Overview
Guides
Tutorials
Reference
Maturity
Migration
Community

SAML Single Sign-On

SAML Single Sign-On (SSO) allows workspace members to sign in using your organization’s Identity Provider (IdP), including Okta, Auth0, Microsoft Entra ID, Google Workspace, and more.

New users signing in with your Identity Provider are automatically added to your workspace as workspace members.

Configuring SAML SSO

Screenshot of SAML Settings and Trusted Domains

To configure SAML SSO, go to your workspace’s People settings. You must be a workspace admin with access to your Identity Provider’s configuration panel.

  1. Add your organization’s email domain(s) as Trusted Domains.
  2. In the SAML Single Sign-On section, click Configure and follow the guided setup to connect your Identity Provider to Railway.
  3. Optionally, enforce SAML SSO to require members to log in through your Identity Provider.

Once configured, users can login using SAML SSO using their organization email. Existing users must update their Railway email if it differs from their Identity Provider email.

If you’re a Railway Enterprise customer and don’t see the SAML settings in your workspace, please contact us.

Enforcing SAML SSO

Screenshot of enforcing SAML SSO in a workspace

Workspace admins can enforce SAML SSO to ensure all members access the workspace with your Identity Provider.

  • Enable enforcement by toggling "Members need to login with SAML SSO."
  • Only workspace admins already logged in with SAML SSO can enable enforcement.
  • When enforcement is active, users not authenticated with SAML SSO can’t open the workspace or access its resources.
  • Enforcement takes effect immediately. Active users without SAML authentication will be prompted to re-authenticate.

Note: Enforcement will not limit which login methods a user can use. Because Railway users can be members of multiple workspaces, they can still log in with other methods, but must use SAML SSO to access the SAML-enforced workspace.

Login using SSO

After SAML SSO is enabled, users can log in using their organization’s email by selecting "Log in using Email""Log in using SSO".

Alternatively, go directly to https://railway.com/login#login-saml.

Railway also supports IdP-initiated SSO, allowing users to access Railway directly from their Identity Provider’s dashboard.

Supported Identity Providers

We support all identity providers that use SAML or OIDC, including:

  • Okta
  • Microsoft Entra ID (Azure AD)
  • Auth0
  • Google
  • JumpCloud
  • ADP
  • CAS
  • ClassLink
  • Cloudflare
  • Ping Identity
  • CyberArk
  • Duo
  • Keycloak
  • LastPass
  • Login.gov
  • miniOrange
  • NetIQ
  • OneLogin
  • Oracle
  • Rippling
  • Salesforce
  • Shibboleth
  • SimpleSAMLphp
  • VMware Workspace

and any other provider compatible with SAML or OIDC.

Prev
Project Usage
Next
Support
Edit this file on GitHub