Set up single sign-on

Learn how to set up single sign-on (SSO) to log in to the Customer Area.

Single sign-on (SSO) lets you use the same set of credentials to securely access several other services, like email service or your Customer Area.
The Customer Area supports SSO based on the Security Assertion Markup Language (SAML) 2.0 protocol. SSO solutions that use the SAML 2.0 protocol include identity providers like Okta, Azure, and Microsoft AD FS.

Before you start

To set up SSO for the Customer Area you need:

An SSO solution that supports the SAML 2.0 protocol.
A Customer Area company account. You can't set up SSO with a merchant account.
A user with one of the following roles: Merchant admin or Merchant user management
Accept the legal notice about SSO. This must be done by someone authorized to represent your organization.

Recommended:

Keep at least one admin user that doesn't log in using SSO, so that you can troubleshoot issues.

Add the Customer Area to your identity provider

Get the following information from your service provider:

Adyen field name	Okta
SSO URL	Single sign-on URL
Entity ID	Audience URI
Name ID	Name ID format (Must be an email address)
Response	Response

Adyen field name	AD FS
SSO URL	Assertion Consumer Service URL
Entity ID	Identifier
Name ID	IssuanceTransformRules
Response	MessageAndAssertion

Adyen field name	Azure
SSO URL	Reply URL (AssertionConsumerService)
Entity ID	Identifier (Entity ID)
Name ID	Unique User Identifier
Response	Response

Adyen field name	Google
SSO URL	Sign-on URL
Entity ID	Entity ID
Name ID	-
Response	Response

Step 1: Get the Customer Area metadata URL

First, do the following in your test Customer Area. Then, repeat it in your live Customer Area.

Go to Settings > Single sign-on and select Start configuration.
Under Service provider configuration, find either the SSO URL or AssertionConsumerService. Select Copy URL.
You need this URL to configure your identity provider.

Step 2: Configure your identity provider

In your identity provider's interface, do the following:

Add the URL you copied from the Service provider configuration in the Customer Area.
Enable SAML2 request signing.
Enable SAML2 response signing.
In the SubjectNameID field, enter an email address. For example, test@company.com.
If Azure is your identity provider, you must enable the response and assertion (Sign SAML response and assertion) signing option in the Azure user interface.
Get your identity provider's metadata URL. This is required to configure the service provider in your Customer Area.

Step 3: Configure the service provider in the Customer Area

In your Customer Area, go to Settings > Single sign-on.
Under Identity provider configuration, in the Metadata URL field, enter your identity provider's metadata URL. You can change the metadata URL later if you need to.
If Azure is your identity provider, enter App federation Metadata Url in the input field.
Select Fetch configuration.
Check that the fetched details are correct.
Select Save configuration.

After doing this, you can start testing SSO. Your existing users don't automatically have SSO enabled, so you must:

Create users who log in to the Customer Area using SSO.
Migrate existing users to SSO.

If you experience issues with your SSO configuration for Customer Area, contact our Support Team.

Change the metadata URL

In your Customer Area, go to Settings > Single sign-on.
Under Identity provider configuration, select edit icon for Metadata URL.
Select Fetch new configuration.
After fetching the metadata URL, select Save configuration.

Create users who log in to the Customer Area using SSO

The person who you create the user for must already have an account with the identity provider your organization uses. You can create the user either in your Customer Area or by making a Management API request.

In your Customer Area

You must have one of the following roles:

Merchant admin
Merchant user management

To create new users to login through your identity provider:

Log in to your Customer Area.
Go to Settings > Users.
On the right top of the page, select Create new user.
For User details:
- Select the SSO option as the login method.
- Enter a unique email, a first name, and a last name for the new user. The email address will be the user's username.
Select Continue.
For Accounts, you can choose whether this user will have access to all associated merchants accounts or specific groups and accounts.
Select Continue.
For Roles, you can only assign roles that your own user already has. For a list of all possible roles, see user roles.
Select Continue.
In the Summary page you can check and edit the details, accounts, and roles you assigned to the new user.
Select Create new user.

The new user receives an email with a link to verify their email address for their Customer Area account.

If you have questions or feedback, get in touch with your Adyen contact.

Field	Description
`name`	The user's first and last name.
`loginMethod`	SSO
`email`	The user's email address.
`username`	The user's email address that will be their username. This must be the same as the one in the `email` field.
`timeZoneCode`	The tz database name of the time zone of the user. For example, Europe/Amsterdam.
`roles`	The user roles to assign to this user. You can only assign the ones that your own user already has.
`accountGroups`	The list of account groups associated with this user.
`associatedMerchantAccounts`	The list of merchant accounts this user can log into.