{"title":"Set up single sign-on","category":"default","creationDate":1776961629,"content":"<p>Single sign-on (SSO) lets you use the same set of credentials to securely access several other services, like email service or your Customer Area.<br \/>\nThe Customer Area supports SSO based on the <a href=\"https:\/\/en.wikipedia.org\/wiki\/SAML_2.0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Security Assertion Markup Language (SAML) 2.0 protocol<\/a>. SSO solutions that use the SAML 2.0 protocol include identity providers like Okta, Azure, and Microsoft AD FS.<\/p>\n<h2>Before you start<\/h2>\n<p>To set up SSO for the Customer Area you need:<\/p>\n<ul>\n<li>An SSO solution that supports the SAML 2.0 protocol.<\/li>\n<li>A Customer Area <a href=\"\/pt\/account\/account-structure#company-account\">company account<\/a>. You cannot set up SSO with a <a href=\"\/pt\/account\/account-structure#merchant-accounts\">merchant account<\/a>.<\/li>\n<li>A user with one of the following <a href=\"\/pt\/account\/user-roles\">roles<\/a>: <strong>Merchant admin<\/strong> or <strong>Merchant user management<\/strong><\/li>\n<li>Accept the legal notice about SSO. 
This must be done by someone authorized to represent your organization.<\/li>\n<\/ul>\n<p>Recommended:<\/p>\n<ul>\n<li>Keep at least one admin user that doesn't log in using SSO, so that you can troubleshoot issues.<\/li>\n<\/ul>\n<h2>Add the Customer Area to your identity provider<\/h2>\n<p>Get the following information from your service provider:<\/p>\n\n<div id=\"tabkeCtq\">\n    <div data-component-wrapper=\"tabs\">\n        <tabs\n                        :items=\"[{&quot;title&quot;:&quot;Okta&quot;,&quot;content&quot;:&quot;\\n&lt;table&gt;\\n&lt;thead&gt;\\n&lt;tr&gt;\\n&lt;th&gt;Adyen field name&lt;\\\/th&gt;\\n&lt;th&gt;Okta&lt;\\\/th&gt;\\n&lt;\\\/tr&gt;\\n&lt;\\\/thead&gt;\\n&lt;tbody&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;SSO URL&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Single sign-on URL&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Entity ID&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Audience URI&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Name ID&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Name ID format (Must be an email address)&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Response&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Response&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;\\\/tbody&gt;\\n&lt;\\\/table&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;okta_0_1&quot;,&quot;relation&quot;:&quot;&quot;},{&quot;title&quot;:&quot;AD FS&quot;,&quot;content&quot;:&quot;\\n&lt;table&gt;\\n&lt;thead&gt;\\n&lt;tr&gt;\\n&lt;th&gt;Adyen field name&lt;\\\/th&gt;\\n&lt;th&gt;AD FS&lt;\\\/th&gt;\\n&lt;\\\/tr&gt;\\n&lt;\\\/thead&gt;\\n&lt;tbody&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;SSO URL&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Assertion Consumer Service URL&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Entity 
ID&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Identifier&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Name ID&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;IssuanceTransformRules&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Response&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;MessageAndAssertion&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;\\\/tbody&gt;\\n&lt;\\\/table&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;ad_fs_1_2&quot;,&quot;relation&quot;:&quot;&quot;},{&quot;title&quot;:&quot;Azure&quot;,&quot;content&quot;:&quot;\\n&lt;table&gt;\\n&lt;thead&gt;\\n&lt;tr&gt;\\n&lt;th&gt;Adyen field name&lt;\\\/th&gt;\\n&lt;th&gt;Azure&lt;\\\/th&gt;\\n&lt;\\\/tr&gt;\\n&lt;\\\/thead&gt;\\n&lt;tbody&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;SSO URL&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Reply URL (AssertionConsumerService)&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Entity ID&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Identifier (Entity ID)&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Name ID&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Unique User Identifier&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Response&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Response&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;\\\/tbody&gt;\\n&lt;\\\/table&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;azure_2_3&quot;,&quot;relation&quot;:&quot;&quot;},{&quot;title&quot;:&quot;Google&quot;,&quot;content&quot;:&quot;\\n&lt;table&gt;\\n&lt;thead&gt;\\n&lt;tr&gt;\\n&lt;th&gt;Adyen field name&lt;\\\/th&gt;\\n&lt;th&gt;Google&lt;\\\/th&gt;\\n&lt;\\\/tr&gt;\\n&lt;\\\/thead&gt;\\n&lt;tbody&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;SSO URL&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Sign-on URL&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Entity ID&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Entity 
ID&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Name ID&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;-&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;strong&gt;Response&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;td&gt;Response&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;\\\/tbody&gt;\\n&lt;\\\/table&gt;\\n&lt;div class=\\&quot;notices green\\&quot;&gt;\\n&lt;p&gt;The metadata file needs to be permanently hosted on a cloud service that is publicly accessible on your end, and you need to use it as the Sign-on URL.&lt;\\\/p&gt;\\n&lt;\\\/div&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;google_3_4&quot;,&quot;relation&quot;:&quot;&quot;}]\"\n            :should-update-when-url-changes='false'>\n        <\/tabs>\n    <\/div>\n<\/div>\n\n<h3 id=\"get-customer-area-metadata-url\">Step 1: Get the Customer Area metadata URL<\/h3>\n<p>First, do the following in your <a href=\"https:\/\/ca-test.adyen.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">test Customer Area<\/a>. Then, repeat it in your <a href=\"https:\/\/ca-live.adyen.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">live Customer Area<\/a>.<\/p>\n<ol>\n<li>Go to <strong>Settings<\/strong> &gt; <strong>Single sign-on<\/strong> and select <strong>Start configuration<\/strong>.<\/li>\n<li>Under <strong>Service provider configuration<\/strong>, find either the <strong>SSO URL<\/strong> or <strong>AssertionConsumerService<\/strong>. Select <strong>Copy URL<\/strong>.<br \/>\nYou need this URL to configure your identity provider.<\/li>\n<\/ol>\n<h3>Step 2: Configure your identity provider<\/h3>\n<div class=\"notices green\">\n<p>For Google as your identity provider: the metadata file needs to be permanently hosted on a cloud service that is publicly accessible on your end, and you need to use it as the Sign-on URL. 
<br> Make sure that the metadata file is not encrypted.<\/p>\n<\/div>\n<p>In your identity provider's interface, do the following:<\/p>\n<ol>\n<li>Add the URL you copied from the <strong>Service provider configuration<\/strong> in the Customer Area.<\/li>\n<li>Enable SAML2 request signing.<\/li>\n<li>Enable SAML2 response signing.<\/li>\n<li>In the <strong>SubjectNameID<\/strong> field, enter an email address. For example, <strong>test@company.com<\/strong>.<br \/>\nIf Azure is your identity provider, you must enable the response and assertion (<strong>Sign SAML response and assertion<\/strong>) signing option in the Azure user interface.<\/li>\n<li>Get your identity provider's metadata URL. This is required to configure the service provider in your Customer Area.<\/li>\n<\/ol>\n<h3 id=\"configure-service-provider-in-customer-area\">Step 3: Configure the service provider in the Customer Area<\/h3>\n<ol>\n<li>In your Customer Area, go to <strong>Settings<\/strong> &gt; <strong>Single sign-on<\/strong>.<\/li>\n<li>Under <strong>Identity provider configuration<\/strong>, in the <strong>Metadata URL<\/strong> field, enter your identity provider's metadata URL. You can <a href=\"#change-the-metadata-url\">change the metadata URL later<\/a> if you need to.<br \/>\nIf Azure is your identity provider, enter <strong>App federation Metadata Url<\/strong> in the input field.<\/li>\n<li>Select <strong>Fetch configuration<\/strong>.<\/li>\n<li>Check that the fetched details are correct.<\/li>\n<li>Select <strong>Save configuration<\/strong>.<\/li>\n<\/ol>\n<p>After doing this, you can start testing SSO. 
Your existing users do not automatically have SSO enabled, so you must:<\/p>\n<ul>\n<li><a href=\"#create-users-sso\">Create users<\/a> who log in to the Customer Area using SSO.<\/li>\n<li><a href=\"\/pt\/account\/single-sign-on\/migrate-users-to-sso\">Migrate existing users<\/a> to SSO.<\/li>\n<\/ul>\n<div class=\"notices green\">\n<p>If you experience issues with your SSO configuration for the Customer Area, contact our <a href=\"https:\/\/ca-test.adyen.com\/ca\/ca\/contactUs\/support.shtml?form=other\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Support Team<\/a>.<\/p>\n<\/div>\n<h3 id=\"change-the-metadata-url\">Change the metadata URL<\/h3>\n<ol>\n<li>In your Customer Area, go to <strong>Settings<\/strong> &gt; <strong>Single sign-on<\/strong>.<\/li>\n<li>Under <strong>Identity provider configuration<\/strong>, select the edit icon <i class=\"adl-icon-edit\"><\/i> for <strong>Metadata URL<\/strong>.<\/li>\n<li>Select <strong>Fetch new configuration<\/strong>.<\/li>\n<li>After fetching the metadata URL, select <strong>Save configuration<\/strong>.<\/li>\n<\/ol>\n<h2 id=\"create-users-sso\">Create users who log in to the Customer Area using SSO<\/h2>\n<p>The person you create the user for must already have an account with the identity provider your organization uses. 
You can create the user either in your Customer Area or by making a Management API request.<\/p>\n\n<div id=\"tab3EbMg\">\n    <div data-component-wrapper=\"tabs\">\n        <tabs\n                        :items=\"[{&quot;title&quot;:&quot;Customer Area&quot;,&quot;content&quot;:&quot;\\n&lt;h3&gt;In your Customer Area&lt;\\\/h3&gt;\\n&lt;p&gt;You must have one of the following roles:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;Merchant admin&lt;\\\/li&gt;\\n&lt;li&gt;Merchant user management&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;To create new users who log in through your identity provider:&lt;\\\/p&gt;\\n&lt;ol&gt;\\n&lt;li&gt;Log in to your Customer Area.&lt;\\\/li&gt;\\n&lt;li&gt;Go to &lt;strong&gt;Account&lt;\\\/strong&gt; &amp;gt; &lt;strong&gt;Users&lt;\\\/strong&gt;.&lt;\\\/li&gt;\\n&lt;li&gt;At the top right of the page, select &lt;strong&gt;Create new user&lt;\\\/strong&gt;.&lt;\\\/li&gt;\\n&lt;li&gt;For &lt;strong&gt;User details&lt;\\\/strong&gt;:\\n&lt;ul&gt;\\n&lt;li&gt;Select the &lt;strong&gt;SSO&lt;\\\/strong&gt; option as the login method.&lt;\\\/li&gt;\\n&lt;li&gt;Enter a unique email, a first name, and a last name for the new user. The email address will be the user&#039;s username.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;&lt;\\\/li&gt;\\n&lt;li&gt;Select &lt;strong&gt;Continue&lt;\\\/strong&gt;.&lt;\\\/li&gt;\\n&lt;li&gt;For &lt;strong&gt;Accounts&lt;\\\/strong&gt;, you can choose whether this user will have access to all associated merchant accounts or to specific groups and accounts.&lt;\\\/li&gt;\\n&lt;li&gt;Select &lt;strong&gt;Continue&lt;\\\/strong&gt;.&lt;\\\/li&gt;\\n&lt;li&gt;For &lt;strong&gt;Roles&lt;\\\/strong&gt;, you can only assign roles that your own user already has. 
For a list of all possible roles, see &lt;a href=\\&quot;\\\/pt\\\/account\\\/user-roles\\&quot;&gt;user roles&lt;\\\/a&gt;.&lt;\\\/li&gt;\\n&lt;li&gt;Select &lt;strong&gt;Continue&lt;\\\/strong&gt;.&lt;\\\/li&gt;\\n&lt;li&gt;In the &lt;strong&gt;Summary&lt;\\\/strong&gt; page you can check and edit the details, accounts, and roles you assigned to the new user.&lt;\\\/li&gt;\\n&lt;li&gt;Select &lt;strong&gt;Create new user&lt;\\\/strong&gt;.&lt;\\\/li&gt;\\n&lt;\\\/ol&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;customer_area_0_1&quot;,&quot;relation&quot;:&quot;&quot;},{&quot;title&quot;:&quot;Management API request&quot;,&quot;content&quot;:&quot;\\n&lt;h3&gt;Make a Management API request&lt;\\\/h3&gt;\\n&lt;p&gt;The Management API endpoint you use depends on the type of SSO user:&lt;\\\/p&gt;\\n&lt;ul&gt;\\n&lt;li&gt;For one with access to a &lt;a href=\\&quot;\\\/pt\\\/account\\\/account-structure#company-account\\&quot;&gt;company account&lt;\\\/a&gt;, make a &lt;strong&gt;POST&lt;\\\/strong&gt;  &lt;a href=\\&quot;https:\\\/\\\/docs.adyen.com\\\/api-explorer\\\/Management\\\/latest\\\/post\\\/companies\\\/(companyId)\\\/users\\&quot; class=\\&quot;codeLabel  external-link no-image\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot;&gt;\\\/companies\\\/{companyId}\\\/users&lt;\\\/a&gt; request.&lt;\\\/li&gt;\\n&lt;li&gt;For one with access to a &lt;a href=\\&quot;\\\/pt\\\/account\\\/account-structure#merchant-accounts\\&quot;&gt;merchant account&lt;\\\/a&gt;, make a &lt;strong&gt;POST&lt;\\\/strong&gt;  &lt;a href=\\&quot;https:\\\/\\\/docs.adyen.com\\\/api-explorer\\\/Management\\\/latest\\\/post\\\/merchants\\\/(merchantId)\\\/users\\&quot; class=\\&quot;codeLabel  external-link no-image\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot;&gt;\\\/merchants\\\/{merchantId}\\\/users&lt;\\\/a&gt; request.&lt;\\\/li&gt;\\n&lt;\\\/ul&gt;\\n&lt;p&gt;Both requests 
include:&lt;\\\/p&gt;\\n&lt;table&gt;\\n&lt;thead&gt;\\n&lt;tr&gt;\\n&lt;th&gt;Field&lt;\\\/th&gt;\\n&lt;th&gt;Description&lt;\\\/th&gt;\\n&lt;\\\/tr&gt;\\n&lt;\\\/thead&gt;\\n&lt;tbody&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;code&gt;name&lt;\\\/code&gt;&lt;\\\/td&gt;\\n&lt;td&gt;The user&#039;s first and last name.&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;code&gt;loginMethod&lt;\\\/code&gt;&lt;\\\/td&gt;\\n&lt;td&gt;&lt;strong&gt;SSO&lt;\\\/strong&gt;&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;code&gt;email&lt;\\\/code&gt;&lt;\\\/td&gt;\\n&lt;td&gt;The user&#039;s email address.&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;code&gt;username&lt;\\\/code&gt;&lt;\\\/td&gt;\\n&lt;td&gt;The user&#039;s email address that will be their username. This must be the same as the one in the &lt;code&gt;email&lt;\\\/code&gt; field.&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;code&gt;timeZoneCode&lt;\\\/code&gt;&lt;\\\/td&gt;\\n&lt;td&gt;The &lt;a href=\\&quot;https:\\\/\\\/en.wikipedia.org\\\/wiki\\\/List_of_tz_database_time_zones\\&quot; target=\\&quot;_blank\\&quot; rel=\\&quot;nofollow noopener noreferrer\\&quot; class=\\&quot;external-link no-image\\&quot;&gt;tz database name&lt;\\\/a&gt; of the time zone of the user. For example, Europe\\\/Amsterdam.&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;code&gt;roles&lt;\\\/code&gt;&lt;\\\/td&gt;\\n&lt;td&gt;The &lt;a href=\\&quot;\\\/pt\\\/account\\\/user-roles\\&quot;&gt;user roles&lt;\\\/a&gt; to assign to this user. 
You can only assign the ones that your own user already has.&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;code&gt;accountGroups&lt;\\\/code&gt;&lt;\\\/td&gt;\\n&lt;td&gt;The list of &lt;a href=\\&quot;\\\/pt\\\/account\\\/account-structure#account-groups\\&quot;&gt;account groups&lt;\\\/a&gt; associated with this user.&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;tr&gt;\\n&lt;td&gt;&lt;code&gt;associatedMerchantAccounts&lt;\\\/code&gt;&lt;\\\/td&gt;\\n&lt;td&gt;The list of &lt;a href=\\&quot;\\\/pt\\\/account\\\/account-structure#merchant-accounts\\&quot;&gt;merchant accounts&lt;\\\/a&gt; this user can log in to.&lt;\\\/td&gt;\\n&lt;\\\/tr&gt;\\n&lt;\\\/tbody&gt;\\n&lt;\\\/table&gt;\\n&lt;div data-component-wrapper=\\&quot;code-sample\\&quot;&gt;\\n    &lt;code-sample :title=\\&quot;&#039;API request to create a company account user&#039;\\&quot; :id=\\&quot;&#039;&#039;\\&quot; :code-data=\\&quot;[{&amp;quot;language&amp;quot;:&amp;quot;bash&amp;quot;,&amp;quot;tabTitle&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;content&amp;quot;:&amp;quot;curl https:\\\\\\\/\\\\\\\/management-test.adyen.com\\\\\\\/v3\\\\\\\/companies\\\\\\\/{companyId}\\\\\\\/users \\\\\\\\\\\\n-H &#039;x-API-key: ADYEN_API_KEY&#039; \\\\\\\\\\\\n-H &#039;content-type: application\\\\\\\/json&#039; \\\\\\\\\\\\n-d &#039;{\\\\n    \\\\&amp;quot;name\\\\&amp;quot;: {\\\\n        \\\\&amp;quot;firstName\\\\&amp;quot;: \\\\&amp;quot;FIRST_NAME\\\\&amp;quot;,\\\\n        \\\\&amp;quot;lastName\\\\&amp;quot;: \\\\&amp;quot;LAST_NAME\\\\&amp;quot;\\\\n    },\\\\n    \\\\&amp;quot;loginMethod\\\\&amp;quot;: \\\\&amp;quot;SSO\\\\&amp;quot;,\\\\n    \\\\&amp;quot;email\\\\&amp;quot;: \\\\&amp;quot;EMAIL_ADDRESS\\\\&amp;quot;,\\\\n    \\\\&amp;quot;username\\\\&amp;quot;: \\\\&amp;quot;EMAIL_ADDRESS\\\\&amp;quot;,\\\\n    \\\\&amp;quot;timeZoneCode\\\\&amp;quot;: \\\\&amp;quot;Europe\\\\\\\/Amsterdam\\\\&amp;quot;,\\\\n    \\\\&amp;quot;roles\\\\&amp;quot;: [],\\\\n    
\\\\&amp;quot;accountGroups\\\\&amp;quot;: [],\\\\n    \\\\&amp;quot;associatedMerchantAccounts\\\\&amp;quot;: []\\\\n}&#039;&amp;quot;}]\\&quot; :enable-copy-link-to-code-block=\\&quot;true\\&quot; :code-sample-card-size=\\&quot;&#039;fullsize&#039;\\&quot;&gt;&lt;\\\/code-sample&gt;\\n&lt;\\\/div&gt;\\n&lt;p&gt;You get a response with the HTTP &lt;strong&gt;200&lt;\\\/strong&gt; response code if the user was created. If there&#039;s an error, check the &lt;a href=\\&quot;\\\/pt\\\/development-resources\\\/response-handling#error-response-fields\\&quot;&gt;error message&lt;\\\/a&gt; in the response.&lt;\\\/p&gt;\\n&quot;,&quot;altTitle&quot;:null,&quot;oldTabId&quot;:&quot;management_api_request_1_2&quot;,&quot;relation&quot;:&quot;&quot;}]\"\n            :should-update-when-url-changes='false'>\n        <\/tabs>\n    <\/div>\n<\/div>\n\n<p>The new user receives an email with a link to verify their email address for their Customer Area account.<\/p>\n<p>If you have questions or feedback, get in touch with your Adyen contact.<\/p>","url":"https:\/\/docs.adyen.com\/pt\/account\/single-sign-on\/set-up-sso","articleFields":{"description":"Learn how to set up single sign-on (SSO) to log in to the Customer Area.","feedback_component":true,"filters_component":false,"page_id":"e69ce6ed-9c79-4000-9f51-40a809cee894","decision_tree":"[]"},"algolia":{"url":"https:\/\/docs.adyen.com\/pt\/account\/single-sign-on\/set-up-sso","title":"Set up single sign-on","content":"Single sign-on (SSO) lets you use the same set of credentials to securely access several other services, like email service or your Customer Area.\nThe Customer Area supports SSO based on the Security Assertion Markup Language (SAML) 2.0 protocol. SSO solutions that use the SAML 2.0 protocol include identity providers like Okta, Azure, and Microsoft AD FS.\nBefore you start\nTo set up SSO for the Customer Area you need:\n\nAn SSO solution that supports the SAML 2.0 protocol.\nA Customer Area company account. 
You cannot set up SSO with a merchant account.\nA user with one of the following roles: Merchant admin or Merchant user management\nAccept the legal notice about SSO. This must be done by someone authorized to represent your organization.\n\nRecommended:\n\nKeep at least one admin user that doesn't log in using SSO, so that you can troubleshoot issues.\n\nAdd the Customer Area to your identity provider\nGet the following information from your service provider:\n\n\n    \n        \n        \n    \n\n\nStep 1: Get the Customer Area metadata URL\nFirst, do the following in your test Customer Area. Then, repeat it in your live Customer Area.\n\nGo to Settings &gt; Single sign-on and select Start configuration.\nUnder Service provider configuration, find either the SSO URL or AssertionConsumerService. Select Copy URL.\nYou need this URL to configure your identity provider.\n\nStep 2: Configure your identity provider\n\nFor Google as your identity provider: the metadata file needs to be permanently hosted on a cloud service that is publicly accessible on your end, and you need to use it as the Sign-on URL. Make sure that the metadata file is not encrypted.\n\nIn your identity provider's interface, do the following:\n\nAdd the URL you copied from the Service provider configuration in the Customer Area.\nEnable SAML2 request signing.\nEnable SAML2 response signing.\nIn the SubjectNameID field, enter an email address. For example, test@company.com.\nIf Azure is your identity provider, you must enable the response and assertion (Sign SAML response and assertion) signing option in the Azure user interface.\nGet your identity provider's metadata URL. This is required to configure the service provider in your Customer Area.\n\nStep 3: Configure the service provider in the Customer Area\n\nIn your Customer Area, go to Settings &gt; Single sign-on.\nUnder Identity provider configuration, in the Metadata URL field, enter your identity provider's metadata URL. 
You can change the metadata URL later if you need to.\nIf Azure is your identity provider, enter App federation Metadata Url in the input field.\nSelect Fetch configuration.\nCheck that the fetched details are correct.\nSelect Save configuration.\n\nAfter doing this, you can start testing SSO. Your existing users do not automatically have SSO enabled, so you must:\n\nCreate users who log in to the Customer Area using SSO.\nMigrate existing users to SSO.\n\n\nIf you experience issues with your SSO configuration for the Customer Area, contact our Support Team.\n\nChange the metadata URL\n\nIn your Customer Area, go to Settings &gt; Single sign-on.\nUnder Identity provider configuration, select the edit icon for Metadata URL.\nSelect Fetch new configuration.\nAfter fetching the metadata URL, select Save configuration.\n\nCreate users who log in to the Customer Area using SSO\nThe person you create the user for must already have an account with the identity provider your organization uses. You can create the user either in your Customer Area or by making a Management API request.\n\n\n    \n        \n        \n    \n\n\nThe new user receives an email with a link to verify their email address for their Customer Area account.\nIf you have questions or feedback, get in touch with your Adyen contact.","type":"page","locale":"pt","boost":17,"hierarchy":{"lvl0":"Home","lvl1":"Account","lvl2":"Single sign-on","lvl3":"Set up single sign-on"},"hierarchy_url":{"lvl0":"https:\/\/docs.adyen.com\/pt","lvl1":"https:\/\/docs.adyen.com\/pt\/account","lvl2":"https:\/\/docs.adyen.com\/pt\/account\/single-sign-on","lvl3":"\/pt\/account\/single-sign-on\/set-up-sso"},"levels":4,"category":"Account","category_color":"green","tags":["single","sign-on"]}}
