Overview
Single Sign-on (SSO) is a service that allows users to use one set of login credentials for multiple applications. Paytronix understands the importance of SSO in an enterprise strategy and has, therefore, made it available for PXS login.
Introduction and Pre-Requisites
This page contains information about setting up SSO for logging into the PXS. It covers details about implementing SSO, recommendations for turning on the feature, and other information. This feature is free for all PXS customers to use, and allows customers to set their own password or 2FA requirements for users through their identity provider. This feature is self-service for customers.
In order to use SSO, customers must have an Identity Provider set up for their organization that supports the OpenID Connect protocol for user authentication. Two common providers are Azure Active Directory and Okta, but the PXS can support any provider with OpenID Connect.
NOTE: Organizations using Access Identity Unified Login cannot implement traditional SSO configurations, as Access Identity serves as the unified authentication system for all Paytronix products. If you are unsure if your organization uses Access Identity or SSO, please contact your IT administrator to confirm which authentication system your organization has implemented.
Configuration
To configure SSO, log into the Paytronix merchant portal. On the left navigation bar, under the section "User Administration," click the link "SSO Administration." If you do not see this link, please reach out to Paytronix at [email protected] to add the necessary permission.
Once you have the permission, log into the Paytronix merchant portal. On the left navigation bar, under "User Administration," click the link "SSO Administration." On this page, you can enter the URL, Client ID and Client Secret for your IdP. If you use Okta or AAD as an IdP, Paytronix can provide specific instructions for creating/finding the URL, Client ID and Client Secret.
Implementation and Testing Considerations
Once SSO is configured, all users in your merchant will be required to log in using SSO. If there are users you would like to exempt from SSO, you can do so using the Enforce Login with SSO checkbox on that user’s account. You can see this setting by going to the Manage Other Users page and selecting a user to view, similar to how you would manage other user settings like email address or permissions.
Users commonly exempted from SSO are external users who administer your Paytronix program, like agency team members who create emails or add stores to the platform.
You may also want to create a backup operations user exempt from SSO, in case you need to log into the system without SSO for troubleshooting or to disable SSO altogether.
We encourage customers to test the SSO setup on the training or staging server before turning it on for all users.
SSO will use the email address associated with a user to determine if they can log in with SSO and to match a PXS user with a user in the identity provider. You should make sure that any users logging in with SSO have the correct email address on file in the PXS under the Manage Other Users page. There are specific notes about which IdP email field will be matched in the Azure and Okta setup guides.
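A pre-rollout audit of the email matching and exemption points above, as an added example that is not Paytronix code: it compares a list of PXS users with the email values your identity provider holds. The record fields (`username`, `email`, `enforce_sso`) and all sample data are constructed assumptions, not a documented PXS export format.

```python
from collections import Counter

# Constructed sample data. Field names are assumptions for this example.
PXS_USERS = [
    {"username": "akhan",   "email": "a.khan@example.com", "enforce_sso": True},
    {"username": "blee",    "email": "B.Lee@example.com",  "enforce_sso": True},
    {"username": "cdiaz",   "email": "c.diaz@example.com", "enforce_sso": True},
    {"username": "dshared", "email": "a.khan@example.com", "enforce_sso": True},
    {"username": "eno",     "email": "",                   "enforce_sso": True},
    {"username": "agency1", "email": "pat@agency.example", "enforce_sso": False},
]
# Constructed list of the email values held by the identity provider.
IDP_EMAILS = ["a.khan@example.com", "b.lee@example.com", "carlos.diaz@example.com"]


def audit(pxs_users, idp_emails):
    """Return findings to resolve before SSO is enforced for all users."""
    exact = set(idp_emails)
    folded = {e.casefold() for e in idp_emails}
    enforced = [u for u in pxs_users if u["enforce_sso"]]
    seen = Counter(u["email"].strip().casefold() for u in enforced)
    out = {"missing_email": [], "no_idp_match": [],
           "case_mismatch": [], "duplicate_email": []}
    for u in enforced:
        email = u["email"].strip()
        if not email:
            out["missing_email"].append(u["username"])
            continue
        # Two enforced users sharing one email make the match ambiguous.
        if seen[email.casefold()] > 1:
            out["duplicate_email"].append(u["username"])
        if email in exact:
            continue
        # The page does not say whether matching is case-sensitive, so a
        # case-only difference is reported separately, not assumed safe.
        key = "case_mismatch" if email.casefold() in folded else "no_idp_match"
        out[key].append(u["username"])
    # At least one exempt account keeps a non-SSO login for troubleshooting.
    out["has_exempt_user"] = any(not u["enforce_sso"] for u in pxs_users)
    return out


if __name__ == "__main__":
    for finding, value in audit(PXS_USERS, IDP_EMAILS).items():
        print(f"{finding}: {value}")
```

Run it against the training or staging server's user list first, and check the Azure or Okta setup guide for which IdP email field to export.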
User Login
When SSO is turned on, users must log in using the “Log in with SSO” flow from the PXS login page. They should enter the email associated with their PXS user on the second page to be logged into the correct merchant. Individual users will no longer be able to log in with a username and password. They cannot use the “Forgot Password?” link on the login page and their password cannot be edited on the Manage Other Users page.
How to Set Up Specific Software
For instructions specific to your identity provider, please see the appropriate article below:
Merchant User SSO AzureAD Setup
Merchant User SSO Okta Setup