Set up single sign-on

Learn how to set up single sign-on (SSO) to log in to the Customer Area.

Single sign-on (SSO) lets you use one set of credentials to securely access several services, such as your email service and your Customer Area.
The Customer Area supports SSO based on the Security Assertion Markup Language (SAML) 2.0 protocol. SSO solutions that use the SAML 2.0 protocol include identity providers like Okta, Azure, and Microsoft AD FS.

Before you start

To set up SSO for the Customer Area you need:

  • An SSO solution that supports the SAML 2.0 protocol.
  • A Customer Area company account. You cannot set up SSO with a merchant account.
  • A user with one of the following roles: Merchant admin or Merchant user management.
  • Acceptance of the legal notice about SSO. This must be done by someone authorized to represent your organization.

Recommended:

  • Keep at least one admin user that doesn't log in using SSO, so that you can troubleshoot issues.

Add the Customer Area to your identity provider

Get the following information from your service provider:

Step 1: Get the Customer Area metadata URL

First, do the following in your test Customer Area. Then, repeat it in your live Customer Area.

  1. Go to Settings > Single sign-on and select Start configuration.
  2. Under Service provider configuration, find either the SSO URL or AssertionConsumerService. Select Copy URL.
    You need this URL to configure your identity provider.

Step 2: Configure your identity provider

In your identity provider's interface, do the following:

  1. Add the URL you copied from the Service provider configuration in the Customer Area.
  2. Enable SAML2 request signing.
  3. Enable SAML2 response signing.
  4. In the SubjectNameID field, enter an email address. For example, test@company.com.
    If Azure is your identity provider, you must enable the response and assertion (Sign SAML response and assertion) signing option in the Azure user interface.
  5. Get your identity provider's metadata URL. This is required to configure the service provider in your Customer Area.

Step 3: Configure the service provider in the Customer Area

  1. In your Customer Area, go to Settings > Single sign-on.
  2. Under Identity provider configuration, in the Metadata URL field, enter your identity provider's metadata URL. You can change the metadata URL later if you need to.
    If Azure is your identity provider, enter the App federation Metadata Url in the input field.
  3. Select Fetch configuration.
  4. Check that the fetched details are correct.
  5. Select Save configuration.

After doing this, you can start testing SSO. Your existing users do not automatically have SSO enabled, so you must:

If you experience issues with your SSO configuration for Customer Area, contact our Support Team.

Change the metadata URL

  1. In your Customer Area, go to Settings > Single sign-on.
  2. Under Identity provider configuration, select the edit icon for Metadata URL.
  3. Select Fetch new configuration.
  4. After fetching the metadata URL, select Save configuration.

Create users who log in to the Customer Area using SSO

The person you create the user for must already have an account with the identity provider your organization uses. You can create the user either in your Customer Area or by making a Management API request.

The new user receives an email with a link to verify their email address for their Customer Area account.

If you have questions or feedback, get in touch with your Adyen contact.