client ID and client secret unique to Runway
• The Discovery URL, Authorization URL, and Token URL

We also need to know all email domain urls that users will be SSO signing in on that are managed by your OIDC portal – for example, some companies have users with either @companyName.com or @cmpnyNm.com and we'd need to enable each domain.

From us

Additionally, you'll need to know these Runway-specific SSO details to complete set up:

• It's a web application (not a single page application or SPA, or a native/mobile application)
• The "grant type" is "authorization code"
• Our redirect URL is https://app.runwayml.com/sso-redirect

What to expect once SSO is set up

What to expect once SSO is set up

The default policies for Runway SSO are:

• All users whose email addresses end with the registered domain name(s) of your organization's SSO set up will be required to use SSO to log in to your organization's Runway workspace. Users with a matching domain in other workspaces will not be affected and may continue to login using username/password. Users with email domains outside of the registered domain names will be allowed to log into your organization's workspace using username/password.
• Users logging into Runway with their own individual accounts or workspaces will not be automatically added to your enterprise workspace. Users will be in a personal workspace until they are explicitly added to the Enterprise workspace by an admin.
• Please Note: SSO is not currently supported for Runway for iOS. To use SSO, use Runway mobile web or the Runway platform on desktop. 

Please include in your message to us if you require a custom policy to widen the application of SSO on your domain, or if you would like new users signing up to Runway to be auto-added to the Enterprise workspace. 

SSO Troubleshooting

SSO Troubleshooting 

• I am a Runway user and I cannot log into my organization's workspace using SSO.
  • Check with your Runway admin whether your domain is set up for SSO. In some cases, not all organizational domains have been set up for SSO (ie: example.com but not exmpl.com has been set up) and if this is the case your domain will need to be registered.
  • Check with your Runway admin if there is an IdP permissions group set up internally. If this is the case, your name will need to be added to the list to access Runway. 

• I am a Runway admin and a user reached out to me saying they cannot login.
  • Go to Workspace Settings > SSO to confirm that the policy and domains list match your expectations.
  • Ensure that the user is added to any internal IdP permissions groups, if they exist.
  • Contact our team for additional support.
• I am a Runway admin and my SSO configuration stopped working.
  • Contact our team to via the in-app chat widget. Include details about your current configuration.
  • If it has been ~1 year since your initial implementation, check if your Client Secret has expired. If so, please reach out to our Support team via our in-app chat widget.