How do I set up SSO for my account?
Last updated: April 9, 2026
Configuring Single-Sign-On (via SAML or OIDC) for your Paxos Organization lets you and all your teammates log in to Paxos using the credentials stored in your organization's identity store (Okta, Microsoft Entra/Azure AD, PingFederate, Active Directory, or any other SAML/OIDC-compatible provider).
Note: This documentation assumes that you already have an OIDC or SAML Identity Provider (IdP) set up. Paxos currently supports Service Provider (SP) initiated login only.
Recommended protocol: If your IdP supports both SAML and OIDC, choose OIDC — it is simpler to configure and less error-prone.
1 - Onboard and set up Passkeys
To set up SSO for your Paxos account, you'll first need to create an account using Passkeys and complete Onboarding into Paxos. You can find more information on Onboarding here.
All accounts must be first created with Passkeys as the authentication method. Once SSO setup is complete, Passkey authentication will be removed for your account.
2 - Identify your Authentication protocol
To start, identify your Authentication Protocol as SAML or OIDC (preferred). The setups for these are slightly different.
3 - Raise a support ticket
Raise a support ticket indicating that you'd like to migrate to SSO as your access method. Within your ticket, please provide the following information depending on your protocol.
OIDC
Inform Paxos that your Authentication Protocol is OIDC.
Provide the following details securely via SendSafely (a link will be provided by the support agent). Each item is described below, together with where to find it in your IdP:
Client ID: a unique identifier for the app you register in your IdP.
    Azure/Entra: App Registration → Application (client) ID
    Okta: OIDC app settings → Client ID
Client Secret: a secret credential associated with the app.
    Azure/Entra: App Registration → Certificates & Secrets
    Okta: OIDC app settings → Client Secret
Issuer URL: the base URL of your IdP's OIDC discovery endpoint.
    Azure/Entra: https://login.microsoftonline.com/<your-tenant-id>/v2.0
    Okta: https://<your-okta-domain>
Organization Name: your company name as it should appear in the Paxos Dashboard.
IdP Group Name for Org Admin: the exact name of a group in your IdP whose members will be Paxos Organization Administrators (see the group name note below).
⚠ Group name — required for all users to access the Dashboard: A "group" is a security group defined in your IdP (not a distribution list or email group). You must provide the group name exactly as it appears in your IdP (case-sensitive). Members of this group will be granted the Organization Administrator role in the Paxos Dashboard and will be able to set up access for the rest of your team. Other users will have no roles until an Org Admin logs in and configures role mappings (see Step 4).
Examples by IdP:
Microsoft Entra / Azure AD: Security groups often follow naming conventions like sg_PaxosDashboardAdmins (where sg_ denotes a security group)
Okta: Group names are user-defined, e.g. paxos-dashboard-admins or PaxosOrgAdmins
Active Directory / LDAP: e.g. PaxosDashboardAdmins
Required IdP configuration — OIDC scopes: Your IdP application must be configured to include the following scopes/claims in the token: openid, profile, email, groups. If the groups claim is missing, users will see a 403 Forbidden error after login.
Okta-specific note: The groups scope is not included in Okta's default authorization server by default. You must add it explicitly — see Okta's support article for instructions.
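A preflight check for the OIDC requirements above, written as an added example (not Paxos or IdP code): it derives the discovery URL from the issuer, reports required scopes the discovery document does not advertise, and inspects an ID token's claims for the required claims and the case-sensitive Org Admin group. The claim names sub and name (from the openid and profile scopes), the sample discovery document and the sample token are assumptions constructed for the example.

```python
import base64
import json

REQUIRED_SCOPES = ("openid", "profile", "email", "groups")
# Claims those scopes yield in the ID token (assumed mapping: openid -> sub, profile -> name).
REQUIRED_CLAIMS = ("sub", "name", "email", "groups")


def discovery_url(issuer: str) -> str:
    """The OIDC discovery document is served at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def missing_scopes(discovery_doc: dict) -> list[str]:
    """Required scopes the IdP's discovery document does not advertise."""
    supported = set(discovery_doc.get("scopes_supported", []))
    return [s for s in REQUIRED_SCOPES if s not in supported]


def decode_payload(id_token: str) -> dict:
    """Decode only the JWT payload; signature verification is the relying party's job, not this preflight's."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_problems(claims: dict, admin_group: str) -> list[str]:
    """Missing required claims, plus a case-sensitive check that the Org Admin group is present."""
    problems = [f"missing claim: {c}" for c in REQUIRED_CLAIMS if c not in claims]
    groups = claims.get("groups", [])
    if "groups" in claims and admin_group not in groups:
        near = [g for g in groups if g.lower() == admin_group.lower()]
        hint = f" (case mismatch with {near[0]!r})" if near else ""
        problems.append(f"admin group {admin_group!r} not in groups{hint}")
    return problems


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample discovery document: default Okta authorization server shape, groups scope not added.
SAMPLE_DISCOVERY = {"issuer": "https://example.okta.com", "scopes_supported": ["openid", "profile", "email"]}
# Constructed sample ID token (header.payload.signature) with a placeholder signature.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "00u1", "name": "Ada Lovelace", "email": "ada@example.com", "groups": ["paxos-dashboard-admins"]}),
    "placeholder-signature",
])

if __name__ == "__main__":
    print(discovery_url(SAMPLE_DISCOVERY["issuer"]))
    print("missing scopes:", missing_scopes(SAMPLE_DISCOVERY))
    print("claim problems:", claim_problems(decode_payload(SAMPLE_TOKEN), "Paxos-Dashboard-Admins"))
```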
SAML
Inform Paxos that your Authentication Protocol is SAML.
Provide Paxos with the endpoint URL for your Metadata document.
Example: https://company.okta.com/app/exkk73qsddqTsGNS5d7/sso/saml/metadata
Provide Paxos with the Organization Name you would like to use.
Provide Paxos with the IdP Group Name for the Organization Admin.
⚠ Group name — required for all users to access the Dashboard: A "group" is a security group defined in your IdP (not a distribution list or email group). You must provide the group name exactly as it appears in your IdP (case-sensitive). Members of this group will be granted the Organization Administrator role and will be able to set up access for the rest of your team.
Examples by IdP:
Microsoft Entra / Azure AD: Security groups often follow naming conventions like sg_PaxosDashboardAdmins (where sg_ denotes a security group)
Okta: Group names are user-defined, e.g. paxos-dashboard-admins or PaxosOrgAdmins
Active Directory / LDAP: e.g. PaxosDashboardAdmins
Required SAML attribute mappings: Your IdP must be configured to send these three attributes in the SAML assertion (case-sensitive). If any are missing, users will see a 403 Forbidden error after login:
name: the user's full name
email: the user's email address
groups: the user's group memberships
SAML metadata binding: Your metadata file must include HTTP-Redirect binding. HTTP-POST only is not supported by Paxos.
Encrypted assertions: By default Paxos requires encrypted SAML assertions. If your IdP does not support assertion encryption, let the support agent know — this can be disabled for your integration.
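A checker for the two SAML requirements above (HTTP-Redirect binding in the IdP metadata, and the three case-sensitive attributes in the assertion), written as an added example rather than Paxos or IdP code. The sample metadata and the sample decrypted assertion are constructed for the example and are deliberately non-compliant so the checks have something to report.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
REQUIRED_ATTRS = ("name", "email", "groups")  # exact, case-sensitive names

# Constructed sample IdP metadata: advertises only an HTTP-POST endpoint, which Paxos does not accept.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample decrypted assertion: the attribute is named "Email", not "email".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Ada Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>PaxosDashboardAdmins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def sso_bindings(metadata_xml: str) -> set:
    """Set of SingleSignOnService bindings the IdP metadata advertises."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Binding") for e in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)}


def has_redirect_binding(metadata_xml: str) -> bool:
    """True when the metadata offers the HTTP-Redirect binding Paxos requires."""
    return REDIRECT_BINDING in sso_bindings(metadata_xml)


def missing_attributes(assertion_xml: str) -> list:
    """Required attribute names absent from the assertion (case-sensitive, so 'Email' does not count as 'email')."""
    root = ET.fromstring(assertion_xml)
    present = {a.get("Name") for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    return [n for n in REQUIRED_ATTRS if n not in present]


if __name__ == "__main__":
    print("HTTP-Redirect binding present:", has_redirect_binding(SAMPLE_METADATA))
    print("missing attributes:", missing_attributes(SAMPLE_ASSERTION))
```

Run it against the metadata URL's response and a decrypted assertion captured from your IdP's assertion preview before raising the ticket.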
4 - Configure SSO & Provision Access
OIDC (Preferred)
Once Paxos has received the necessary information above, we'll provide you values for your Sign-In Redirect URI & Initiate Login URI via SendSafely. All other fields for your OIDC configuration take default inputs.
Note: Items marked in bold italics below will be provided by Paxos via SendSafely.
Detailed configurations:
Redirect URL — (Provided by Paxos via SendSafely)
Initiate Login URL:
Sandbox — https://dashboard.sandbox.paxos.com/login?sso=true
Production — https://dashboard.paxos.com/login?sso=true
SAML
Once Paxos has received the necessary information above, we will provide an encryption certificate, a signing certificate, an Organization Identifier (Org ID), and URL values for your IdP's configuration via SendSafely.
Note: Items marked in bold italics below will be provided by Paxos via SendSafely.
Detailed Configurations (terminology assumes Okta; exact naming conventions may vary by IdP)
Single sign-on URL: (Provided by Paxos via SendSafely)
Use this for Recipient URL and Destination URL
Audience URI (SP Entity ID): (Provided by Paxos via SendSafely)
Default RelayState: unset
Response: Signed
Assertion Signature: Signed
Signature Algorithm: RSA-SHA256
Digest Algorithm: SHA256
Assertion Encryption: Encrypted
Encryption Algorithm: AES256-CBC
Key Transport Algorithm: RSA-OAEP
Encryption Certificate: Upload the Encryption Certificate (.crt) sent by Paxos via SendSafely
<EntityName>EncryptionCertificate.crt
Signature Certificate: Upload the Signing Certificate (.crt) sent by Paxos via SendSafely
<EntityName>SigningCertificate.crt
Enable Single Logout: Enabled
Single logout URL:
Production — https://dashboard.paxos.com/
Sandbox — https://dashboard.sandbox.paxos.com/
SP Issuer: unset
Signed Requests: Enabled (Validate SAML Requests with signature certificates)
Authentication Context Class: PasswordProtectedTransport
Honor Force Authentication: Yes
SAML Issuer ID: (Provided by Paxos via SendSafely)
Maximum app session lifetime: Disabled
Required Attribute Mappings (case-sensitive):
name, email, groups
First Login & Role Mapping
Who logs in first matters. After SSO is configured, an Organization Administrator (a user who belongs to the Org Admin group you specified in Step 3) must be the first person to log in. This unlocks the Role Mapping interface for your organization.
Once logged in as an Org Admin:
Navigate to Settings → Role Mapping in the Dashboard.
Assign your IdP groups to Paxos Dashboard roles.
Note that role mappings are per Entity — if your Organization has multiple Entities, you must configure mappings for each one separately.
Until role mappings are configured, other users (those not in the Org Admin group) will see a 403 Forbidden error when they attempt to log in. You can find further information on roles on our Docs page here.
Testing in Sandbox First (Recommended)
Before configuring your production SSO integration, we recommend setting up and validating the full login flow in the Paxos sandbox environment:
Sandbox login URL: https://dashboard.sandbox.paxos.com/login?sso=true
The support agent will provide sandbox-specific configuration values alongside production ones
Once login and role mapping work correctly in sandbox, proceed to production configuration.
Troubleshooting
If you encounter issues during or after SSO setup, see our SSO Troubleshooting Guide.