SSO/Login & User Permissions
      Back to home
      1. Help Center
      2. Payer Knowledge Base
      3. SSO/Login & User Permissions

      SSO Integration with PaymentWorks

      PaymentWorks supports Single Sign-On (SSO) integration to simplify user access and management through your organization’s Identity Provider (IdP). This guide explains the integration process, supported environments, required attributes, user provisioning, permissions, and security features.

      PaymentWorks as a SAML2 Service Provider

      PaymentWorks is a SAML2-compliant Service Provider (SP) supporting integrations with various Identity Providers, including Shibboleth and ADFS.

      • SSO allows customers to onboard users efficiently and manage them via their own IdP.

      PaymentWorks SSO Environments

      • Sandbox Environment:

        • URL: sandbox.paymentworks.com
        • Used for configuring and testing integrations between PaymentWorks and your IdP.
        • Recommended: Use a test user (with no permissions) to verify setup.

      • Production Environment:

        • URL: www.paymentworks.com
        • Configurations are migrated here after successful testing in the sandbox.

      Required Attributes for SSO

      PaymentWorks requires the following SAML attributes:

      Friendly Name SAML Name Description
      givenName urn:oid:2.5.4.42 First name of the user.
      surName urn:oid:2.5.4.4 Last name of the user.
      email urn:oid:0.9.2342.19200300.100.1.3 User’s email address.
      name_id urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress Unique user identifier (e.g., UPN or Username). Provided in the subject block of the assertion.

      User Provisioning and Access

      1. SSO URL:

        • After registering your metadata with PaymentWorks, you’ll receive a login URL formatted as:
          https://www.paymentworks.com/login/saml/?idp=yourorg
        • Replace yourorg with your organization’s unique key.

      2. User Creation:

        • First-time access via the SSO URL automatically creates a new user in PaymentWorks associated with your IdP.

      3. Default Role:

        • Users are provisioned with the Initiator role, which grants basic permissions to send invitations and track onboarding statuses.
        • Additional roles can be assigned by your PaymentWorks administrator.

      4. Permissions:

        • Role-based permissions determine user access to specific features.

      Logout Functionality

      • SP-Initiated Logout:
        • PaymentWorks terminates the session upon logout and can redirect users to a custom post-logout URL.
      • Limitations:
        • IdP-initiated Single LogOut (SLO) is not supported.

      Customizable Security Features

      1. Non-Encrypted Assertions:

        • PaymentWorks can disable encryption if your IdP does not support it.

      2. Post-Logout Redirect URL:

        • Configure a custom URL to redirect users after logout.

      3. Attribute-Based Authentication Rules:

        • Create rules to exclude specific users (e.g., students) based on attribute values.

      Service Provider Limitations

      1. Dynamic Role Provisioning:

        • Roles must be managed manually in PaymentWorks and cannot be dynamically assigned via SAML assertions.

      2. SLO Support:

        • IdP-initiated or SP-initiated Single LogOut (SLO) is not supported.