Set up Single Sign-On (SSO) for RevenueCat

This guide walks you through enabling and configuring Single Sign-On (SSO) for your RevenueCat account.

SSO is currently available for customers on an Enterprise plan.

How SSO works in RevenueCat

Once SSO is enabled, users with your organization’s email domain will be required to sign in to RevenueCat through SSO.
SSO is enforced at the account/organization level for the configured email domain.

What you’ll need before you start

Roles

Someone on your team who can manage your identity provider (for example, configuring SAML/OIDC and SCIM).

Identity provider requirements

Your identity provider must support:

SAML or OpenID Connect (OIDC) for authentication, such as Okta, Azure AD, Google Workspace, AWS Cognito, etc.
SCIM provisioning for directory sync

Step-by-step: Enable SSO

1) Request your SSO setup link

Contact your RevenueCat account manager to request SSO enablement. You’ll receive a secure setup link that allows you to connect SSO and directory sync for your organization to RevenueCat.

2) Configure SSO and Directory Sync

Using the setup link, configure your identity provider to connect to RevenueCat:

Set up SSO using SAML or OIDC
Enable SCIM directory sync

3) Create groups in your identity provider

In your identity provider, create (or select) groups that correspond to the RevenueCat roles you want to grant (for example, Admin, Developer, Support, or View Only).

If a user belongs to multiple groups, RevenueCat will grant the highest role.

4) Map SSO groups to RevenueCat roles

In the RevenueCat dashboard:

Go to Project Settings → Collaborators

Collaborators

Add an SSO Group
Select the RevenueCat role that group should receive

SSO group to role mapping interface

Changes may take a few minutes to sync.

Role precedence (highest wins):

Admin
Developer
Growth
Support
View Only

Mapping SSO groups updates project collaborators and may affect currently signed-in users.

5) Activate SSO

When configuration is complete, go to Account > Security > SSO and click Activate SSO.

SSO activation button in security settings

After activation, users with your configured email domain will be required to sign in using SSO.

Validation checklist

After activating SSO, we recommend verifying the following:

At least one admin can sign in via SSO
Users receive the correct project access based on group mappings
Group and role changes sync successfully (allow a few minutes)

FAQ

What happens if a user is in multiple SSO groups?

The user is granted the highest applicable role based on role precedence.

Do I need to configure SSO group mappings for each project?

Yes. Collaborator access is managed per project, so role mappings must be set up individually for each project.

How SSO works in RevenueCat​

What you’ll need before you start​

Roles​

Identity provider requirements​

Step-by-step: Enable SSO​

1) Request your SSO setup link​

2) Configure SSO and Directory Sync​

3) Create groups in your identity provider​

4) Map SSO groups to RevenueCat roles​

5) Activate SSO​

Validation checklist​

FAQ​

What happens if a user is in multiple SSO groups?​

Do I need to configure SSO group mappings for each project?​