Using Single Sign-On (SSO)

Single Sign-On (SSO) is an account security feature that authenticates users and grants access to applications. Only Facilitators & Referrers can use the SSO feature to log in.

Single Sign-On utilizes Security Assertion Markup Language (SAML 2.0) or OpenID Connect (1.0) protocols to defer user authentication to your chosen IdP and provide identity data for platform access control.

To use Single Sign-On, you must set up a domain with an Identity Provider (IdP) such as OneLogin, Google, Microsoft, or Okta.

Warning: Facilitators and Referrers are still required to use Multi-Factor Authentication (MFA).

A brief comparison of the two authentication protocols:

Supported Protocols

  • SAML 2.0: XML, HTTP, SOAP, & all other XML-friendly protocols.

  • OpenID Connect 1.0: XRDS & HTTP

Validation Process

  • SAML 2.0: Validated through chosen IdP intermediary service response.

  • OpenID Connect 1.0: Validated through OAuth server response.

Access Response

  • SAML 2.0: SAML authentication “assertion” is generated by the intermediary IdP service to grant access.

  • OpenID Connect 1.0: A temporary access token is granted by the IdP server to grant access.

Supporting Identity Providers

  • SAML 2.0: Okta, OneLogin, Salesforce, SiteMinder

  • OpenID Connect 1.0: Google, Microsoft, Okta

Benefits of Single Sign-On

Enhanced Security

  • Leverage authentication decisions defined through your IdP, such as password and authentication policies.

  • Revoke compromised user access to the Portal in minutes.

Seamless Access Management

  • Optimize new team member onboarding with Portal access using sign-in credentials created by your business for access to multiple applications.

  • Streamline existing team members' Portal access without requiring a Payrix Login ID.



Getting Started with Single Sign-On

Once you have chosen your preferred IdP and are ready to enable SSO for the Payrix Platform, follow the instructions below for the protocol you’re using:

OneLogin Setup

OneLogin - How to Implement SAML

For this example, we will be using OneLogin. Follow your IdP instructions for connection.

Step 1: Access the Single Sign-On menu

  1. In the OneLogin app, access the SAML application and click Configurations.

  2. In the Portal, navigate to Settings > Business Settings (Settings category) > Hosts > Single Sign-On and click the “edit” button.

  3. Select SAML2.0 from the “Single Sign-On Protocol” drop-down and copy the Entity ID and Single Logout URL.

  4. From the Portal, paste the Entity ID and Single Logout URL into the corresponding fields on the Configurations tab in OneLogin.

  5. Click Save in the Configurations tab.

Step 2: Enable OneLogin Single Sign-On

  1. In the OneLogin app, navigate to the SSO tab.

  2. Copy the following fields from OneLogin and paste them in the Portal Single Sign-On menu fields:

OneLogin App (Copy) → Payrix Portal (Paste)

  • Issuer URL → Entity ID

  • SAML 2.0 Endpoint (HTTP) → SAML 2.0 Endpoint

  • SLO Endpoint (HTTP) → Single Logout Service Endpoint

  • X.509 certificate → XL509. Note: To see the X.509 certificate field in OneLogin, click the “View Details” button.

Step 3: Apply Single Sign-On Configuration

  1. In the Portal, click the checkmark (where the edit button was) to confirm and save the changes.

  2. Navigate to the Profile page and click the Update Single Sign-On button.

Done.

Your new Single Sign-On setup is complete.

OneLogin - How to Implement with OpenID

For this example, we will be using OneLogin. Follow your IdP instructions for connection.

Step 1: Access the Single Sign-On menu

  1. In the OneLogin app, access the OpenID application and click Configurations.

  2. In the Portal, navigate to Settings > Business Settings (Settings category) > Hosts > Single Sign-On and click the “edit” button.

  3. Select OpenID from the “Single Sign-On Protocol” drop-down and copy the Redirect URLs; paste them into the Redirect URLs section on the Configurations tab of the OneLogin app.

Step 2: Enable OneLogin Single Sign-On

  1. In the OneLogin app, navigate to the SSO tab.

  2. Copy the following fields from OneLogin and paste them into the Portal Single Sign-On menu fields:

OneLogin App (Copy) → Payrix Portal (Paste)

  • Issuer URL → Entity ID

  • Client ID → Client ID

  • Client Secret → Client Secret. Note: Click “show” to reveal the secret to be copied.

Step 3: Apply Single Sign-On Configuration

  1. In the Portal, click the checkmark (where the edit button was) to confirm and save the changes.

  2. Navigate to the Profile page and click the Update Single Sign-On button.

Done.

Your new Single Sign-On setup is complete.
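Before pasting the Issuer URL, it is worth confirming that it matches what the IdP itself advertises. The following check is an added example, not Payrix or OneLogin code; the function name, the idp.example.com URLs and the sample discovery document are constructed for illustration, and in practice the document would be the JSON your IdP serves at the issuer's /.well-known/openid-configuration path.

```python
import json
from urllib.parse import urlparse

# Constructed discovery document (idp.example.com is a placeholder), in the shape
# an IdP serves at <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/oidc/2",
    "authorization_endpoint": "https://idp.example.com/oidc/2/auth",
    "token_endpoint": "https://idp.example.com/oidc/2/token",
    "jwks_uri": "https://idp.example.com/oidc/2/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
})

def check_issuer(configured_issuer, discovery_json):
    """Return mismatches between the pasted Issuer URL and the IdP's discovery document."""
    doc = json.loads(discovery_json)
    findings = []
    # OIDC Discovery requires the advertised issuer to be identical to the
    # configured one: a trailing slash or a different path counts as a mismatch.
    if doc.get("issuer") != configured_issuer:
        findings.append(f"issuer mismatch: configured {configured_issuer!r}, "
                        f"IdP advertises {doc.get('issuer')!r}")
    if urlparse(configured_issuer).scheme != "https":
        findings.append("issuer is not an https URL")
    # Endpoints that carry authorization codes, tokens and signing keys.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            findings.append(f"{key}: missing")
        elif urlparse(url).scheme != "https":
            findings.append(f"{key}: not HTTPS ({url})")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("IdP advertises unsigned ID tokens (alg 'none')")
    return findings

if __name__ == "__main__":
    # A trailing slash on the pasted value is enough to produce a finding.
    print(check_issuer("https://idp.example.com/oidc/2/", SAMPLE_DISCOVERY))
```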


Google

Google - How to Implement SAML

For this example, we will be using Google. Follow your IdP instructions for connection.

Step 1: Setup in Google Admin

  1. From the home page of the Google Admin console, navigate to Apps > SAML Apps and click Add App > Add custom SAML app.

  2. Enter a name on the App Details page.

  3. Download the IdP metadata, or copy the SSO URL and Entity ID and download the Certificate; then, click Continue.

Step 2: Enable Access to Portal

  1. In the Portal, go to the Single Sign-On menu.

  2. Copy these fields from the Single Sign-On menu and paste them into the Service Provider Details window of the Google Admin console. Then click Finish.

Payrix Portal → Google Admin console

  • ACS URL → ACS URL

  • Entity ID → Entity ID

  • Start URL → Start URL

Step 3: Turn on your SAML App

  1. From the Google Admin console, go to Apps and select your new SAML app.

  2. Click User Access, then locate the On/Off for Everyone toggle.

    1. On for everyone - Enables SSO with SAML for everyone in your Google organization.

    2. Off for everyone - Disables SSO with SAML for everyone in your Google organization.

  3. When finished, click Save.

Step 4: Enable SSO for a Host

  1. In the Portal, navigate to Settings > Business Settings (Settings category) > Hosts.

  2. Locate the desired Hostname and click on its listing. You will be taken to its Profile page.

  3. In the Profile page, click Features, locate Single Sign-On within the menu, and toggle it to On.
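The SAML values copied by hand in the OneLogin and Google procedures above (Entity ID, SAML 2.0 endpoint, logout endpoint, certificate) are the same ones carried in the IdP metadata file that Google offers for download. The following is an added example, not Payrix, OneLogin or Google code: it reads those values from a metadata document and flags anything missing or served over plain HTTP before it is pasted into the Single Sign-On menu. The function names and the sample metadata are constructed for illustration, and the code takes the first endpoint of each kind.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample: idp.example.com is a placeholder, the certificate body is
# dummy bytes (not a real X.509 certificate), and the SLO URL is deliberately http.
DUMMY_CERT = base64.b64encode(b"constructed dummy certificate bytes").decode()
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata/1234">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {DUMMY_CERT} </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{BIND}" Location="http://idp.example.com/saml/slo/1234"/>
    <md:SingleSignOnService Binding="{BIND}" Location="https://idp.example.com/saml/sso/1234"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def read_idp_metadata(xml_text):
    """Extract the values the SSO menu asks for from SAML IdP metadata."""
    root = ET.fromstring(xml_text.strip())
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    def location(tag):
        el = idp.find(f"md:{tag}", NS)
        return None if el is None else el.get("Location")
    cert = idp.find(".//ds:X509Certificate", NS)
    # Metadata wraps the base64 certificate across lines; strip all whitespace.
    der = base64.b64decode("".join((cert.text or "").split())) if cert is not None else b""
    return {
        "entity_id": root.get("entityID"),
        "sso_url": location("SingleSignOnService"),
        "slo_url": location("SingleLogoutService"),
        "cert_sha256": hashlib.sha256(der).hexdigest() if der else None,
    }

def review(values):
    """Return problems to resolve before pasting the values into the SSO menu."""
    findings = [f"{name}: missing" for name, value in values.items() if not value]
    for field in ("sso_url", "slo_url"):
        url = values[field]
        if url and urlparse(url).scheme != "https":
            findings.append(f"{field}: not HTTPS ({url})")
    return findings
```

Calling `review(read_idp_metadata(SAMPLE_METADATA))` reports the plain-HTTP logout URL in the sample. If your IdP displays a SHA-256 fingerprint for its signing certificate, compare it with `cert_sha256` to confirm the certificate was copied intact.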