How do I set up SSO for my account?

Configuring Single Sign-On (SSO) via SAML or OIDC for your Paxos Organization lets you and all your teammates log in to Paxos with the credentials held in your organization's identity store (Okta, Active Directory, LDAP, or another directory) that is fronted by an OIDC or SAML Identity Provider.

Note: This documentation assumes that you already have an OIDC or SAML Identity Provider (IdP) set up. Paxos currently supports Service Provider (SP) initiated login only: users start at the Paxos Dashboard login page and are redirected to your IdP, rather than launching Paxos from the IdP side.

Here's how you get started.

1 - Onboard and set up Passkeys!

To set up SSO for your Paxos account, you first need to create an account using Passkeys and complete Onboarding into Paxos. You can find more information on Onboarding here.

All accounts must first be created with Passkeys as the authentication method. Once the SSO migration is complete, Passkey authentication is removed from your account and your IdP becomes the only way in, so confirm that the Identity Provider group you name in step 3 actually contains the intended admin user before the migration happens.

2 - Identify your Authentication protocol

To start, identify your authentication protocol: SAML or OIDC (OIDC is preferred). The setups differ slightly.

3 - Raise a support ticket

Raise a support ticket indicating that you'd like to migrate to SSO as your access method. Within your ticket, please provide the following information, depending on whether your protocol is SAML or OIDC.

SAML

  1. Inform Paxos that your Authentication Protocol is SAML;
  2. Provide Paxos with the URL of your IdP metadata document and the Identity Provider group of the user who will be the Organization Admin for your Organization;
    Example: https://company.okta.com/app/exkk73qsddqTsGNS5d7/sso/saml/metadata
  3. Provide Paxos with the Organization Name that you would like to use.
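Before you put the metadata URL in the ticket, it is worth confirming that the document it serves actually contains what an SP-initiated SAML integration needs. The script below is an added example, not Paxos or Okta code: it parses an IdP metadata document and reports the entityID, the SSO and SLO endpoints per binding, a SHA-256 fingerprint of each signing certificate, and whether the IdP expects signed AuthnRequests. The sample document embedded in it is constructed; its entity ID, app ID and endpoints are invented and the certificate is a placeholder string, not a real certificate.

```python
"""Inspect a SAML IdP metadata document before sending its URL to Paxos.

Added example, not Paxos code. It reads the metadata XML (from a URL, or
from bytes you already have) and reports what the Paxos side depends on:
entityID, the SSO and SLO endpoints per binding, a SHA-256 fingerprint of
each signing certificate, and whether the IdP expects signed
AuthnRequests. The document below is constructed; its entity ID, app ID
and endpoints are invented and the certificate is a placeholder.
"""
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def fetch_metadata(url, timeout=10.0):
    """Download the metadata. Plain http is refused: the document carries the
    signing certificate, so it must not be fetchable over a tamperable channel."""
    if not url.startswith("https://"):
        raise ValueError("metadata URL must use https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def parse_idp_metadata(xml_bytes):
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    info = {"entity_id": root.get("entityID"), "sso": {}, "slo": {}, "signing_certs": [],
            "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true"}
    for tag, key in (("md:SingleSignOnService", "sso"), ("md:SingleLogoutService", "slo")):
        for svc in idp.findall(tag, NS):
            binding = (svc.get("Binding") or "").rsplit(":", 1)[-1]   # e.g. HTTP-POST
            info[key][binding] = svc.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):   # no 'use' means signing and encryption
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if b64:
            der = base64.b64decode("".join(b64.split()))
            # Same digest `openssl x509 -noout -fingerprint -sha256` prints, without the colons.
            info["signing_certs"].append(hashlib.sha256(der).hexdigest())
    return info


def check_idp_metadata(info):
    """Return human-readable problems; empty means the document has what an
    SP-initiated integration with the settings in step 4 needs."""
    problems = []
    if not info["entity_id"]:
        problems.append("entityID missing")
    if not ({"HTTP-POST", "HTTP-Redirect"} & set(info["sso"])):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService")
    for loc in list(info["sso"].values()) + list(info["slo"].values()):
        if not (loc or "").startswith("https://"):
            problems.append(f"non-https endpoint: {loc!r}")
    if not info["signing_certs"]:
        problems.append("no signing certificate: responses could not be verified")
    if not info["wants_signed_requests"]:
        problems.append("WantAuthnRequestsSigned is not true; expected, since step 4 enables Signed Requests")
    return problems


SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://company.okta.com/app/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://company.okta.com/app/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".encode()

if __name__ == "__main__":
    report = parse_idp_metadata(SAMPLE_METADATA)
    print(report)
    print("problems:", check_idp_metadata(report) or "none")
```

Against a real IdP, replace `SAMPLE_METADATA` with `fetch_metadata(url)` using the same URL you will put in the ticket; the fingerprint it prints is what you should compare against the certificate shown in your IdP's admin console, so a man-in-the-middle or a stale document is caught before Paxos ever configures it.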

OIDC

  1. Inform Paxos that your Authentication Protocol is OIDC;
  2. Provide Paxos with your Client ID, Client Secret, Issuer URL, Organization Name, and the Identity Provider group of the user who will be the Entity Manager for an Entity within your Organization. Send these through SendSafely; the Client Secret is a credential and must not be pasted into the ticket body itself.

Once received, Paxos will reply through SendSafely with the values you need to configure your IdP; step 4 lists them for each protocol.

4 - Configure SSO & Provision Access

OIDC (Preferred)

Once Paxos has received the information above, we will send you the values for your Sign-in Redirect URI and Initiate Login URI via SendSafely. All other fields in your OIDC client configuration keep their default values.

Note: In the Detailed Configurations below, items marked as provided by Paxos will be sent via SendSafely.

Detailed configurations:

  1. Sign-in Redirect URI: will be provided by Paxos via SendSafely (labelled Single sign-on URL). Register it on the OIDC client exactly as sent; IdPs match redirect URIs byte for byte.

  2. Initiate Login URL:

    1. Sandbox - https://dashboard.sandbox.paxos.com/login?sso=true

    2. Prod - https://dashboard.paxos.com/login?sso=true

Once that's done, you'll be able to log in at dashboard.paxos.com (production) or dashboard.sandbox.paxos.com (sandbox). Then use the Role Mapping interface to assign roles to other team members and add them to the Paxos Dashboard. You can find further information on roles on our Docs page here.
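Most OIDC integrations that fail at this point fail on exact-match rules: the `issuer` in the IdP's discovery document must equal the Issuer URL you gave Paxos character for character (a trailing slash is enough to break it), and the redirect URI registered on the client must equal the Sign-in Redirect URI Paxos sent. The script below is an added example, not Paxos or Okta code; it checks those points plus the endpoints and flows the discovery document advertises. The discovery document and issuer in it are constructed, and `PAXOS_REDIRECT` is a placeholder for the value SendSafely delivers, not a real Paxos URL.

```python
"""Pre-flight an OIDC client registration for SP-initiated login.

Added example, not Paxos code. Given the Issuer URL you sent Paxos, the
IdP's discovery document and the redirect URIs registered on the client,
it reports the mismatches that make login fail silently: an issuer that
differs by a trailing slash or scheme, a missing endpoint, no
authorization-code support, or a redirect URI that is not exactly the one
Paxos sent. The discovery document and URIs below are constructed; the
Paxos redirect URI is a placeholder for the value SendSafely delivers.
"""
import json
import urllib.request
from urllib.parse import urlsplit

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
# The two Initiate Login URIs documented in this article.
INITIATE_LOGIN_URIS = {
    "https://dashboard.paxos.com/login?sso=true",
    "https://dashboard.sandbox.paxos.com/login?sso=true",
}


def fetch_discovery(issuer_url, timeout=10.0):
    """GET <issuer>/.well-known/openid-configuration (OpenID Connect Discovery 1.0)."""
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_oidc_setup(issuer_url, discovery, registered_redirects,
                     paxos_redirect_uri, initiate_login_uri):
    """Return a list of problems; an empty list means the registration is consistent."""
    problems = []
    if urlsplit(issuer_url).scheme != "https":
        problems.append("Issuer URL must be https")
    if discovery.get("issuer") != issuer_url:
        problems.append(f"discovery issuer {discovery.get('issuer')!r} != Issuer URL "
                        f"{issuer_url!r} (must match byte for byte, including any trailing slash)")
    for key in REQUIRED_ENDPOINTS:
        if not str(discovery.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    # Client ID + Client Secret means a client-secret auth method; client_secret_basic
    # is the Discovery spec default when the field is omitted.
    auth_methods = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(auth_methods):
        problems.append("token endpoint does not accept a client secret")
    if paxos_redirect_uri not in registered_redirects:
        near = [r for r in registered_redirects
                if r.rstrip("/").lower() == paxos_redirect_uri.rstrip("/").lower()]
        problems.append("Sign-in redirect URI from Paxos is not registered on the client"
                        + (f" (found {near[0]!r}: redirect URIs are matched exactly)" if near else ""))
    if initiate_login_uri not in INITIATE_LOGIN_URIS:
        problems.append(f"Initiate Login URI {initiate_login_uri!r} is not one of the documented values")
    return problems


ISSUER = "https://company.okta.com/oauth2/default"          # constructed issuer
SAMPLE_DISCOVERY = {                                         # constructed, shaped like a real document
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "jwks_uri": ISSUER + "/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}
PAXOS_REDIRECT = "https://example.invalid/oidc/callback"     # placeholder for the SendSafely value

if __name__ == "__main__":
    # Deliberately wrong inputs (trailing slashes on both sides) to show the two classic failures.
    for p in check_oidc_setup(ISSUER + "/", SAMPLE_DISCOVERY, [PAXOS_REDIRECT + "/"],
                              PAXOS_REDIRECT, "https://dashboard.paxos.com/login?sso=true"):
        print("PROBLEM:", p)
```

For a real check, replace `SAMPLE_DISCOVERY` with `fetch_discovery(ISSUER)` and `registered_redirects` with the list copied from the client's settings page in your IdP; the near-match hint exists because a trailing slash or a capital letter in the registered URI is the most common reason the IdP rejects Paxos's authorization request.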

SAML

Once Paxos has received the information above, we will send you, through SendSafely: an encryption certificate, a signing certificate, an Organization Identifier (Org ID), and the values for your Identity Provider's Single Sign-On, Recipient, Destination, and Audience URLs.

You should then configure your SAML integration with the above information.

For example, if your identity provider is Okta:

    1. Upload the encryption and signing certificates.
    2. Set the Single sign-on URL, Recipient URL, and Destination URL to the values provided (lower-case letters and dashes); these are typically the same value.
    3. Set the Audience URI (SP Entity ID) to the value provided.

Note: In the Detailed Configurations below, items marked as provided by Paxos will be sent via SendSafely.

Detailed Configurations (terminology follows Okta; exact field names vary by IdP)

  1. Single sign-on URL: (Will be provided by Paxos via SendSafely as Single sign-on URL)

    • Use this for Recipient URL and Destination URL

  2. Audience URI (SP Entity ID): (Will be provided by Paxos via SendSafely as Audience URI)

  3. Default RelayState: unset

  4. Response: Signed

  5. Assertion Signature: Signed

  6. Signature Algorithm: RSA-SHA256

  7. Digest Algorithm: SHA256

  8. Assertion Encryption: Encrypted

  9. Encryption Algorithm: AES256-CBC

  10. Key Transport Algorithm: RSA-OAEP

  11. Encryption Certificate: Upload the Encryption Certificate (.crt) sent by Paxos via SendSafely, identifiable by the following filename:

    • <EntityName>EncryptionCertificate.crt

  12. Signature Certificate: Upload the Signing Certificate (.crt) sent by Paxos via SendSafely, identifiable by the following filename:

    • <EntityName>SigningCertificate.crt

  13. Enable Single Logout: Enabled

  14. Single logout URL:

    • Prod - https://dashboard.paxos.com/

    • Sandbox - https://dashboard.sandbox.paxos.com/

  15. SP Issuer: unset

  16. Signed Requests: Enabled (Validate SAML Requests with signature certificates)

  17. Authentication Context Class: PasswordProtectedTransport

  18. Honor Force Authentication: Yes

  19. SAML Issuer ID: (Will be provided by Paxos via SendSafely as SAML Issuer ID)

  20. Maximum app session lifetime: Disabled

  21. Required Attribute Mappings (case-sensitive):

    • name

    • email

    • groups
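The list above is long enough that one mis-set field (a SHA-1 digest left at its default, an attribute named `Email` instead of `email`, an unencrypted assertion) is easy to miss until login fails with an opaque error. The script below is an added example, not Paxos or Okta code: it lints a SAML Response captured from the browser (a SAML tracer extension) or taken from your IdP's assertion preview against the settings listed above. It does not verify signatures, since it has no trust anchor; it checks that the required elements and algorithm identifiers are declared and that the attribute names match exactly. A live response carries an encrypted assertion, so only the outer settings can be checked; a plaintext preview is checked in full. The `build_sample_response` helper is constructed for this example and `SSO_URL` and `AUDIENCE` are placeholders for the values Paxos sends, not real Paxos URLs.

```python
"""Lint a SAML Response against the settings in this article.

Added example, not Paxos code. Feed it a captured Response or an IdP
assertion preview plus the Single sign-on URL and Audience URI Paxos sent;
it lists every deviation from the required settings. Signatures are not
verified (no trust anchor), only declared. Sample data below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
RSA_OAEP = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",   # XML Encryption 1.0 identifier
            "http://www.w3.org/2009/xmlenc11#rsa-oaep"}          # XML Encryption 1.1 identifier
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REQUIRED_ATTRS = {"name", "email", "groups"}             # case-sensitive, per the article
SSO_URL = "https://example.invalid/saml/acs/acme-corp"   # placeholder for the Paxos Single sign-on URL
AUDIENCE = "https://example.invalid/saml/acme-corp"      # placeholder for the Paxos Audience URI


def _check_signature(el, label, problems):
    sig = el.find("ds:Signature", NS)
    if sig is None:
        problems.append(f"{label}: not signed")
        return
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    if sm is None or sm.get("Algorithm") != RSA_SHA256:
        problems.append(f"{label}: Signature Algorithm must be RSA-SHA256")
    if dm is None or dm.get("Algorithm") != SHA256:
        problems.append(f"{label}: Digest Algorithm must be SHA256")


def lint_saml_response(xml_bytes, sso_url, audience, expect_encrypted=True):
    """Return the list of problems; empty means the response matches the settings."""
    resp = ET.fromstring(xml_bytes)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element is {resp.tag}, not samlp:Response"]
    problems = []
    if resp.get("Destination") != sso_url:
        problems.append(f"Destination {resp.get('Destination')!r} != Single sign-on URL")
    _check_signature(resp, "Response", problems)
    enc = resp.find("saml:EncryptedAssertion", NS)
    if enc is not None:  # live response: only the algorithm identifiers are visible
        data = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        key = enc.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        if data is None or data.get("Algorithm") != AES256_CBC:
            problems.append("Assertion Encryption must be AES256-CBC")
        if key is None or key.get("Algorithm") not in RSA_OAEP:
            problems.append("Key Transport Algorithm must be RSA-OAEP")
        return problems
    if expect_encrypted:
        problems.append("Assertion is not encrypted")
    a = resp.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion or EncryptedAssertion"]
    _check_signature(a, "Assertion", problems)
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != audience:
        problems.append("Audience does not match the Audience URI")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sso_url:
        problems.append("Recipient does not match the Single sign-on URL")
    if a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS) != PPT:
        problems.append("AuthnContextClassRef must be PasswordProtectedTransport")
    names = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - names):
        hint = next((n for n in names if n and n.lower() == missing), None)
        problems.append(f"attribute {missing!r} missing"
                        + (f" (found {hint!r}: attribute names are case-sensitive)" if hint else ""))
    return problems


def build_sample_response(attr_names=("name", "email", "groups"), authn_ctx=PPT, encrypted=False):
    """Constructed sample: placeholder signature values, invented issuer and user."""
    sig = (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>'
           f'<ds:Reference><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference></ds:SignedInfo>'
           '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>')
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>x</saml:AttributeValue>'
                    '</saml:Attribute>' for n in attr_names)
    assertion = (f'<saml:Assertion ID="_a1" Version="2.0">{sig}'
                 '<saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>'
                 '<saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation>'
                 f'<saml:SubjectConfirmationData Recipient="{SSO_URL}"/></saml:SubjectConfirmation></saml:Subject>'
                 f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience>'
                 '</saml:AudienceRestriction></saml:Conditions>'
                 f'<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{authn_ctx}'
                 '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
                 f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')
    if encrypted:  # what a live response looks like from the outside
        assertion = (f'<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="{NS["xenc"]}">'
                     f'<xenc:EncryptionMethod Algorithm="{AES256_CBC}"/><ds:KeyInfo><xenc:EncryptedKey>'
                     '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
                     '</xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue>'
                     '</xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
            f'ID="_r1" Version="2.0" Destination="{SSO_URL}">{sig}'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            f'{assertion}</samlp:Response>').encode()
```

Run it with `expect_encrypted=False` on a preview and with the default on a response captured from a real login: the first catches naming and context mistakes inside the assertion, the second confirms that encryption and key transport are switched on in production, which the preview cannot show.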

Once that's done, you'll be able to log in at dashboard.paxos.com (production) or dashboard.sandbox.paxos.com (sandbox), and use the Role Mapping interface to assign roles to other team members and add them to the Paxos Dashboard.
