Skip to content

Enable single sign-on with Okta

Last updated: 16th September 2022

This page describes the two main tasks you need to complete as an Okta administrator to enable single-sign on (SSO) for Checkout.com.

The set up described on this page is only required for merchants using SSO.


Initial Okta setup

This first section describes the preliminary steps you need to take.

Step 1: Create a Checkout.com application in Okta

  1. Sign in to your Okta admin portal with Super Admin rights.
  2. In the upper-left corner, select Classic UI to make sure all features are visible.
  3. Select Applications > Create New App > SAML 2.0 > Create.
  4. In the App Name field, enter Checkout.com.
  5. Upload the following App Logo and select Next.

Step 2: Configure the SAML settings

  1. Set Single Sign On URL to http://localhost as a placeholder. Use this for the Recipient URL and Destination URL.
  2. Set Audience URI to http://localhost as a placeholder.
  3. Set Default Relay state to:
    • https://dashboard.checkout.com for production
    • https://dashboard.sandbox.checkout.com for sandbox
  4. Set Name ID to Unspecified.
  5. Set Application username to your Okta username.
  6. Set Update application username on to Create and update.
  7. Leave the default values of the Advanced SAML settings as they are.
  8. Set the Attribute statements as detailed below. These are mandatory attributes for the SAML assertion.
NameName formatValue

firstName

Unspecified

user.firstName

lastName

Unspecified

user.lastName

email

Unspecified

user.email

  1. Set the Groups statements required to propagate your identity provider (IDP) groups as part of the SAML assertion. This is needed to configure access rights by mapping your IDP groups to Checkout.com known roles. To propagate all groups:
NameName formatValue

idpGroups

Unspecified

Matches Regex .*

You can use a more restrictive group regex filter if you'd like.

  1. Select Finish, then Next, to complete the initial setup.

Step 3: Extract the SSO configuration

  1. Go back to the application’s Sign-On tab and select View Setup Instructions.
  2. Copy the Identity Provider Single Sign-On URL.
  3. Copy the Identity Provider Issuer.
  4. Download the certificate.

Step 4: Define group access rights

Checkout.com supports several types of users, all with different levels of access. See Team Permissions for a breakdown of each of these roles.

Create a .json file that defines a mapping between the propagated groups to Checkout.com’s known roles.

For example:

1
2
3
4
5
6
{
"ClientGroup1": "Owner",
"ClientGroup2": "Admin",
"ClientGroup3": "Read Only",
"ClientGroup4": "Read Only"
}

Step 5: Securely share your configuration with Checkout.com

You will be provided with a set of SFTP login credentials with which you will securely share the following configurations:

  • Identity Provider Single Sign-On URL
  • Identity Provider Issuer URL
  • Certificate (.crt file)
  • Mapping of IDP groups to roles (.json file)
  • Corporate email domain(s) (for example, mycompany.com, mycompany.uk)

Our Okta admin will then register your IDP with the above configuration and reach back to you to complete the setup.


Final client Okta setup and testing

This section describes the final steps you need to take.

Step 1: Finalize the SAML settings

  1. Go to the Checkout.com SAML application you previously created.
  2. Select General > SAML Settings > Edit > Next.
  3. Replace the placeholder values for the Single Sign-On URL and the Audience URI with the parameters we previously shared with you.
  4. Select Next, then Finish.

Step 2: Assign the Checkout.com application to users

  1. Go back to the Checkout.com application and select Assignments > Assign to Groups.
  2. Assign the groups defined in the previous steps to the application.

Step 3: Test the two types of login

To test the Okta end-user dashboard (IDP-initiated login):

  1. While signed in as a permitted user, check that a Checkout.com application is visible on the corporate Okta dashboard.
  2. Select the application. If everything is working correctly, it should authenticate you and redirect you to Checkout.com.

To test the Checkout.com login page (SP-initiated login):

  1. Go to either:
  2. Enter your email address and select Next.
  3. Select Sign in using SSO. If everything is working correctly, it should redirect you to Checkout.com.