SAML Single Sign-On (SSO)

Manage access to Render with your identity provider.

SAML SSO requires an Enterprise plan. This is currently an early access feature.

To request SAML SSO for your organization, please contact us.

Enterprise organizations on Render can enforce single sign-on (SSO) via a SAML 2.0-compatible identity provider (IdP), such as Okta.

Non-Enterprise workspaces can enforce other login settings, such as requiring login via Google account.

Setup

During the early access period, SSO setup requires assistance from the Render team.

We’ll work with you directly to complete the steps below.

1. Add your existing workspaces to an Enterprise organization

As part of setting up your Enterprise plan, Render creates a new organization for your team and adds all of your existing workspaces to it.

What is a Render organization?

Each non-Enterprise Render plan includes a single workspace that contains all associated services, projects, and other resources:

[Diagram: Workspace A containing a web service, a DB, and an environment group]

With an Enterprise plan, Render creates a higher-level organization that can contain multiple workspaces:

[Diagram: an organization containing Workspace A and Workspace B]

Each workspace in an organization has its own member list, role assignments, and other settings.

You designate at least one member of your organization to receive the Org Owner role. After the early access period completes, these members will be able to manage SSO settings (along with other organization-level settings) without assistance from Render.

2. Verify domain ownership

Render needs to verify that you own any domains you’re configuring for SSO. To enable this, you add a TXT record with a Render-provided value to each domain’s DNS configuration.

Consult your DNS provider’s documentation for instructions on adding a TXT record.

3. Check email addresses for all organization members

In the Render Dashboard, open your organization’s Members page. Review the email address associated with each existing member. If any member doesn’t use an email address that’s managed by your IdP, they will lose access to the organization after SSO-based login is enforced.

Affected team members can do one of the following:

  • Create a new Render account with their IdP-managed email address
  • Update their existing account to use their IdP-managed email address

After you enforce SSO, all accounts managed by your IdP must use SSO to log in, even to view workspaces outside your organization.

4. Provide your IdP’s metadata

In your IdP’s admin console, create a new SAML 2.0 application for Render. Then, provide Render with the application’s associated metadata URL or file. During the early access period, we’ll apply these values to your organization.

5. Enable optional SSO login

Render enables SSO as a login method for all members of your organization. Members can still log in to Render using other methods, such as their Google account or email/password.

During this period, encourage your team members to log in with SSO to confirm that the flow works as expected.

6. Enforce required SSO login

Render disables all login methods besides SSO for your organization.

  • Members with an IdP-managed email address now must use SSO to log in.
  • Members without an IdP-managed email address lose access to the organization.
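
An added example, not part of Render's documentation or tooling: a pre-enforcement audit for steps 3 and 6 that flags which members would lose access. The member list, the domain `example.com`, and the exact-match rule on domains are assumptions; this page does not state how Render itself matches addresses.

```python
"""Audit member emails against IdP-managed domains before enforcing SSO."""

# Constructed sample data: addresses as copied from the Members page,
# and the domain(s) verified in step 2. None of these come from Render.
MEMBERS = [
    "alice@example.com",
    "Bob@Example.COM ",            # case and stray whitespace still match
    "carol@gmail.com",             # personal account
    "dave@eng.example.com",        # subdomain, not listed as managed
    "eve@example.com.evil.test",   # lookalike: substring matching would wrongly accept it
    "not-an-address",
]
IDP_DOMAINS = ["example.com"]


def email_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    addr = address.strip()
    local, sep, domain = addr.rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or " " in addr or "." not in domain:
        return None
    return domain


def audit_members(members, idp_domains):
    """Sort members by what happens to them once SSO is enforced.

    Assumption: a domain counts as IdP-managed only on an exact match,
    so subdomains must be listed explicitly.
    """
    managed = {d.strip().rstrip(".").lower() for d in idp_domains}
    report = {"keeps_access": [], "loses_access": [], "malformed": []}
    for email in members:
        domain = email_domain(email)
        if domain is None:
            report["malformed"].append(email)
        elif domain in managed:
            report["keeps_access"].append(email.strip())
        else:
            report["loses_access"].append(email.strip())
    return report


if __name__ == "__main__":
    for outcome, emails in audit_members(MEMBERS, IDP_DOMAINS).items():
        print(f"{outcome}: {', '.join(emails) or '-'}")
```

Anyone listed under `loses_access` needs one of the two remedies from step 3 before SSO is enforced.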

Adding new members

After you enable SSO, new team members automatically join your organization the first time they log in to Render via SSO.

New members do not automatically join any workspaces in your organization. An Org Owner or workspace admin can invite new members to individual workspaces as needed.

FAQ

How do I request SSO for my organization?

Please contact us.

Can I use SSO with a non-Enterprise plan?

No. SSO is available only with an Enterprise plan.

Can I use SSO with multiple identity providers?

No. Each Render organization can connect only one IdP for SSO.

Does Render SSO support OIDC or other non-SAML protocols?

Not at this time. SAML 2.0 is currently the only supported protocol for Render SSO.