Single Sign On on the Paystack Dashboard
Single Sign-On allows your team to manage access to various applications using a single set of credentials through an identity management platform.
The Paystack Dashboard supports Security Assertion Markup Language (SAML) 2.0, an open framework that allows you to create users and manage authentication and authorization. Most ID providers also support SAML, e.g. Okta, Auth0 and Entra ID (formerly known as Azure AD).
Paystack supports the following SSO features:
Just-In-Time account creation: Automatically create new Paystack accounts for users without existing access upon their first SSO sign-in.
Granular Dashboard roles: Assign granular user roles through your IdP.
Service Provider-initiated SSO: Initiate SSO login directly from Paystack’s login page.
Single Sign-On is available on request to Paystack merchants. Contact our support team at support@paystack.com to enable the feature for your business. You will need to provide an existing admin user on your business to serve as the SSO admin.
Once SSO is enabled for your account, your admin can proceed to set it up from your dashboard settings with these steps:
Confirm ownership of the email domain(s) your team uses
Set up your ID provider to work with Paystack
Set up your Paystack Dashboard to work with the ID provider
Confirm Domain Ownership
On the Single Sign-On settings page, click on “Add Domain”.
Type in the top-level domain you want to verify (e.g. test.com).
You’ll receive a unique TXT record to add to your DNS records to verify domain ownership. Copy this TXT record and set it up on your DNS server.
The verification process should complete immediately. If the domain can’t be verified immediately, wait 24 hours before you retry verification. You can also remove a domain if you choose to.
⚠️ Important to note: You must have at least one verified domain for SSO to remain active on your business.
If the domain is invalid, you’ll get an error message immediately.
Set up your ID Provider to work with Paystack
Your admin will need to set up the Paystack dashboard as a service or application on your Identity Provider. This represents the relationship between your provider and Paystack. You’ll need the following values:
Dashboard SSO URL - The URL where users will be redirected to after authenticating on the ID Provider. This value for Paystack is https://dashboard.paystack.com/login/sso/acs.
Audience URL or Entity ID - An identifier for the Paystack Dashboard within the ID provider. This value for Paystack is https://dashboard.paystack.com/login/sso/metadata.
Name ID - The identifier that team members have to provide when logging in from the ID Provider’s interface. The value for Paystack is EmailAddress.
Security settings - The types of algorithms that will be used to encrypt and sign authentication messages.
Role Codes - You can click to copy codes representing the default and custom roles enabled on your Paystack business from the SSO settings page.
You can also find the values above when you click on “Manage SAML” from your SSO settings page.
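To confirm that the IdP application was set up with the values listed above, the Python below decodes a base64 SAMLResponse captured from a test login and lists any field that does not match. It is an added example, not Paystack code. The function names, the constructed sample response and the full URN used for the EmailAddress Name ID format are assumptions of this example, and it is a configuration check on your own IdP's output only: it does not verify signatures.

```python
import base64
import xml.etree.ElementTree as ET

# Values this page gives for the Paystack Dashboard (service provider side).
ACS_URL = "https://dashboard.paystack.com/login/sso/acs"
AUDIENCE = "https://dashboard.paystack.com/login/sso/metadata"
# Standard SAML URN for the emailAddress format (assumed to be what "EmailAddress" means).
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_saml_response(b64_response):
    """Return a list of mismatches; an empty list means the fields line up."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Dashboard SSO URL")
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient is not the Dashboard SSO URL")
    audiences = [e.text.strip() for e in root.findall(".//a:Audience", NS) if e.text]
    if AUDIENCE not in audiences:
        problems.append("Audience does not include the Paystack Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not EmailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    if root.find(".//ds:Signature", NS) is None:
        problems.append("no ds:Signature element found")
    return problems

# Constructed sample, not real IdP output; the Signature element is an empty stand-in.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
<a:Assertion><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<a:Subject><a:NameID Format="{fmt}">ada@test.com</a:NameID>
<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{acs}"/></a:SubjectConfirmation>
</a:Subject><a:Conditions><a:AudienceRestriction><a:Audience>{aud}</a:Audience>
</a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>"""

def sample(acs=ACS_URL, aud=AUDIENCE, fmt=EMAIL_FORMAT):
    return base64.b64encode(SAMPLE.format(acs=acs, aud=aud, fmt=fmt).encode())

if __name__ == "__main__":
    print(check_saml_response(sample()))
    print(check_saml_response(sample(aud="https://dashboard.paystack.com")))
```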
Set up your Paystack Dashboard to work with the ID provider
Once you’ve created the relationship with the Paystack dashboard from your ID provider, you’ll be able to copy the relevant parameters from your provider and complete the connection on the Paystack Dashboard. The fields you’ll need from your ID provider are:
Identity Provider Entity ID - A unique identifier from your identity provider.
Identity Provider SSO URL - The URL your dashboard team members are redirected to in order to authenticate.
ID provider certificate - The certificate your ID provider will use to sign SAML assertions.
To upload these fields on Paystack, click on “Manage SAML” on the Single Sign-On settings page.
SSO Configuration
Once you’ve set up SAML on your business, you can choose how you want users to be able to access your business. There are 2 options:
On - Your team must use single sign-on to log in.
Off - Your team can't use single sign-on and must use their password.
After you finish configuring SSO, you can inform your users to sign in by selecting “Log in with single sign-on (SSO)” on the Paystack Login page.
⚠️ Important to Note: Your SSO Admin will always be able to log in using either their email address and password, or SSO.
User Management
You can give your users access to the Paystack dashboard from your Identity Provider without creating an account for them on Paystack first. Your users will have a Paystack account created for them once they log in.
These accounts can only be managed from your Identity Provider console. This means you’ll only be able to change their roles, or revoke access from the IdP.