Single Sign-On (SSO) is an account security feature that authenticates users and grants access to applications. Only Facilitators & Referrers can use the SSO feature to log in.
Single Sign-On utilizes Security Assertion Markup Language (SAML 2.0) or OpenID Connect (1.0) protocols to defer user authentication to your chosen IdP and provide identity data for platform access control.
To use Single Sign-On, you must set up a domain with an Identity Provider (IdP) such as OneLogin, Google, Microsoft, or Okta.
See the expandable content below for a brief comparison of authentication protocols:
Comparing SAML 2.0 & OpenID Connect 1.0
| SAML 2.0 | OpenID Connect 1.0 |
|---|
Supported Protocols | XML, HTTP, SOAP, & all other XML-friendly protocols. | XRDS & HTTP |
Validation Process | Validated through chosen IdP intermediary service response. | Validated through OAuth server response. |
Access Response | SAML authentication “assertion” is generated by the intermediary IdP service to grant access. | A temporary access token is granted by the IdP server to grant access. |
Supporting Identity Providers | Okta OneLogin SalesForce SiteMinder
| |
Benefits of Single Sign-On
Enhanced Security
Leverage authentication decisions defined through your IdP, such as password and authentication policies.
Revoke compromised user access to the Portal in minutes.
Seamless Access Management
Optimize new team member onboarding with Portal access using sign-in credentials created by your business for access to multiple applications.
Streamline existing team members' Portal access without requiring a Payrix Login ID.
Additional Resources
Visit the links below to learn more about different authentication protocols:
Getting Started with Single Sign-On
Once you have chosen your preferred IdP and are ready to enable SSO for the Payrix Platform, follow the instructions below for the protocol you’re using:
OneLogin Setup
OneLogin - How to Implement SAML
For this example, we will be using OneLogin. Follow your IdP instructions for connection.
Instructions - OneLogin SAML
In the OneLogin app, access the SAML application and click Configurations.
In the Portal, navigate to Settings > Business Settings (Settings category) > Hosts > Single Sign-On and click the “edit” button.
Select SAML2.0 from the “Single Sign-On Protocol” drop-down and copy the Entity ID and Single Logout URL.
From the Portal, paste the Entity ID and Single Logout URL into the corresponding fields on the Configurations tab in OneLogin.
Click Save in the Configurations tab.
Step 2: Enable OneLogin Single Sign-On
In the OneLogin app, navigate to the SSO tab.
Copy the following fields from OneLogin and paste them in the Portal Single Sign-On menu fields:
OneLogin App (Copy) | Payrix Portal (Paste) | Notes |
|---|
Issuer URL | Entity ID | |
SAML 2.0 Endpoint (HTTP) | SAML 2.0 Endpoint | |
SLO Endpoint (HTTP) | Single Logout Service Endpoint | |
XL509 certificate | XL509 | To see the XL509 certificate field in OneLogin, click the “View Details” button. |
Step 3: Apply Single Sign-On Configuration
In the Portal, click the checkmark (where the edit button was) to confirm and save the changes.
Navigate to the Profile page and click the Update Single Sign-On button.
Done.
Your new Single Sign-On setup is complete.
OneLogin - How to Implement with OpenID
For this example, we will be using OneLogin. Follow your IdP instructions for connection.
Instructions - OneLogin OpenID
In the OneLogin app, access the OpenID application and click Configurations.
In the Portal, navigate to Settings > Business Settings (Settings category) > Hosts > Single Sign-On and click the “edit” button.
Select OpenID from the “Single Sign-On Protocol” drop-down and copy the Redirect URLs; paste them in the Redirect URLs section of the OneLogin Configurations tab app.
Step 2: Enable OneLogin Single Sign-On
In the OneLogin app, navigate to the SSO tab.
Copy the following fields from OneLogin and paste them into the Portal Single Sign-On menu fields:
OneLogin App (Copy) | Payrix Portal (Paste) | Notes |
|---|
Issuer URL | Entity ID | |
Client ID | Client ID | |
Client Secret | Client Secret | Click “show” to reveal the secret to be copied. |
Step 3: Apply Single Sign-On Configuration
In the Portal, click the checkmark (where the edit button was) to confirm and save the changes.
Navigate to the Profile page and click the Update Single Sign-On button.
Done.
Your new Single Sign-On setup is complete.
Google
Google - How to Implement SAML
For this example, we will be using Google. Follow your IdP instructions for connection.
Instructions - Google SAML
Step 1: Setup in Google Admin
From the home page of the Google Admin console, navigate to Apps->SAML Apps and click: Add App > Add custom SAML app.
Add a name into the App Details page.
Download the IdP metadata or Copy the SSO URL, Entity ID, and download the Certificate; then, click Continue.
Step 2: Enable Access to Portal
In the Portal, go to the Single Sign-On menu.
Copy these fields from the Single Sign-On menu and paste them into the Service Provider Details window of the Google Admin console. Then click Finish
Payrix Portal → | Google Admin console |
|---|
ACS URL | ACS URL |
Entity ID | Entity ID |
Start URL | Start URL |
Step 3: Turn on your SAML App
From the Google Admin console, go to Apps and select your new SAML app.
Click User Access, then locate the On/Off for Everyone toggle.
On for everyone - Enables SSO with SAML for everyone in your Google organization.
Off for everyone - Disables SSO with SAML for everyone in your Google organization.
When finished, click Save.
Step 3: Enable SSO for a Host
In the Portal, navigate to Settings > Business Settings (Settings category) > Hosts
Locate the desired Hostname and click on their listing. You will be taken to their Profile page.
In the Profile page, click Features, locate Single Sign-On within the menu, and toggle it to On.
.png)
