Enterprise Single Sign-On (SSO)


This feature is currently available to users on Enterprise plans.

For some organizations on Enterprise plans, sign-in is facilitated through your native SSO process. Users will log in with the email/password/MFA set up by the organization.

 

Frequently asked questions

Q: What is OIDC-based SSO?

OIDC-based SSO stands for OpenID Connect-based Single Sign-On. It is an authentication protocol that allows the members of your organization to log in to multiple applications or services using a single set of credentials. Your members are first redirected away from Runway to log in. When they’ve completed logging in with your organization, they’re then redirected back with a code that instructs Runway to log them in (or register them) with a particular email address.

 

Q: What is the SSO domain?

SSO ties all of the users on a specific domain to the owner of that domain. Typically, the portion of your organization's email addresses after the @ defines your domain.

 

Q: Can multiple domains be added for a single workspace?

Yes, but they must all use the same IDP with the same configuration. You cannot currently have multiple OIDC providers for a single workspace.

 

Q: Can external domains, like gmail.com, be supported for SSO?

Unfortunately, no. This is a limitation of SSO. Your organization must control the domain name that you are setting up SSO for. Users who are not on that domain can still be added to the workspace using the existing non-SSO tools but will not log in with SSO.

 

Q: Does Runway Enterprise SSO support SAML?

At this time, no.

 

Q: How do I know if my organization's IDP (Identity Provider) supports OIDC?

Most of the common IDPs do, including Okta, Ping Identity, Google, Auth0, and Azure AD. If unsure, your organization's Identity Team should know.

 

Getting started with SSO

From you

To set up SSO with Runway, please send the following information to enterprises@runwayml.com. You can get the following details from your SSO IDP:

  • A client ID and client secret unique to Runway
  • The Discovery URL, Authorization URL, and Token URL

We also need to know every email domain that your users will sign in with through SSO and that is managed by your OIDC portal. For example, some companies have users with either @companyName.com or @cmpnyNm.com, and we'd need to enable each domain.

 

From us

Additionally, you'll need to know these Runway-specific SSO details to complete setup:

  • It’s a web application (not a single page application or SPA, or a native/mobile application)
  • The “grant type” is “authorization code”
  • Our redirect URL is https://app.runwayml.com/sso-redirect
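
Before sending the details above, an identity team can confirm that the IDP's discovery document exposes the Authorization and Token URLs over HTTPS and supports the authorization code grant. The following is an added example, not Runway's or any IDP's own code; idp.example.com, the sample document and the function name are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an IDP discovery document
# (normally served at <issuer>/.well-known/openid-configuration).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "response_types_supported": ["code", "id_token"],
  "grant_types_supported": ["authorization_code", "refresh_token"]
}""")

REDIRECT_URL = "https://app.runwayml.com/sso-redirect"  # from this page


def check_discovery(doc):
    """Return (details_to_send, problems) for an OIDC discovery document."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not an https URL")
    # OIDC Discovery: when grant_types_supported is omitted, the default
    # is ["authorization_code", "implicit"].
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    details = {
        "authorization_url": doc.get("authorization_endpoint"),
        "token_url": doc.get("token_endpoint"),
        "redirect_url_to_register": REDIRECT_URL,
    }
    return details, problems


if __name__ == "__main__":
    details, problems = check_discovery(SAMPLE_DISCOVERY)
    for name, value in details.items():
        print(f"{name}: {value}")
    print("problems:", problems or "none")
```

The check reads only public discovery metadata, so the client secret never needs to pass through it.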

 

What to expect once SSO is set up

The default policies for Runway SSO are:

  • All users whose email addresses end with the domain name of your organization's SSO setup will be required to use SSO to log in to Runway, regardless of the workspace they're logging in to.
  • Users logging into Runway with their own individual accounts or workspaces will not be automatically routed into the organization's Enterprise workspace and will be allowed to remain in their individual accounts. 

Please tell us in your message if you require a custom policy to limit the application of SSO on your domain, or if you would like new users signing up to Runway to be auto-added to the Enterprise workspace.