What Is This and Why Does It Matter?
Your Paytronix account is being migrated to Access Identity, our new unified login platform. This migration unlocks access to Rewards and other Evo-powered features now available on your account.
As part of this migration, we'll configure SSO Federation, which means your team will log in to Paytronix using your company's existing credentials (through your identity provider, such as Microsoft Azure AD or Okta) instead of a separate Paytronix username and password. Once it's live, there's nothing your end users need to install or change.
How the Setup Works
The setup has two parts:
1. Your IT team completes Step 1: a one-time configuration in your identity provider (IdP).
2. Paytronix completes the rest: once we have the values from your IT team, we handle the configuration, work with you on testing, and go live on our end.
Before You Start
Confirm the following before beginning:
- Your Paytronix account agreement has Federation enabled. (If you're unsure, ask your Customer Success Manager.)
- Your identity provider supports OpenID Connect (OIDC) and is publicly accessible via HTTPS.
- All Paytronix users at your organization use email addresses on a company-controlled domain (e.g., yourcompany.com). Shared domains like gmail.com or outlook.com are not supported.
Step 1: Register Paytronix in Your Identity Provider
This step is completed by your IT admin. Find your identity provider below and follow the instructions.
Critical: use this URL exactly as the Redirect URI in all steps below:
https://identity.us.access-evo.com/auth/oidc/callback
This is the most common source of setup failures. Do not use identity.accessacloud.com; that is a different URL and will not work.
Microsoft Entra ID (Azure AD)
Part A: Create an Enterprise Application
An Enterprise Application is not required, but it lets the app appear on your company's SSO portal. Skip this part if you don't need it there.
1. Open the Azure Portal → Azure Active Directory → Enterprise applications
2. Click Create your own application
3. Name the application (e.g., "Paytronix" or "Access Identity")
4. Select Integrate any other application you don't find in the gallery (Non-gallery)
5. Click Create
6. Go to Users and Groups and add the users or groups who should have SSO access
Part B: Configure the App Registration
1. Go to Azure Portal → Azure Active Directory → App registrations
2. Click New registration (or open the Enterprise Application you just created)
3. Enter a name (e.g., "Access Identity" or "Paytronix SSO")
4. Click Register
5. From the Overview page, copy the Application (client) ID and Directory (tenant) ID; you'll need to provide both to Paytronix
Part C: Configure Authentication
1. Go to Authentication → Add a platform → select Web
2. Set the Redirect URI to: https://identity.us.access-evo.com/auth/oidc/callback
3. Under Implicit grant and hybrid flows, check ID tokens (used for implicit and hybrid flows)
4. Under Supported account types, select Accounts in this organizational directory only
5. Click Save
Part D: Configure API Permissions
1. Go to API permissions → Add a permission
2. Add the following Microsoft Graph delegated permissions: email and openid
3. Click Grant admin consent for [your organization]
Part E: Create a Client Secret
1. Go to Certificates & secrets
2. Click New client secret
3. Enter a description and set an expiration period
4. Click Add
Important: Copy and save the secret Value immediately; it is only shown once. You can always create a new one if needed.
What to Send to Paytronix

| Item | Where to Find It |
| --- | --- |
| Application (client) ID | App registration → Overview |
| Directory (tenant) ID | App registration → Overview |
| Client Secret Value | Certificates & secrets (copy immediately after creation) |
| Employee email domain(s) | The domain after @ in your employee emails (e.g., yourcompany.com) |

Note on email claims: By default, Azure AD does not pass the email claim in the ID token. This is expected; Paytronix will look up the email via a secondary request. If you use a custom field for email addresses, let your Paytronix contact know.
Okta
Part A: Create an App Integration
1. In Okta, go to Applications → Create App Integration
2. Set the following:
   - Sign-in method: OIDC - OpenID Connect
   - Application type: Web Application
Part B: Configure Redirect URIs
1. Set the Sign-in redirect URI to: https://identity.us.access-evo.com/auth/oidc/callback
2. Set the Sign-out redirect URI to: https://identity.us.access-evo.com/
3. Complete the app creation
Part C: Configure the Sign On Tab
1. Go to the app's Sign On tab
2. Under OpenID Connect ID Token, confirm the Issuer is set to your Okta URL (e.g., https://your-company.okta.com)
Part D: Assign Users
1. Go to the Assignments tab
2. Assign the users and/or groups who should have access to Paytronix
What to Send to Paytronix

| Item | Where to Find It |
| --- | --- |
| Client ID | App Integration → General tab → Client Credentials |
| Client Secret | App Integration → General tab → Client Credentials |
| Provider Metadata URL | See note below |
| Employee email domain(s) | The domain after @ in your employee emails |

The Provider Metadata URL depends on your Authorization Server setup:
- Org Authorization Server: https://{yourOktaDomain}/.well-known/openid-configuration
- Default Custom Authorization Server: https://{yourOktaDomain}/oauth2/default/.well-known/openid-configuration
- Other Custom Authorization Servers: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server
The authorizationServerId can be found on the Custom Authorization Server's Settings page in Okta.
AD FS 2016+
Note: AD FS must be version 2016 or later. Earlier versions do not support OpenID Connect and are not compatible with Access Identity Federation.
Part A: Create an Application Group
1. Open AD FS Management
2. Navigate to Application Groups → Add Application Group
3. Name it "Access Identity" (or "Paytronix SSO")
4. Select the template: Web browser accessing a web application
5. Copy the generated Client Identifier; you'll need to provide this to Paytronix
6. Set the Redirect URI to: https://identity.us.access-evo.com/auth/oidc/callback
7. Set Access control policy to Permit everyone (or your organization's preferred policy)
Part B: Configure Issuance Transform Rules
1. After creation, edit the Application Group's Web application
2. Go to Issuance Transform Rules → Add Rule
3. Select rule type: Send LDAP Attributes as Claims
4. Configure the rule:
   - Claim rule name: Email
   - Attribute store: Active Directory
   - LDAP Attribute: E-Mail-Addresses
   - Outgoing Claim Type: E-Mail Address
Part C: Configure Client Permissions
1. Under Client Permissions, add email as a Permitted scope
What to Send to Paytronix

| Item | Where to Find It |
| --- | --- |
| Client Identifier | Generated during Application Group creation |
| AD FS Server FQDN | Your AD FS server's fully qualified domain name |
| Employee email domain(s) | The domain after @ in your employee emails |

Other OIDC Providers (OneLogin, Google Workspace, Custom)
For identity providers not listed above, your IT team needs to complete the following steps.
Part A: Register the Application
1. In your identity provider's admin console, create a new OIDC/OAuth 2.0 application
2. Set the application type to Web Application
3. Set the Redirect URI / Callback URL to: https://identity.us.access-evo.com/auth/oidc/callback
Part B: Ensure Required Scopes and Claims
1. Confirm the application requests the openid and email scopes
2. Confirm the email claim is included in the ID token
3. The email address in your IdP must match the email address on each user's Paytronix account exactly
What to Send to Paytronix

| Item | Where to Find It |
| --- | --- |
| Client ID | Your IdP's application settings |
| Authority URL / Issuer URL | Your IdP's OIDC configuration page |
| Employee email domain(s) | The domain after @ in your employee emails |

Common Authority URLs by provider:
- OneLogin: https://{subdomain}.onelogin.com/oidc/2
- Google Workspace: https://accounts.google.com
- Other: Contact your Paytronix team
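The Provider Metadata URL (Okta section above) and the "Ensure Required Scopes and Claims" check both come down to reading the IdP's OIDC discovery document. The script below is an added example, not Paytronix or Okta code: it builds the Okta metadata URL for the three authorization-server cases listed above and then checks a discovery document for the endpoints, HTTPS URLs, issuer, and the openid and email scopes and email claim that Access Identity needs. The sample document, the Okta domain and the authorization server id are constructed placeholders.

```python
import json

# Required OIDC discovery keys; Access Identity also needs the openid and email scopes.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def okta_metadata_url(okta_domain, auth_server=None):
    """Provider Metadata URL for the three Okta authorization-server cases on this page."""
    base = f"https://{okta_domain}"
    if auth_server is None:            # Org Authorization Server
        return f"{base}/.well-known/openid-configuration"
    if auth_server == "default":       # Default Custom Authorization Server
        return f"{base}/oauth2/default/.well-known/openid-configuration"
    # Other Custom Authorization Server, identified by its authorizationServerId
    return f"{base}/oauth2/{auth_server}/.well-known/oauth-authorization-server"


def check_discovery(doc, expected_issuer):
    """Return the problems found in a discovery document (an empty list means it looks usable)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif not str(doc[key]).startswith("https://"):
            problems.append(f"{key} is not an HTTPS URL")
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    for scope in ("openid", "email"):
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised")
    if "email" not in doc.get("claims_supported", []):
        problems.append("email claim not advertised; login may fail after IdP sign-in")
    return problems


# Constructed sample: a discovery document that forgot the email scope and claim.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://your-company.okta.com",
  "authorization_endpoint": "https://your-company.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://your-company.okta.com/oauth2/v1/token",
  "jwks_uri": "https://your-company.okta.com/oauth2/v1/keys",
  "scopes_supported": ["openid", "profile"],
  "claims_supported": ["sub", "name"]
}""")

if __name__ == "__main__":
    print(okta_metadata_url("your-company.okta.com", "default"))
    for problem in check_discovery(SAMPLE_DISCOVERY, "https://your-company.okta.com"):
        print("problem:", problem)
```

To check a live IdP, fetch the metadata URL over HTTPS and pass the parsed JSON to check_discovery with the Issuer value you expect to send to Paytronix.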
Step 2: What Happens After You Send Us the Values
Once your IT team provides the information above, Paytronix will:
1. Configure Federation settings in Access Identity using the values you've provided
2. Run a test login to verify everything is working correctly
3. Verify ownership of your email domain (we'll add a DNS TXT record; your IT team may need to assist)
4. Confirm with you that your users have been assigned to the app in your IdP
5. Enable the domain; at this point, your team is live on Access Identity
We'll keep you informed at each stage and won't enable the domain until you've confirmed a successful test.
Troubleshooting
| Symptom | Likely Cause | What to Do |
| --- | --- | --- |
| Federation test fails immediately | Incorrect Redirect URI | Verify the Redirect URI is exactly https://identity.us.access-evo.com/auth/oidc/callback with no trailing slash |
| Test shows IdP login but fails after sign-in | Email claim not returned in the ID token | For AD FS: verify the Issuance Transform Rule and that the email scope is permitted. For other IdPs: confirm the email claim is included in the ID token |
| Domain verification fails | DNS propagation delay or incorrect TXT record | Allow up to 48 hours for DNS propagation. Confirm the TXT record value starts with access-domain-verification= |
| Users can't access Rewards or Evo features after go-live | Email mismatch between PXS and IdP | Confirm that each user's email in Paytronix exactly matches their email in the IdP |
| Test user works but other users fail | Users not assigned to the app in the IdP | Azure AD: check Users and Groups on the Enterprise Application. Okta: check the Assignments tab. AD FS: check access control policies |

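The checks in the table above can be run mechanically against what a failed test login actually returned. The script below is an added example, not Paytronix tooling: it compares the configured Redirect URI with the required callback, reads the email claim out of the ID token from the test, checks that the email is on a company-controlled domain and matches the Paytronix record exactly, and looks for the access-domain-verification= TXT record. The ID token, email addresses, domain and TXT value are constructed placeholders; the token is unsigned and built only as test input.

```python
import base64
import json

CALLBACK = "https://identity.us.access-evo.com/auth/oidc/callback"
SHARED_DOMAINS = {"gmail.com", "outlook.com"}   # not accepted for federation


def decode_payload(id_token):
    """Read the claims of an ID token WITHOUT verifying its signature.
    This only inspects what a test login returned; Access Identity still
    validates the signature before trusting anything."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_test_token(claims):
    """Constructed, unsigned test input only (alg=none, empty signature)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def diagnose(redirect_uri, id_token, paytronix_email, company_domains, txt_records):
    """Map a failed test login to the likely causes from the troubleshooting table."""
    findings = []
    if redirect_uri != CALLBACK:
        findings.append("Redirect URI mismatch (check the host and any trailing slash)")
    email = decode_payload(id_token).get("email")
    if not email:
        findings.append("email claim missing from ID token (check scopes / issuance rules)")
    else:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain in SHARED_DOMAINS or domain not in company_domains:
            findings.append(f"{domain} is not a company-controlled domain")
        if email != paytronix_email:
            findings.append("IdP email does not exactly match the Paytronix account email")
    if not any(r.startswith("access-domain-verification=") for r in txt_records):
        findings.append("no access-domain-verification= TXT record (DNS may still be propagating)")
    return findings


# Constructed sample: trailing slash on the callback, a token without an email claim,
# and no TXT record published yet.
SAMPLE_TOKEN = make_test_token({"iss": "https://your-company.okta.com", "sub": "00u-placeholder",
                                "aud": "client-id-placeholder"})

if __name__ == "__main__":
    for finding in diagnose(CALLBACK + "/", SAMPLE_TOKEN, "jane@yourcompany.com",
                            {"yourcompany.com"}, []):
        print("finding:", finding)
```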
Questions?
Contact Paytronix Support or visit the Access Identity FAQ.
