---
title: "Set up single sign-on"
description: "Learn how to set up single sign-on (SSO) to log in to the Customer Area."
url: "https://docs.adyen.com/account/single-sign-on/set-up-sso"
source_url: "https://docs.adyen.com/account/single-sign-on/set-up-sso.md"
canonical: "https://docs.adyen.com/account/single-sign-on/set-up-sso"
last_modified: "2026-05-25T12:55:01+02:00"
language: "en"
---

# Set up single sign-on

Learn how to set up single sign-on (SSO) to log in to the Customer Area.

[View source](/account/single-sign-on/set-up-sso.md)

Single sign-on (SSO) lets you use the same set of credentials to securely access several services, such as your email service or your Customer Area.

The Customer Area supports SSO based on the [Security Assertion Markup Language (SAML) 2.0 protocol](https://en.wikipedia.org/wiki/SAML_2.0). SSO solutions that use the SAML 2.0 protocol include identity providers like Okta, Azure, and Microsoft AD FS.

## Before you start

To set up SSO for the Customer Area you need:

* An SSO solution that supports the SAML 2.0 protocol.
* A Customer Area [company account](/account/account-structure#company-account). You cannot set up SSO with a [merchant account](/account/account-structure#merchant-accounts).
* A user with one of the following [roles](/account/user-roles): **Merchant admin** or **Merchant user management**.
* Accept the legal notice about SSO. This must be done by someone authorized to represent your organization.

Recommended:

* Keep at least one admin user that doesn't log in using SSO so that you can troubleshoot issues.

## Add the Customer Area to your identity provider

Get the following information from your service provider:

| Adyen field name | Okta | AD FS | Azure | Google |
| ---------------- | ----------------------------------------- | ------------------------------ | ------------------------------------ | ----------- |
| **SSO URL** | Single sign-on URL | Assertion Consumer Service URL | Reply URL (AssertionConsumerService) | Sign-on URL |
| **Entity ID** | Audience URI | Identifier | Identifier (Entity ID) | Entity ID |
| **Name ID** | Name ID format (Must be an email address) | IssuanceTransformRules | Unique User Identifier | - |
| **Response** | Response | MessageAndAssertion | Response | Response |

The metadata file must be permanently hosted on a publicly accessible cloud service on your end. Use it as the Sign-on URL.

### Step 1: Get the Customer Area metadata URL

First, do the following in your [test Customer Area](https://ca-test.adyen.com/). Then, repeat it in your [live Customer Area](https://ca-live.adyen.com/).

1. Go to **Settings** > **Single sign-on** and select **Start configuration**.
2. Under **Service provider configuration**, find either the **SSO URL** or **AssertionConsumerService**. Select **Copy URL**.\
   You need this URL to configure your identity provider.

### Step 2: Configure your identity provider

For Google as your identity provider: the metadata file must be permanently hosted on a publicly accessible cloud service on your end. Use it as the Sign-on URL.\
Make sure that the metadata file is not encrypted.

In your identity provider's interface, do the following:

1. Add the URL you copied from the **Service provider configuration** in the Customer Area.
2. Enable SAML2 request signing.
3. Enable SAML2 response signing.
4. In the **SubjectNameID** field, enter an email address. For example, **test@company.com**.\
   If Azure is your identity provider, you must enable the response and assertion (**Sign SAML response and assertion**) signing option in the Azure user interface.
5. Get your identity provider's metadata URL. This is required to configure the service provider in your Customer Area.

### Step 3: Configure the service provider in the Customer Area

1. In your Customer Area, go to **Settings** > **Single sign-on**.
2. Under **Identity provider configuration**, in the **Metadata URL** field, enter your identity provider's metadata URL. You can [change the metadata URL later](#change-the-metadata-url) if you need to.\
   If Azure is your identity provider, enter **App federation Metadata Url** in the input field.
3. Select **Fetch configuration**.
4. Check that the fetched details are correct.
5. Select **Save configuration**.

After doing this, you can start testing SSO. Your existing users do not automatically have SSO enabled, so you must:

* [Create users](#create-users-sso) who log in to the Customer Area using SSO.
* [Migrate existing users](/account/single-sign-on/migrate-users-to-sso) to SSO.

If you experience issues with your SSO configuration for Customer Area, contact our [Support Team](https://ca-test.adyen.com/ca/ca/contactUs/support.shtml?form=other).

### Change the metadata URL

1. In your Customer Area, go to **Settings** > **Single sign-on**.
2. Under **Identity provider configuration**, select the edit icon for **Metadata URL**.
3. Select **Fetch new configuration**.
4. After fetching the metadata URL, select **Save configuration**.

## Create users who log in to the Customer Area using SSO

The person who you create the user for must already have an account with the identity provider your organization uses.

You can create the user either in your Customer Area or by making a Management API request.

### In your Customer Area

You must have one of the following roles:

* Merchant admin
* Merchant user management

To create new users who log in through your identity provider:

1. Log in to your Customer Area.
2. Go to **Account** > **Users**.
3. At the top right of the page, select **Create new user**.
4. For **User details**:
   * Select the **SSO** option as the login method.
   * Enter a unique email, a first name, and a last name for the new user. The email address will be the user's username.
5. Select **Continue**.
6. For **Accounts**, you can choose whether this user will have access to all associated merchant accounts or specific groups and accounts.
7. Select **Continue**.
8. For **Roles**, you can only assign roles that your own user already has. For a list of all possible roles, see [user roles](/account/user-roles).
9. Select **Continue**.
10. On the **Summary** page you can check and edit the details, accounts, and roles you assigned to the new user.
11. Select **Create new user**.

### Make a Management API request

The Management API endpoint you use depends on the type of SSO user:

* For one with access to a [company account](/account/account-structure#company-account), make a **POST** [/companies/{companyId}/users](https://docs.adyen.com/api-explorer/Management/latest/post/companies/\(companyId\)/users) request.
* For one with access to a [merchant account](/account/account-structure#merchant-accounts), make a **POST** [/merchants/{merchantId}/users](https://docs.adyen.com/api-explorer/Management/latest/post/merchants/\(merchantId\)/users) request.

Both requests include:

| Field | Description |
| ---------------------------- | ----------- |
| `name` | The user's first and last name. |
| `loginMethod` | **SSO** |
| `email` | The user's email address. |
| `username` | The user's email address that will be their username. This must be the same as the one in the `email` field. |
| `timeZoneCode` | The [tz database name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) of the time zone of the user. For example, Europe/Amsterdam. |
| `roles` | The [user roles](/account/user-roles) to assign to this user. You can only assign the ones that your own user already has. |
| `accountGroups` | The list of [account groups](/account/account-structure#account-groups) associated with this user. |
| `associatedMerchantAccounts` | The list of [merchant accounts](/account/account-structure#merchant-accounts) this user can log in to. |

**API request to create a company account user**

```bash
curl https://management-test.adyen.com/v3/companies/{companyId}/users \
-H 'x-API-key: ADYEN_API_KEY' \
-H 'content-type: application/json' \
-d '{
  "name": {
    "firstName": "FIRST_NAME",
    "lastName": "LAST_NAME"
  },
  "loginMethod": "SSO",
  "email": "EMAIL_ADDRESS",
  "username": "EMAIL_ADDRESS",
  "timeZoneCode": "Europe/Amsterdam",
  "roles": [],
  "accountGroups": [],
  "associatedMerchantAccounts": []
}'
```

You get a response with the HTTP **200** response code if the user was created. If there's an error, check the [error message](/development-resources/response-handling#error-response-fields) in the response.

The new user receives an email with a link to verify their email address for their Customer Area account.

If you have questions or feedback, get in touch with your Adyen contact.
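
The field rules in the Management API request table above can be checked locally before the request is sent. The following is an added example, not Adyen's code: the function name, the messages and the sample values are assumptions, and the role names are constructed placeholders rather than real role identifiers.

```python
import re

# Field names are the ones listed in the request table on this page.
REQUIRED = ("name", "loginMethod", "email", "username", "timeZoneCode",
            "roles", "accountGroups", "associatedMerchantAccounts")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample body; ROLE_A is a placeholder, not a real role name.
SAMPLE_BODY = {
    "name": {"firstName": "Jane", "lastName": "Doe"},
    "loginMethod": "SSO",
    "email": "jane.doe@example.com",
    "username": "jane.doe@example.com",
    "timeZoneCode": "Europe/Amsterdam",
    "roles": ["ROLE_A"],
    "accountGroups": [],
    "associatedMerchantAccounts": [],
}


def check_sso_user_request(body, caller_roles):
    """Return a list of problems found in a create-user request body."""
    problems = [f"missing field: {f}" for f in REQUIRED if f not in body]
    if body.get("loginMethod") != "SSO":
        problems.append("loginMethod must be SSO")
    email, username = body.get("email", ""), body.get("username", "")
    if not EMAIL_RE.match(email):
        problems.append("email is not a valid address")
    # The username must be the same value as the email field.
    if username != email:
        problems.append("username must equal email")
    # Only roles the calling user already holds can be assigned; checking
    # locally also surfaces an unintended privilege grant before it is sent.
    extra = sorted(set(body.get("roles", [])) - set(caller_roles))
    if extra:
        problems.append("roles not held by caller: " + ", ".join(extra))
    name = body.get("name", {})
    if not (name.get("firstName") and name.get("lastName")):
        problems.append("name needs firstName and lastName")
    return problems


if __name__ == "__main__":
    print(check_sso_user_request(SAMPLE_BODY, ["ROLE_A", "ROLE_B"]))
```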
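
For Step 2 and the "Check that the fetched details are correct" item in Step 3, the identity provider's metadata can be reviewed before its URL is entered in the Customer Area. This is an added example, not Adyen's code: the metadata is constructed, and mapping "request signing" to the standard `WantAuthnRequestsSigned` attribute is an assumption of this example.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata, not taken from any real identity provider.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED_PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Location="https://idp.example.com/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def review_idp_metadata(xml_text):
    """Return findings for the Step 2 settings; an empty list means none."""
    # Metadata is fetched from a URL, so refuse DTDs before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["metadata contains a DTD; refusing to parse"]
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return ["root element is not a plain EntityDescriptor"]
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor element"]
    findings = []
    # Assumption: "request signing" corresponds to WantAuthnRequestsSigned.
    if idp.get("WantAuthnRequestsSigned", "false").lower() not in ("true", "1"):
        findings.append("IdP does not require signed requests")
    # Response signing is not a metadata flag; the published signing key is.
    uses = [k.get("use") for k in idp.findall(MD + "KeyDescriptor")]
    if not any(u in (None, "signing") for u in uses):
        findings.append("no signing certificate published")
    formats = [n.text.strip() for n in idp.findall(MD + "NameIDFormat") if n.text]
    if EMAIL_FORMAT not in formats:
        findings.append("emailAddress NameID format not advertised")
    for sso in idp.findall(MD + "SingleSignOnService"):
        if not sso.get("Location", "").startswith("https://"):
            findings.append("SSO endpoint is not HTTPS")
    return findings

if __name__ == "__main__":
    print(review_idp_metadata(SAMPLE_METADATA))
```

An empty list only means the metadata advertises the expected settings; whether responses are actually signed still has to be confirmed with a test login.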